How the defence industry can ensure a secure state for critical infrastructure

New legislation introduced in the form of the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP) came into effect on 2 April, focusing on the ever-increasing security risk to Australia’s critical infrastructure (CI). The SLACIP Act amends various infrastructure asset definitions and calls for CI operators to adopt, maintain, update, and comply with a critical infrastructure risk management program. Further amendments also require CI operators to report significant breaches to the federal government within 12 hours of an attack and undertake regular cyber security exercises.

Australia’s defence industry has access to some of the most advanced cyber security technologies and is no stranger to sophisticated phishing attacks, ransomware, and supply chain attacks. Last year, the Australian Cyber Security Centre (ACSC) found that one in four cyber attacks targeted critical infrastructure and services, such as aviation and defence. Threats and associated risks are constantly evolving in terms of what cyber criminals attack and their changing methods of attack; it is an arms race that is ever escalating. These kinds of attacks can have serious implications on defence networks and mission critical systems, and, by extension, Australia’s national security.

Because of this, it’s important for CI operators in the defence industry, including contractors, to understand that securing their CI assets differs markedly from protecting IT networks. This is largely due to the unique nature of the operational technology (OT) that underpins CI assets. For this reason, traditional IT security approaches don’t work for OT in a CI environment. Therefore, it’s essential that defence organisations proactively manage risk by establishing a cyber security risk management framework. However, defence organisations must consider three key areas before developing their frameworks accordingly.

1.        Boost network security visibility
Network visibility makes it far easier to identify and stop malicious activity as it happens. For example, with strong network visibility, defence organisations can better detect a threat actor with unauthorised access to the network, thereby accelerating security measure response time. In addition, network visibility is also useful for assessing which assets are of greatest value and would comprise business operations if affected in a cyber event.

To achieve network visibility, defence organisations should leverage cyber security tools that help break down and define CI assets across the network. This layered approach reduces a hacker’s ability to manoeuvre through the different levels of defence mechanisms with each layer more intricate than the next. However, building a layered approach needs a strategy to be effective. It also needs defence organisations to test their security measures constantly to prepare for an attack and adjust where necessary to comply with industry regulations.

2.        Maintain granular control over available assets
Defence organisations need to be able to maintain control over available assets to reduce additional exposure to cyber threats. As Australia’s defence industry increases its military defence capabilities, including the recent acquisition of nuclear-powered submarines, it’s more important than ever to understand what is needed to manage and defend against new and evolving cyber threats. Without specific cyber security awareness, defence organisations won’t be able to limit risk and defend against cyber threats.

To mitigate risk, defence organisations should leverage shared knowledge bases such as the MITRE ATT&CK framework for industrial control systems (ICS) to better analyse and evaluate the techniques cyber adversaries use while carrying out attacks.

3.        Mitigate cyber security incidents with non-invasive approaches and predictable states of operational change.

There has been a marked increase in cyber attacks, which has exponentially increased the cyber attack surface for defence organisations. And, despite defence-grade cyber security, vulnerabilities remain. To help protect CI assets against threats, defence organisations should implement non-intrusive strategies to respond to cyber security incidents. For example, a vulnerability assessment is a non-intrusive approach that produces a prioritised list of security vulnerabilities. The automated scan can identify flaws that may be exploited during an attack which organisations can resolve without exploiting those vulnerabilities. From there, organisations may choose to use intrusive approaches such as penetration testing to simulate a real attack to determine the robustness of their OT security in protecting CI assets.

Defence organisations are deemed as high value targets by state sponsored threat actors who are well funded with unwavering political motivation and well-crafted zero-day exploits. In many instances, attackers will observe the supply chain to identify the path of least resistance. Without adequate cyber security strategies, protected, secret, and top-secret information and classified assets are at risk of cyber events such as ransomware and phishing. As such, it’s crucial for defence organisations that manage CI to take a three-pillar approach to building their cyber security framework. This will ensure organisations understand, control, and mitigate all forms of cyber risk to not only better protect CI assets and OT from devastating cyber security incidents, but to protect those serving this country.

Michael Murphy, head of operational technology and critical infrastructure - Australia, Fortinet