Almost all essential services delivered today by government and private enterprises have at least some reliance on the digital, connected world. Historically, critical infrastructure was predominantly classified as power utilities, traffic control systems, and similar entities, which relied on operational technology (OT) for monitoring and control. These OT systems were traditionally separated from IT networks and the internet, making them seemingly immune to cyberattacks. However, as third-party providers introduce internet-connected components to OT systems, the risk of cyberattacks jeopardising services and triggering data breaches has surged to unprecedented levels.
Bringing the protection of critical infrastructure into the modern digital era saw recent reforms to the SOCI Act, which now includes all the following types of entities and services:
(a) critical broadcasting assets;
(b) critical domain name systems;
(c) critical data storage or processing assets;
(d) critical electricity assets;
(e) critical energy market operator assets;
(f) critical gas assets;
(g) designated hospitals;
(h) critical food and grocery assets;
(i) critical freight infrastructure assets;
(j) critical freight services assets;
(k) critical liquid fuel assets;
(l) critical financial market infrastructure assets;
(m) critical water assets.
When cyberattacks target the core networks, applications, or data repositories that are at the heart of providing these vital services, chaos ensues. While power, water, agriculture, and telecommunications services are inherently critical, supply chain disruptions or transport networks can also have severe consequences on essential needs, including food and medicines.
Challenges facing critical infrastructure
As the digital landscape expands, the very definition of critical infrastructure is evolving. In light of this shift, Australia’s digital leaders must proactively assess how cyber security incidents in various industries could impact their businesses.
Recently, Optus suffered a nationwide core network outage, underscoring the vulnerability of businesses relying on Optus for network carriage or telecommunications. The incident disrupted operations for various entities, from government agencies to small businesses, leaving them incapacitated for hours. Furthermore, everyday citizens, particularly the elderly relying on telephone services for medical emergencies, found themselves stranded without the means to call for help.
One of the biggest challenges facing critical infrastructure is the outdated systems in the OT space with inherent security flaws, such as default passwords and weak authentication. The use of Internet of Things (IoT) devices in the industrial sector is also rising, underscoring the importance of prioritised security measures for safeguarding critical infrastructure. The combination of isolated environments, reliance on legacy technologies, and outdated operating systems makes critical infrastructure susceptible to cyberattacks. These attacks, whether financially motivated like ransomware or driven by hacktivism, pose a significant threat to industries perceived as conflicting with certain groups’ goals.
New Zealand, for example, has experienced several high-profile cyber incidents, including denial-of-service (DDoS) attacks. In response, primary sector organisations like Silver Fern Farms adopted a proactive strategy to strengthen its shield for its critical infrastructure and identify gaps to reduce risks. Working with Imperva, Silver Fern incorporated Imperva Cloud WAF to enhance their defence against potential attacks, focusing on minimising false positives. The deployment also harnessed the capabilities of a global Security Operations Centre (SOC), strengthening the organisation’s resilience against evolving threats.
New mandates call for a new level of security
In 2021, the Security Legislation Amendment (Critical Infrastructure) Act 2021, or SLACI, was passed to enhance the security and resilience of critical infrastructure assets in various sectors, such as energy, communications, transport, and health. In a sign of critical infrastructure being viewed more broadly, SLACI expands the scope of the Security of Critical Infrastructure (SOCI) Act 2018.
Operators of critical infrastructure assets are now obliged to report incidents, share information, and comply with government directions. With OT and IT converging, so are the expectations of consumers and authorities that critical services will be maintained. Digital leaders need to apply the same level of information security controls and governance to OT networks as they would with IT.
At SA Power Networks, itself under the remit of SOCI/SLACI, the organisation leveraged Imperva Cloud WAF to defend against a relentless 3-day DDoS attack, deflecting approximately 18.5 million malicious attempts aimed at the digital infrastructure. This prevented service disruption and allowed SA Power Networks to maintain operations throughout the attack, which ensured their customers’ continued access to power.
Securing Critical Infrastructure Assets – Where to start?
Modernising critical infrastructure entities should enhance their resilience, not make them susceptible to cyberattacks and subsequent outages. Bridging the gap now is crucial, as well as being prepared for any unforeseen challenges.
SOCI entities can start by questioning the critical systems and services they possess, along with their real-time visibility and communication capabilities. Without the right level of visibility over OT assets, systems can become susceptible to prolonged attacks from numerous vectors across both OT and IT environments.
A defence-in-depth strategy is recommended to ensure systems associated with critical infrastructure and services maintain high cyber resilience. A defence-in-depth security architecture is based on controls designed to protect network, applications and data’s physical, technical, and administrative aspects. The approach is to implement multiple redundant defensive measures if a security control fails or a vulnerability is exploited.
Smart technologies are reshaping production, distribution, delivery, and maintenance processes. Whether it’s automated robotics, AI-enabled control systems, cloud computing, or IoT devices, smart technology blurs the lines between OT and IT domains. To heighten the defence against the evolving threat landscape, digital leaders must foster collaboration between IT and OT teams, develop and regularly update comprehensive security policies, and invest in targeted security controls and staff training.
Reinhart Hansen, Director of Technology, Office of the CTO at Imperva, emphasises that visibility of the operational environment is imperative. “You cannot protect assets and systems you don’t know exist. One of the biggest security blind spots is the widespread use of APIs for exchanging data and triggering events and actions across critical infrastructures. Maintaining a thorough API inventory, comprehending associated risks, and enforcing protective controls are vital in preventing cyberattacks. Choosing and prioritising robust security controls across edge, network, application, infrastructure (including data repositories), and endpoint layers, alongside a proactive incident response plan, can further bolster cyber resilience. Leveraging threat intelligence that is relevant to the operational environment, governance processes and regular audits will help ensure that cybersecurity measures stay ahead of emerging threats.”
Learn more at imperva.com