Protecting our critical infrastructure is more important than ever
The recent series of attempted cyber attacks on Australian organisations has highlighted the need to place national focus on the security of Australia’s critical infrastructure.
Cyber attacks on commercial organisations are damaging enough, but the impacts of a successful attack on any of Australia’s critical infrastructure could be catastrophic, such as shutting down the electricity grid. Now more than ever amid the current global pandemic, cyber attacks against critical infrastructure have high potential to cause significant disruption and public health risk.
To understand why, we must examine the rapidly changing and expanding definition of critical infrastructure. Traditionally, power, water and fuel came to mind when we thought of critical infrastructure — but it has now grown to encompass some important services, including transport, banking and finance, food and grocery, and health care.
The recent disruption to the supply chain, resulting in the mass shortages of food, medical supplies and other essential items, highlights the importance of protecting critical infrastructure from cyber attacks.
As a result of the pandemic, there is a greater appreciation for the availability of these vital services and the capability to pivot quickly and safely to support a surge in workers who need to work from home. The need for a safe, reliable supply of food and water, consistent power and reliable telecommunications will never waver.
Critical infrastructure represents not only the most important assets in the country, but equally some of the most vulnerable, so it warrants a high degree of prioritisation by the Australian Government.
So how do we secure it?
Securing critical infrastructure networks has been a difficult task for many organisations. Critical infrastructure operates using operational technology (OT) networks, and these legacy networks are in many ways different from modern information technology (IT) networks — many of them far predate the onset of digital transformation and the need for modern cybersecurity programs.
As digital transformation takes hold in all industries, we are seeing a growing interconnectivity between IT and OT environments. And while this IT-OT convergence yields many benefits and efficiencies, it also introduces the dynamic, ever-changing world of IT cyber threats to OT networks, which had historically been isolated from such threats.
There are many security tools available in the market that have been specifically developed for OT environments, which provide full visibility into all connected assets and processes on a network, to automatically identify suspicious behaviour and mitigate potential threats. However, investment in these tools is often hindered by myths about what OT security entails, how it compares to its IT counterpart and why it is so important. For example, many organisations believe traditional IT security tools are perfectly suitable for OT networks. In reality, modern cybersecurity tools developed for IT environments are completely incompatible with legacy OT environments, leaving networks highly susceptible to attack.
This already high level of risk has been significantly increased by COVID-19 and the subsequent increase in remote working. Given this reality, there are several strategies that should be deployed to protect Australia’s critical infrastructure and national security.
Assess what risk looks like in this new world
The world around us has changed, and some impacts of COVID-19 such as the increase in remote working will be lasting. It is therefore necessary to reconsider the risk landscape.
One result of an increasingly dispersed workforce is that data and systems are now being accessed by a massive number of remote endpoints, which has significantly increased the attack surface for organisations. As a result, ensuring that all employees have secure remote access has become imperative.
Foster a dialogue on critical infrastructure cybersecurity standards
The federal government has announced the development of minimum cybersecurity standards for businesses, including critical infrastructure, as part of its next cybersecurity strategy.
This is a welcome move, and ideally such baseline standards would encourage investment in security tools that have been specifically developed for OT environments. Furthermore, it is important to foster a national dialogue with critical infrastructure providers on the differences between OT and IT security approaches, and why it is imperative to invest in protecting both types of networks rather than just IT networks, to reduce the likelihood of a cyber attack.
Evolve our crisis response plan
Australia’s current set of procedures was put in place for a different work environment, when data and systems were supported by personnel that could, for example, rapidly convene face to face if needed. We should now pull those plans off the shelf and review them in detail within the context of an increasingly dispersed workforce.
It is important to revise and update security plans to ensure a fast response should, for example, an outage, cyber penetration or ransomware attack happen in the near future.
Prepare for this scenario again and implement changes to Australia’s supply chain
The interconnected world drives tremendous economic efficiency and growth, but it also makes businesses vulnerable in some ways, as this crisis has shown. What happens in one part of the world will likely affect the rest of the world.
It is important to start thinking about the investments that can be made now, including adapting how supply chains could be more resilient, by building capacity in new areas and pulling back in others.
Identify and start to build the new skill sets required
The government must invest more money in Australia’s own local cybersecurity industry, to boost the skills pipeline and create a culture of resiliency.
With a severe shortage in cybersecurity workers in Australia and 17,000 workers needed by 2026 (according to AustCyber), now is the time for a proactive plan to address these gaps. This can only be achieved through a coordinated effort between government, schools, tertiary institutions and companies to invest in cybersecurity apprenticeships and jobs.