Login
iscover
Opinion: Michael van Rooyen from Orro Group outlines strategies Australian stakeholders can employ to shore up critical infrastructure security amid growing threats from malicious actors.
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
Critical infrastructure has long been a goldmine for attackers. But the volume, frequency, and sophistication of threats are far outpacing the protections that many Australian critical infrastructure owners and operators put in place decades ago.
Last year, the Australian Cyber Security Centre (ACSC) observed a continued increase in sophisticated, high-impact ransomware incidents against critical infrastructure organisations, especially in the healthcare, financial services, education, and energy sectors.
More broadly, the ACSC’s Cyber Threat Report revealed that a cyber attack was reported every eight minutes in 2020-21, costing Australian businesses an estimated $33 billion-plus a year.
Today’s threats to critical infrastructure now range from state-sponsored actors to “hacktivist” non-state actors, to financially motivated global crime syndicates.
According to PwC’s Digital Trust Insights Survey 2022, 69 per cent of Australian executives expect an increase in state-sponsored attacks on critical infrastructure.
As geopolitical tensions rise around the world, the federal government has been on high alert. Ukraine and its allies suffered cyber attacks that caused blackouts, while ransomware shut down multiple major health care providers in the US and brought Costa Rica’s Ministry of Finance to a standstill.
To protect Australia from experiencing a similar fate, the government introduced two new laws — the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (the SLACI Bill), and the Legislation Amendment (Critical Infrastructure Protection) Act 2022 (the SLACIP Act) — placing more stringent obligations on owners and operators of critical infrastructure.
For example, these organisations must now meet new disclosure requirements for threat incidents (SLACI Bill) and adopt a risk management program (the SLACIP Act).
These laws are aimed at ensuring the critical services Australians rely on every day — such as electricity, water, telecommunications, healthcare, transport, financial services, and groceries, among others — remain secure and available, always.
They also give the federal government new powers to force an organisation to act in some circumstances, such as where an entity is unwilling or unable to resolve an incident itself.
These obligations are a first for many industries — and they will need to move quickly to achieve the level of resilience expected of them.
In this new threat landscape, critical infrastructure organisations need to go beyond protecting the bare bones. You don’t want the situation to get critical before you start taking action.
Lack of visibility — a critical issue to solve now
So, what’s been standing in the way of achieving our vision of a more secure Australia?
Lack of asset visibility is the biggest problem for critical infrastructure owners and operators. This is one of the issues the legislative reforms are trying to address.
To put it simply, you can’t secure what you can’t see.
To gain visibility across your IT infrastructure, organisations need a single cloud-based “watchtower” from which an entire network can be monitored in real time.
Where organisations operate multiple networks, a cloud-based command post also needs to give consolidated visibility.
This full visibility is vitally important in order to detect threats early and prevent them moving laterally across your organisation’s critical infrastructure.
Many underestimate the number of devices on their network. One critical infrastructure organisation we worked with estimated that less than 20,000 devices were connected to its network, when in fact there were more than 50,000 connected to one segment of the network.
This is a critical mistake, because each of those 30,000-plus additional devices were a potential attack vector for their network and key business systems.
This situational awareness and increased visibility provided Orro the ability to create a baseline of the current state and produce a report detailing 22 recommendations for board consideration and approval. These remediation activities covered a broad range of areas including cyber security governance, cyber capability and capacity as well as cybersecurity risk and asset management.
Understanding the impact of this report and the pending requirements of the Critical Infrastructure Bill, the organisation has taken the opportunity to implement all of the recommendations, ensuring that it is well placed to provide its critical services to customers.
Start with the fundamentals
Securing critical infrastructure can feel like a race against time. But organisations need to start small — for example, by enforcing multi-factor authentication (MFA).
Implementing MFA means requiring users to provide two or more pieces of information (such as username and password plus an auto-generated temporary passcode) to authenticate to a system.
This might seem like a simple first step, but you would be surprised at how often the lack of MFA ends up being the crack in the armour that attackers exploit.
If you want to take it to the next level, you can also consider passwordless MFA, which authenticates users based on biometric factors (i.e. fingerprint or facial recognition), access codes, or via a secondary device (including by SMS or email).
There are also other security measures that will never go out of style, despite the ever-evolving threat landscape and the ever-expanding attack surface. This includes encrypting data at rest and in transit. Keeping up with firmware updates and software patches is also critically important.
Plan for a data breach
Organisations also need to create a robust incident response plan that outlines all the steps to be taken at each stage of a potential security incident.
- Preparation: conduct a thorough risk assessment to identify vulnerabilities across critical infrastructure, train staff on their role in managing threats, have contingencies in place for incidents that impact communications, energy, and other core systems.
- Identify threats: implement the systems, reporting, and workflows needed to spot unusual behaviour fast.
- Contain threats: leverage cloud-based systems to rapidly respond to any potential attacks before they can impact vital data, systems or infrastructure assets.
- Remove threats: identify, secure, and patch any exploits used by malicious actors to access your network.
- Restore systems: secure the network fast to minimise downtime for key stakeholders.
- Follow up: after everything is restored, hold a team meeting to discuss lessons learned throughout every stage of the data breach.
Remember, an incident response plan isn’t something that organisations can just set and forget. What worked in the past might not work in the future. An incident response plan should continuously be updated and improved as the threat landscape evolves.
Partnerships — your best defence against cyber attacks
The current geopolitical environment isn’t likely to change any time soon. That means critical infrastructure will remain a target for malicious actors around the world.
Instead of trying to play catch up internally, bringing the right partners on board can help organisations get up to speed on cyber security best practices and keep critical infrastructure secure in an age of growing insecurity.
Michael van Rooyen is the CTO at Orro Group.
