Australian critical infrastructure at risk
Australian utilities and critical infrastructure providers will need to urgently improve cybersecurity to minimise the potential for significant civil disruption in the event of a cyber attack, network security vendor ForeScout has warned.
At a time when many such companies are adopting new and emerging technologies including the Industrial IoT and automation, the security of critical infrastructure will be sorely tested, ForeScout CMO Steve Redman said.
“Utilities and critical infrastructure used to benefit from being air-gapped from other systems. In other words, they weren’t connected to a network so the only way they could be compromised was if an attacker gained physical access to assets,” he said.
“[But] each automated and connected IIoT device is a potential entry point into a company network, and must be treated as such.”
Research firm Gartner has predicted that more than 20 billion devices will be connected to the internet by 2020, and more than 25% of all attacks on enterprises will come via IoT devices by this time.
Even a brief disruption of utilities and critical infrastructure can cause significant disruption that could turn into civil unrest, and could even jeopardise a country’s defences in severe cases, he said.
But securing operational technology and critical infrastructure can be a unique challenge, in part because this infrastructure cannot go offline for even a brief period. This demonstrates the importance of being able to monitor the security status of critical infrastructure without switching it off.
In their pursuit of automation and the IIoT, utilities are also often connecting legacy devices that were never meant to go online and so were not designed with security in mind. Therefore, it is essential to monitor the network activities of newly connected equipment.
Other significant challenges include the fact that organisations may have purchased these legacy devices on the expectation that they would not need to be replaced for decades, and therefore may not have budgeted for security upgrades. Another is a lack of awareness among business leaders about the need for security and the urgency of investing in modern security infrastructure.
Any effort to improve the integrity of Australia’s critical infrastructure is likely to require participation of the government as well as industry.
Australian government organisations may be able to take a cue from the US Department of Energy’s response to a Trump administration executive order on strengthening the cybersecurity of federal networks and critical infrastructure.
The order, issued a year ago, sought to improve the USA’s cybersecurity posture and capabilities in the face of growing security threats. It consists of three sections, covering the cybersecurity of federal networks, the cybersecurity of critical infrastructure and international engagement aimed at improving the entire nation’s cybersecurity posture.
In line with this order, the US Department of Energy has just released a new multiyear plan for improving cybersecurity in the energy sector, and has created a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER).
A report compiled under the executive order to assess the potential scope and duration of a prolonged power outage as a result of a significant cyber attack found that while to date no lasting damage has been observed from cyber attacks and intrusions targeting US electric utilities, key trends are increasing the risk of such a disruptive attack.
The report, released yesterday, identified a number of capability gaps around enhancing cyber incident response capacity, developing high-priority plans, augmenting scarce and critical resources, and understanding and characterising response efforts to catastrophic incidents.
The new multiyear plan aims to address these capability gaps by strengthening the energy sector’s preparedness to withstand and respond to cyber attacks.
Initiatives include a new cybersecurity risk information sharing program, developing specialised cyber resources that can be deployed during a cyber incident, and developing automated defence techniques for next-generation systems.
Meanwhile the new CESER will integrate a number of existing departmental programs to improve the reliability of energy delivery, and will take the leading role in the department’s work on improving energy sector cybersecurity.