Australian energy companies fear cyber attacks are inevitable, but are failing to put in place appropriate measures to prevent attacks on their critical industrial operating systems, new research from Seclove shows.
A survey of more than 2000 Australian risk, compliance and security specialists found 78 per cent of those responsible for their organisation’s industrial control systems were concerned there would be an attack in the next 12 months, with 45 per cent “extremely concerned”. Fear was greatest among large companies and those operating in high-risk target industries such as energy, mining and utilities.
Cyber attacks on businesses’ operational technology (OT) control systems have been on the rise around the globe. In June, a ransomware attack shut down a US Honda manufacturing plant and US-based power grids have also come under sustained attack.
Despite fears and rising threat levels, the national survey by Australian OT specialist cyber security firm Secolve found many businesses were not actively testing or upgrading their OT systems.
The survey found:
- just one third of respondents with OT responsibilities said their business had implemented new OT technology in last two years;
- only 31 per cent had used a third party to test their OT security; and
- one in 10 businesses hadn’t undertaken any reviews or updates in the last two years.
Related article:Coles shops for clean energy contract
Announcing Secolve’s launch, founder and CEO Laith Shahin said businesses’ industrial control systems were often legacy systems built decades ago with no thought given to security, making them particularly vulnerable to attack.
Shahin said the cost of upgrading security systems to prevent attacks was a fraction of the millions of dollars businesses stood to lose in lost revenue in the event of a system shutdown, which could also leave millions of Australians stranded without access to essential services such as power, food and water.
“Most organisations tend to avoid assessing the security of their industrial control systems because of the impact it can have on the business in terms of downtime or unavailability of critical systems. But an attack on an OT environment can cause the business catastrophic losses, not just financially but also through potential loss of life. A new Gartner report predicts the financial impact of cyber attacks resulting in fatalities will be more than US$50 billion by 2023. It is far more cost effective for businesses to invest in preventing attacks than dealing with the fallout,” Shahin said.
Businesses’ increasing reliance on technology has also exposed their operations to new avenues of attack.
“Industrial OT environments have traditionally been more isolated but with the shift to digitalisation and automation the threat levels are increasing exponentially. The lack of segmentation between IT and OT environments creates additional risks as an attacker can now gain access to OT systems by compromising an IT network,” Shahin said.
The survey highlighted a lack of knowledge of OT systems within businesses, even among those working in related areas. Just 17 per cent of the 737 respondents with OT, IT and risk responsibilities were confident in their knowledge of OT operations.
Of the 484 respondents that have OT as part of their business, only 9 per cent said their business had a dedicated OT team or staff member, with most businesses absorbing OT into the responsibilities of other departments, typically IT (57 per cent).
Related article: RACV Solar gives helping hand
“A common challenge faced by many organisations is drawing the line in terms of the management between OT and IT environments, so they usually end up being lumped together under one team,” Shahin said.
“That being said, organisations with a higher maturity tend to converge IT and OT, so it’s important to make the distinction between convergence and having it lumped together due to a capacity challenge: IT supports business functions, whereas OT is the business itself.”
Shahin said it was this lack of awareness and business preparedness that led to him create a specialised OT cyber security consultancy, helping organisations to identify and address OT risks and threats.
“In many instances there is little alignment and synergy between IT and OT. Secolve’s goal is to step in and fill the gap by working closely with OT teams to understand the environment and then collaborate with IT and security teams to increase the cyber security maturity around the OT environment,” he said.
“You really need external expertise to assess and prevent external threats. You can’t protect what you don’t know, and the stakes are too high just to hope and guess.”