Ensuring a secure state for critical energy infrastructure

cyber security (critical infrastructure)
Image: Shutterstock

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) has led to significant changes relating to cyber resilience requirements for critical infrastructure1, writes Michael Murphy, head of operational technology and critical infrastructure (Australia) at Fortinet.

Related article: Aussie firms face fines for failing to report cyber incidents

This changing legislation represents the response to the increasing volume and severity of cyberthreats faced by critical infrastructure operators in the Australian energy sector. As threat actors increasingly take aim at critical infrastructure industries, it’s crucial that energy organisations understand what the new requirements are and how to deal with them effectively. For example, energy providers must report a critical cyberattack within 12 hours as part of the new requirements.

In the Australian energy sector, the consequences of even a small-scale cyberattack can be catastrophic. Taking energy systems offline even for a short time can cause significant repercussions for energy consumers. Because of this, it’s crucial that energy organisations understand that protecting their critical infrastructure assets differs significantly from protecting IT networks. For the most part, this is due to the unique nature of the operational technology (OT) that underpins asset-intensive sectors. 

For example, smart grids, clean-energy generators, and electrical substations are OT systems that present significantly different vulnerabilities, risks, and consequences regarding cyberattacks compared to corporate information technology. As such, it’s essential that energy organisations proactively manage risk by developing a solid cybersecurity framework that not only helps protect organisations’ critical infrastructure assets, but also helps businesses continue to run and successfully recover in the event of a cyberattack. And, this cybersecurity framework should be developed specifically for OT assets, rather than simply forming an extension of IT security strategies. 

When it comes to mapping out a cybersecurity framework, energy organisations should consider three key areas to better protect their critical infrastructure assets and OT from catastrophic cybersecurity events. These are: 

  1. Security visibility: visibility is crucial as it helps create an accurate map of what assets need to be considered. However, visibility is not only about seeing all the assets an organisation has but also about understanding which assets are mission-critical and must be protected at all costs. Organisations can leverage the Purdue Model, a framework commonly used to clearly define critical infrastructure assets into distinct layers, to achieve visibility. 
  2. Control of assets: energy organisations must secure and maintain control over available assets to defend against cyberthreats. Organisations without specific security awareness needed to defend against emerging threats are unlikely to proactively limit those risks. Instead, organisations should leverage shared knowledge bases such as the MITRE ATT&CK framework for industrial control systems (ICS) to understand the behaviours that cyber adversaries exhibit while carrying out attacks against ICS networks. 
  3. Non-intrusive methods: the increasing convergence of IT and OT has expanded the attack surface in the energy sector. To help protect critical infrastructure assets against threats, energy organisations should understand what cyber defence models work best for different assets. For example, energy organisations that leverage critical infrastructure assets may use Industrial Internet of Things (IIoT)-connected devices to track energy consumption in machine-dependent facilities. At the same time, these expand the attack surface. In these cases, IIoT decoys might be helpful in tricking attackers into believing they’re in the network even when they’re not. 

The energy sector is one of the most vulnerable targets of cyberattacks against critical infrastructure, with threat actors attacking the assets that drive Australia’s economic development. Without adequate cybersecurity strategies, the energy industry may be subject to ransomware and data theft.

Related article: Cybersecurity report details new groups targeting energy and utilities sector

As such, it’s crucial for energy organisations that manage critical infrastructure to consider a structured approach to prepare for, respond to, and recover from cyberthreats. This will help organisations understand, measure, and manage their risk to achieve the best possible protection for their critical infrastructure assets while maintaining their role in supporting economic stability and national security. 

1https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6833
2https://www.cisc.gov.au/resources-contact-information-subsite/Documents/mcir-guidance.pdf