Taking a risk-based approach to protect critical infrastructure
In February last year an employee at a water plant in Florida noticed his mouse pointer moving strangely on the computer screen in front of him.
Without him guiding it, the mouse had started clicking through the water treatment plant’s controls and was trying to increase the sodium hydroxide mix to an extremely dangerous level.
The attempt was quickly spotted and rectified, but the scary incident highlights the fact that cyber attacks on the infrastructure that is core to our everyday lives are a reality and a matter of if, not when.
The water plant in question reportedly didn’t implement many of the basic techniques that can help critical infrastructure operators take a risk-based approach to mitigate threats. A bonus of a risk based approach is that it can be designed to satisfy the ever-increasing laws and regulations being imposed on organisations by the governments of the world.
There have been a number of recent attacks on pieces of critical infrastructure in the Asia Pacific region. In March 2021, elective surgeries were postponed at several hospitals in Victoria after Eastern Health was hit by a ransomware attack.
Back in March 2016, South Korea claimed that North Korea had targeted its railway employees in an effort to launch a cyber attack on the country’s railway control system, while in November 2017 the tallest hydroelectric and water supply dam in India was hit by malware.
In September 2019 the IT network of India’s largest nuclear power plant was also compromised by a hacker group thought to be acting for North Korea.
Events like these, ongoing Covid-19 disruptions, upheaval and conflict around the world have highlighted just how important critical infrastructure is to every part of our lives, from work to play. And critical infrastructure now extends far beyond telecommunications, energy, water supply and the banks. It includes everything from healthcare to satellites to higher education.
This has recently been acknowledged by the Australian federal government, with amendments passed that significantly broaden the scope of companies covered by critical infrastructure regulations.
CISOs need to take a pragmatic, risk-based approach to securing their operations and networks, and need to be open to working with outside third parties to fill the gaps.
As former FBI director Robert Mueller says, cyber attacks are now inevitable: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
According to Australian Signals Directorate head Rachel Noble, over a quarter of all incidents reported to the Australian Cyber Security Centre last year were against critical infrastructure targets.
This is common across the world. In the US, over half of all energy providers reported data losses or operational impacts in the last year, and in 2020 the European Union Agency for Cybersecurity identified more than 300 major attacks against critical sectors, more than double the year before.
According to PwC’s Digital Trust Insights Survey 2022, nearly 70 per cent of Australian executives predict an increase in state-sponsored attacks on critical infrastructure, and despite a 52 per cent increase in data breaches, there has been no corresponding increase in Australian cybersecurity investment.
According to Gartner, nearly a third of all critical infrastructure organisations will suffer a security breach leading to a halt in operations or mission-critical cyber-physical systems.
Read more on Critical Infrastructure right here.
In Australia the critical infrastructure scheme now includes 11 Australian industry sectors, up from the previous four. Operators of this infrastructure are now subject to increased reporting and security obligations, including to create risk management programs which will see them “embed preparation, prevention and mitigation activities into business as usual activities”.
This includes identifying hazards, minimising the risks of these and mitigating the impact if incidents occur.
The federal government also now has “last resort” powers that allow it to take control of a company’s networks in the event of a major cyber attack.
As a starting point to taking a risk-based approach, critical infrastructure operators can benefit from looking at integration options for their operational technology environments and information technology stack (OT and IT). Regardless of the technology and legal requirements, this approach is good security practice and can deliver substantial benefits at a low cost.
An openness to adopting an innovation framework with cutting-edge technologies such as artificial intelligence, Internet of Things, 5G and digital twins can help solve challenges facing critical infrastructure operators.
For example, these technologies can help companies to monitor their networks and physical systems remotely, and access operational platforms from anywhere.
The new government reforms have imposed much higher obligations and compliance costs on a broader range of Australian companies.
It’s often difficult to get an adequate budget for cybersecurity activities, and it’s crucial for companies to take a holistic approach to compliance across the board to reduce costs and disruption associated with assessment and attestation.
These compliance activities can also be turned into a positive and used to uplift cyber security across the entire company and promote it to employees.
Uplifting the security of critical infrastructure is about building the best defence for the worst case scenario.
According to the 2022 Verizon Data Breach Investigations Report, social tactics are still by far the most common action in the data breaches analysed. Companies operating in critical infrastructure sectors need to train all their employees in cyber hygiene, keep devices and data safe when they’re used away from the office, and help educate in spotting suspicious behaviours online like phishing schemes.
With the water plant hack last year, it was reported that the malicious actor gained access to its systems using an app that hadn’t been used for six months but had not yet been decommissioned.
This demonstrates the importance of regularly auditing apps and access to ensure they are on a need-to-know basis and only the apps currently in use are commissioned.
Operating systems and apps also need to be immediately updated and patched when possible – this is one of the most effective and easiest ways to protect a company.
Two-factor authentication should also be implemented across the board, and minimum standards for the strength of passwords should be enforced.
The water plant in question was reportedly lacking two-factor authentication and strong firewalls.
Critical infrastructure operators should look to implement a security incident and management platform alongside their threat intelligence, threat hunting and response services. This can deliver a more automated approach to threat detection and validation.
A clear incident response plan also needs to be in place, at a minimum detailing exactly what to do and who to contact in the event of a compromise.
This plan can also include having a third party step in and provide emergency response and incident response in the event of a major cyber attack.
Companies shouldn’t shy away from bringing in outside help – budgets are tight and the competition for talent has never been higher, so a combination of global capabilities and sovereign local solutions is needed.
Businesses should look to human capabilities, local capabilities, public capabilities and global standards to determine the right partners to meet new legislative obligations and properly secure their networks and prepare for a cyber attack.
Hackers taking control of key pieces of infrastructure impacting our everyday lives, such as the water we drink or the healthcare we rely on, is no longer in the realm of a science fiction movie. It’s an unfortunate reality, and one that a broad swathe of Australian companies needs to prepare for now.
This should be led by a risk-based approach that utilises third-party solutions and partners to protect a company’s networks and the people who rely on its services.
Read more on Critical Infrastructure right here.
- Samsung introduces a groundbreaking microSD card for enhanced AI capabilities
- AWS strikes AI collaboration deals with Malaysian telcos at MWC 2024
- Retrieval augmented generative AI in backup and recovery
- Five cool gadgets announced at MWC 2024
- OpenAI faces New York Times hacking allegations while exploring deals with Tumblr