
Op-Ed: Our critical infrastructure is under attack – we must do more to protect it

Australia’s Minister for Home Affairs and Cyber Security, Clare O’Neil, warned Australia’s critical infrastructure networks were being targeted by a range of malicious cyber actors, including criminal and state-backed actors, in an address to the Australian Information Security Association (AISA) back in March.

Leon Poggioli
Thu, 10 Aug 2023

Minister O’Neil said the types of cyber threats and consequences from these attacks are rapidly changing the risk environment and that the government is committed to working with industry to address cyber threats through continued investment in a dedicated Cyber and Infrastructure Security Centre, among other initiatives.

However, the primary responsibility for the security of critical infrastructure rests with the infrastructure operators themselves, and far too often, these organisations are inadequately prepared for attacks because they lack sufficiently detailed information on their assets, the vulnerability of those assets, and the roles those assets play.

This is particularly the case with many legacy assets that are connected to the internet during the ongoing process of digital transformation, with little regard for what vulnerabilities may lie within them. These vulnerable devices cannot be patched, so they are difficult to protect and present large and open targets for cyber criminals.


Comprehensive visibility into all connected assets is essential if organisations want to understand the specific risks they face and the wider risk created by the role each asset plays in their overall operations.

This means organisations need detailed knowledge of every asset, including firmware version and how it communicates with the wider network. This comprehensive visibility is a prerequisite to protecting critical infrastructure from increasingly sophisticated attackers.

These attacks are no longer about simply extracting ransoms or exposing personal data on the dark web. They can compromise critical infrastructure or healthcare systems, leading to severe disruption to the normal functions of civil society, or even loss of life.

In today’s hyper-connected world, the range of organisations deemed vital for the normal functioning of society has greatly increased, and the Australian government has recognised this by amending the Security of Critical Infrastructure Act 2018 to expand the range of organisations covered by the act and to introduce new obligations on all entities covered.

While they might not get the same publicity as recent high-profile attacks on Optus and Medibank, there are plenty of attacks on Australia’s critical infrastructure. In fact, 25 per cent of cyber security incidents responded to by the Australian Signals Directorate in 2021 were against critical infrastructure.

For example, in early May, a major Australian health facility was the victim of a cyber attack. The Crown Princess Mary Cancer Centre, part of Westmead Hospital, reported it had been the victim of a ransomware attack by the Medusa Group.

In April, the Isaac Regional Council in Central Queensland was reported to have suffered a cyber attack, forcing it to lock down its systems. A 2022 Australian Cyber Security Centre (ACSC) report raised the flag on the potential cyber threats local councils faced, saying the legacy systems many local councils operate are exacerbating this risk, with councils often unable to update them because of a lack of skills and cash.

Traditional security tools designed to protect modern IT systems often lag behind in securing these legacy cyber-physical devices, but fortunately, there are a number of steps organisations can take to improve their cyber resilience in this area.

Overall, there are four key challenges that all critical infrastructure providers must address:

  • Proprietary protocols
  • The mix of new and legacy devices
  • The complexity of networks in most critical infrastructure organisations, which have a wide variety of connected assets
  • The misplaced belief that a single approach to security can effectively monitor and protect such a diverse range of assets.

A wide variety of devices are used in operational technology systems. Mainstream IT security tools were never designed to protect and monitor such devices, so the devices remain largely invisible to those tools.

Industrial assets can have decades-long lifespans, so any critical infrastructure environment will likely have devices using many different protocols designed long before today’s threat environment.

Fortunately, there are tools available that enable critical infrastructure organisations to have comprehensive knowledge of all connected assets, whether it be operational technology (OT), part of a building management system (BMS) or other types of industrial assets using proprietary protocols that are simply incompatible with – and thus invisible to – generalised security tools.

It is essential not only to have comprehensive knowledge of all connected assets but also to understand how they communicate, their connectivity paths, the processes that use them, and where they fit within the overall network topology.

Comprehensive visibility enables an organisation to prioritise remediation and protection measures and to implement these using some of the many tools available, designed specifically to secure individual proprietary devices and protocols. Some tools boast support for up to 500 proprietary protocols.

When almost every organisation faces cyber security resource constraints, deployment of appropriate tools to aid in every possible aspect of cyber security is essential to minimise the workload on security personnel, enabling resources to have maximum effect and securing all aspects of an organisation’s operations.


Leon Poggioli is the regional director of ANZ at Claroty.
