Australia’s new baseline for critical infrastructure security needs assistance in this Federal Government Budget

By Simon Howe, LogRhythm vice president sales Asia Pacific

Nation-states altered the state of nationally significant critical infrastructure security forever; the response is a work-in-progress, with more work needed on the operator side.

Attacks on and threats against critical infrastructure are only growing.

Australia was warned early of what’s possible when Maroochydore Council’s sewerage system was hacked in early 2000, releasing up to a million litres into rivers and coastal waterways.

The story reverberated worldwide. It was seen as a “wake-up call”, a portal into the devastation that could be wreaked by a single threat actor. After all, the same industrial control systems underpin critical infrastructure used in the supply of most utility services and manufacturing operations. 

Two decades on, challenges persist. Threats have evolved substantially, there are more of them, and some are now bankrolled by nations instead of being the work of an aggrieved but under-resourced individual.

A recent PwC survey found 56 per cent of cyber and business executives think state-sponsored attacks on critical infrastructure over the next year are likely. If that seems a lot, consider that in 2015, “54 per cent of the 500 US critical infrastructure suppliers … reported attempts to control systems, while 40 per cent had experienced attempts to shut down systems.” The consistency and long-term nature of the threat are real.

The fear in cyber security is always what damage an ambitious, motivated and skilled hacker could do. It’s a question one university researcher posed in 2016 as he tried to reimagine in passing what the Maroochydore attack might look like in the present.

A mere five years later, imagination wasn’t required. Hackers remotely accessed a Florida town’s water supply and tried to poison it.

With that, the issue of cyber security of critical infrastructure was well and truly back in the public view and on the priority list for policymakers.

Taking names and action

In Australia now, there are moves afoot from the federal government to broaden the definition of critical infrastructure and to increase cyber security obligations on operators.

If passed—the bill is currently before parliament—operators will be subjected to “mandatory cyber incident reporting”; “enhanced cyber security obligations” if their assets are considered to be of national importance; and “government assistance … in response to significant cyber attacks that impact on Australia’s critical infrastructure assets.”

That last part has garnered significant attention from operators concerned at another party stepping into their incident response.

“Government recognises that industry should and in most cases, will respond to the vast majority of cyber security incidents, with the support of Government where necessary,” it said in response to the concerns. “However, [the] government maintains ultimate responsibility for protecting Australia’s national interests. As a last resort, the bill provides for government assistance to protect assets immediately prior, during or following a significant cyber attack.”

It’s already common practice for authorities like the Australian Cyber Security Centre (ACSC) to be called into most large-scale attacks, from ransomware infections all the way up to nation-state hacks. They aid the post-incident mop-up and investigations, and advise on hardening systems and reducing attack surfaces.

In a critical infrastructure context, the government is also working with owners to deploy technologies to secure industrial control systems (ICS) and operational technology (OT). Its 2020 cyber security strategy, for instance, promised $66.5 million “to assist Australia’s major critical infrastructure providers to assess vulnerabilities to enhance their cyber security posture”.

In other words, the government acknowledges its role, and that acknowledgement is anticipated to continue into the next federal budget period and beyond.

Alert and alarmed

Critical infrastructure operators themselves must also independently bolster their defences—and that starts at the architecture level.

Traditionally, industrial control system environments have largely neglected operational technology and operational risk, relying instead on air gapping data and physically isolating platforms from unsecured networks to compensate for deficiencies in network security.

Air gapping meant outbound network security wasn’t much of a priority for critical infrastructure. However, the desire to take advantage of cloud-based add-ons, internet of things (IoT) and analytics—loosely ‘Industry 4.0’—has meant traditional air gaps have fallen away, and a long-touted convergence of IT and OT is finally occurring. IT is also attractive to operators because it is off-the-shelf and orders of magnitude cheaper to buy and run.

With that linkage, threats against critical infrastructure have increased in number and sophistication.

Any organisation using information technology in critical infrastructure operations needs to ensure proper protection protocols are established, ranging from threat detection to preventative and response controls that quickly identify and thwart potential catastrophes.

Lagging detection and alerts can result in a disaster if controls or data are obtained by domestic or foreign adversaries. But equally, strong detection and alerting, combined with skilled personnel and a government invested (and investing) in cyber security as part of this Federal Government budget, are crucial ingredients to securing services critical to the day-to-day lives of all Australians.