Hitting us where it hurts: cyber attackers targeting Australia’s critical infrastructure for maximum Disruption
As our infrastructure grows more digitised and interconnected, a single cyber incident has the potential to devastate a company or bring an entire city to a grinding halt. While there is some awareness around cybersecurity, the risks around the emerging field of operational technology are less well known.
With the rise of new technologies like IoT and 5G, securing infrastructure is a major area of active development around the world. But Australian infrastructure presents a special challenge.
The scale of the threat
Australia’s infrastructure is particularly vulnerable to cyber threats, as evidenced by the breach of the federal parliament’s network last year and the recent cyber attack on Victorian healthcare providers.
Our infrastructure vulnerability is a symptom of a bigger problem: a Microsoft-commissioned report found that more than half of the Australian organisations surveyed have experienced a cybersecurity incident, which could cost the economy $29 billion per year.
There is clearly a cybersecurity gap across almost all of our commercial and service sectors, but infrastructure is an area which needs radical change.
What makes our infrastructure such a tempting target is the massive level of disruption a single cyber incident can cause. As services grow more interconnected and IoT becomes more prevalent, power systems, transport, the internet, air traffic control and railways are all dangerously vulnerable to cyber threats.
To get an idea of just how far-reaching the consequences of an infrastructure breach can be, check out this 9-minute mini-documentary from Mimecast that explores the impact of disruption on critical infrastructure.
Given the pace of technological development, shouldn’t we be more resilient to disruptions? What makes Australia’s critical infrastructure so vulnerable?
The challenges of securing Australia’s infrastructure
Mixed stacks of old and new technologies – Our critical infrastructure is usually built by adding new technology on top of older, outmoded technology. This means at any given time, our infrastructure is a Frankenstein’s monster of older and newer tech, creating unique vulnerabilities that are difficult to fix.
A centralised structure creates a single point of failure – Our network depends on one central control structure. If compromised, it could result in the entire network grinding to a halt. Many services don’t have redundancies in place, which means one failure creates ripples throughout the network, leaving damage and disruption in its wake.
Well-resourced and highly skilled attackers – Infrastructure presents a huge target that is difficult to defend because of its massive surface area. On top of that, knowing the scale of the potential damage it can cause, infrastructure is typically targeted by sophisticated attackers backed by well-resourced groups with long-term attack plans.
What we can do about it
Even though there are massive challenges involved, it’s not impossible. Securing infrastructure is always an ongoing process, and starting with changes in just a few key areas can make a huge difference to its defence posture.
The first step is developing a clear actionable policy for responding to critical incidents. A detailed policy should cover threat response, operational continuity, acceptable downtime, damage control as well as standard and emergency security protocols.
From both a compliance and communication perspective, there need to be clear guidelines on when and how to notify those affected, disclosing the details of an incident, the PR stance to take and the community management efforts, all of which need to be clearly articulated and documented.
Government-enforced cybersecurity and cyber resilience standards
Given the level of interdependency critical infrastructure tends to have, one system’s vulnerability becomes everyone’s vulnerability. We need to ensure a baseline security standard for any network. That’s why government-mandated compliance with a standardised framework for infrastructure security is vital. Ensuring every critical system possesses a certain degree of resilience is also essential in the event a disruption does happen.
Transition is always uncomfortable. Some infrastructure companies may feel their autonomy is being compromised and argue that the additional cost is not justified. But considering the potential costs of damages, even loss of life, infrastructure failure can cause, better resilience is no longer just an option. It’s a necessity.