All Case Studies
Beca Energy April 2026

Wooreen BESS: OT Cyber Security Design

OT Cyber Security IEC 62443 AESCSF SOCI Act BESS Critical Infrastructure

The Challenge

The Wooreen Battery Energy Storage System (BESS) is a grid-scale energy storage facility supporting grid stability and renewable energy integration. As a critical electricity asset under the Security of Critical Infrastructure Act 2018 (SOCI Act), the project required a comprehensive OT cyber security design covering all Balance of Plant (BoP) systems — SCADA, protection relays, field devices, energy management systems, and their interfaces with external parties including AEMO, AusNet, and the asset owner.

Beca, engaged by EPC contractor Zenviron for automation and cyber security design, brought Deftec in to deliver the full OT cyber security scope. The design needed to meet IEC 62443 Security Level 3 for OT zones and align with the Australian Energy Sector Cyber Security Framework (AESCSF) at Security Profile 1 — while ensuring the security architecture could be practically implemented, tested, and handed over with full assurance evidence.

Our Approach

Deftec delivered three core documents forming the complete cyber security design package:

Cyber Security Design Report — a detailed security architecture based on IEC 62443 zones and conduits, covering five security zones (field devices through to external interfaces), defined conduits with data flow controls, and target security levels assigned per zone. The architecture incorporated defence-in-depth principles including network segmentation via VLANs and ACLs, Cisco FTD firewalls with deny-all/allow-by-exception rulesets, data diodes for unidirectional flows to AEMO and the asset owner’s historian, secure remote access via VPN and jump host with MFA and manual keyswitch enablement, and deep packet inspection for SCADA protocols (DNP3, IEC 104, GOOSE).

Cyber Risk Assessment — a structured risk assessment aligned with IEC 62443-3-2, analysing threats and vulnerabilities across all zones and conduits. The assessment covered the full threat landscape — from phishing and ransomware through to advanced persistent threats and supply chain compromise — and mapped each risk to specific controls with full traceability via a threat–vulnerability–control matrix.

Cyber Security Technical Specification — the mandatory control specification for the project, defining requirements across security architecture, access control and identity management (Active Directory, RBAC, MFA, privileged access management), system hardening and baseline configurations for all device classes (Cisco firewalls and switches, Moxa field switches, SEL protection relays, SCADA servers, domain controllers), secure communications and encryption, data protection and backup (including ransomware resilience), configuration and version control, monitoring and incident response (SIEM, IDS, detection use cases), supply chain security and vendor SDL obligations under IEC 62443-4-1, physical security integration, business continuity and disaster recovery, and compliance and audit requirements. Every control was traceable to its source risk and mapped to the applicable standard.

The design also defined the full assurance pathway — FAT, SAT, penetration testing, and compliance validation — with test procedure templates, evidence checklists, secure configuration checklists, and a compliance validation matrix covering IEC 62443-3-3, AESCSF SP1, and SOCI Act obligations.

The Outcome

Deftec delivered a complete, audit-ready OT cyber security design package that provides a defensible foundation for the construction, commissioning, and operational phases of the Wooreen BESS. The design demonstrates compliance with IEC 62443 at Security Level 3 across OT zones, alignment with AESCSF Security Profile 1, and satisfaction of SOCI Act critical infrastructure obligations — giving the asset owner, EPC contractor, and automation integrator a clear pathway through assurance and into operation.

Technologies and Capabilities

  • IEC 62443 security architecture (zones, conduits, security levels)
  • AESCSF Security Profile 1 compliance
  • SOCI Act critical infrastructure alignment
  • Cisco Secure Firewall (FTD 3105) and Cisco 9300 switch configuration
  • Data diodes and unidirectional gateways
  • Active Directory, RBAC, MFA, and privileged access management
  • SIEM integration and intrusion detection
  • Moxa industrial switch hardening
  • SEL protection relay security
  • Veeam backup and disaster recovery
  • FAT/SAT cyber security test procedures
Discuss your project More case studies