Cybersecurity challenges in Australia's industrial sector: an urgent call for action
Australia, much like the United States and Canada, is facing significant challenges in protecting its critical infrastructure from cyber threats. During a recent trip across the Asia–Pacific region, I observed a keen awareness among organisations about the necessity of bolstering their cybersecurity measures. However, gaps in strategy, resources and testing continue to hinder comprehensive security implementations.
The industrial sector in Australia is navigating a similar trajectory to that of North America. Many organisations have embarked on their cybersecurity journey, recognising the strategic imperatives. Yet, the maturity levels vary, and numerous gaps still remain, particularly in operational technology (OT) environments. Unlike non-industrial business environments, where cybersecurity frameworks are more robust, OT sectors grapple with unique challenges that impede the adoption of comprehensive security measures.
While challenges in OT cybersecurity can be varied depending on the organisation and the industry sector, there are recurring trends.
Human and cultural barriers persist in the relationship between process engineers and cybersecurity professionals, a relationship historically fraught with misunderstandings stemming from divergent priorities and terminologies. For instance, imposing enterprise cybersecurity controls on process environments is often unfeasible due to the sensitivity and age of industrial equipment.
Legacy systems and vendor-controlled equipment are also prevalent in industrial environments. These systems are typically designed to operate continuously for decades, often with minimal maintenance windows, which presents technical hurdles to implementing modern cybersecurity tools.
In addition, critical processes often cannot afford downtime, making it difficult to implement and test security measures. This necessity for uninterrupted operations leads to a conservative approach, prioritising stability over security.
The Australian threat landscape
The Dragos Australian ‘2023 OT Cybersecurity Year in Review’, which recorded 905 global ransomware incidents last year, provided a view of the significant cybersecurity trends impacting industrial infrastructure organisations. Of these incidents, 13 involved Australian organisations, such as DP World Australia, which brought into focus the possibility of cascading effects and impacts of ransomware on industrial operations, supply chains and consumers.
Australia’s threat landscape is not unique and does mirror global trends, with three primary categories of cyber threats affecting industrial organisations.
Firstly, commodity malware and ransomware pose a significant threat to industrial environments, and while the ransomware itself might not directly damage industrial processes, it can disrupt operational visibility, causing substantial operational and safety concerns.
Secondly, insider threats, often unintentional, arise from poor security practices and inadequate understanding of cybersecurity protocols. Examples include unauthorised devices connecting to networks, improper use of USB drives and inadvertent internet connections, all of which can expose critical systems to external threats.
Lastly, advanced persistent threats (APTs) come from state-sponsored adversaries that engage in industrial espionage and reconnaissance. These are sophisticated threats that involve detailed knowledge of specific industrial systems and require extensive reconnaissance to exploit vulnerabilities effectively.
Addressing these challenges necessitates a multifaceted approach. Improving the collaboration between cybersecurity professionals and process engineers is crucial. Joint training programs and cross-functional teams can bridge the gap, fostering a culture of mutual understanding and cooperation.
Given the technical constraints, a phased approach to cybersecurity implementation is also advisable. Organisations should first prioritise critical vulnerabilities and gradually integrate advanced security tools, ensuring minimal disruption to operations.
Organisations must also move beyond theoretical planning: regular testing and drills are essential to help validate the effectiveness of security measures. This includes testing backup systems, incident response plans and recovery protocols to ensure readiness in the unfortunate event of an attack. Comprehensive threat modelling should also be undertaken to understand the full spectrum of potential threats, identify and prioritise risks, and tailor cybersecurity strategies accordingly.
The path to robust cybersecurity in Australia’s industrial sector is challenging, but not insurmountable. By addressing human, technical and procedural barriers, organisations can significantly enhance their defences against rapidly evolving cyber threats. A proactive approach, emphasising collaboration, incremental improvements and regular testing, is essential.
As we move forward, it is imperative for organisations to recognise that cybersecurity is not a one-time effort, but an ongoing process that requires vigilance, adaptability and continuous improvement.
While the road ahead may be complex, with concerted efforts and appropriate strategic planning, Australia’s industrial sector can rise to meet the cybersecurity challenges of the modern era.