February 27, 2019
Hardening Australia’s critical infrastructure to ensure cyber resilience
By: Melissa Waldron, Zoe Thompson and Grant Turvey
High-profile hacks are making headlines across the nation, with the latest breaches of the federal parliamentary computing network demonstrating that no organisation is immune.
In good news, the World Economic Forum’s Network Readiness Index ranks Australia as 18th in the world for digital maturity and among the leaders (8th) for providing digitally enabled Government and public-sector services. In not quite such good news, this network maturity also means our national surface area for critical infrastructure attacks is expanding.
As a wealthy digital nation, Australia is vulnerable to cyber attackers seeking to achieve significant national impact and hostile state actors looking to exploit weakness without incurring the cost of open conflict. Accenture’s threat intelligence tracking capability, iDefense, shows that Australian critical infrastructure is experiencing an increasing number of attacks from a range of actors. This finding is consistent with recent announcements from Australia’s Information Warfare Division headed by Major General Marcus Thompson. The Division reported that attacks on infrastructure in Australia were on the rise.
National infrastructure, particularly utilities, is a key target, and Australia's digital maturity makes it all the more exposed. As an example, Australia has one of the world’s longest single electricity grids, spanning over 5,000 kilometres from Port Douglas to Tasmania, delivering power to much of the nation—and to our export customers.
The difficulties of protecting the grid and other utilities include:
- Sophisticated actors – Most threats to critical infrastructure are in the form of advanced, persistent attacks that linger and accumulate for years without exposure. Nation-states, organised cyber-crime syndicates and other groups have enormous resources and funds, enabling them to harness highly sophisticated malware. Often, intrusions are disguised as part of day-to-day customer traffic, making them difficult to expose or uncover—so the extent of the damage is not realised for months, or even years.
- Legacy systems – Critical infrastructure is typically burdened by monolithic, bespoke, old IT systems. Due to the scale of these networks, it’s difficult to transition these legacy systems into something less vulnerable. Without appropriate security controls and patches, this infrastructure will be unable to ward off today’s advanced threats.
- Central points of failure – Like many other nations, Australia has a centralised model of critical infrastructure. This creates a central point of failure where one intrusion point can have a ripple effect throughout the entire network. As we modernise utilities, we should rethink the integrations and dependencies of current critical infrastructure.
Building cyber-resilient utilities
The burden of defending our critical infrastructure should not fall on a single party.
Achieving cyber resilience in critical infrastructure requires true collaboration between utilities and government—drawing on the experience of the whole community to ensure the best response. Government must implement a new regulatory environment to support a community committed to risk-managed, compliant infrastructure; industry must be prepared to engage closely and share information with competitors.
In my view, some of the important enabling capabilities will be:
- A platform for community response – All critical infrastructure stakeholders should work together to achieve a standard and co-ordinated operating procedure for responding to reports of critical incidents in the community. This could include specific preventative measures, contingency operating capabilities and co-ordinated policy and media responses. Regular reviews and reporting will ensure standards reflect the risk environment.
- Trusted networks – Utilities that are competitors will have reservations about sharing details of their security experience and preparations. The Australian Government will need to establish a high standard of security to maintain confidentiality as data is transferred to and from companies. As this system will store and manage sensitive company data and would also be a target, it should be Information Security Manual compliant, with verification measures for receipt and transmission of materials.
- Standardised risk frameworks and approaches – This is key to a rigorous and robust community approach to cyber security. Standardised risk frameworks at a high level will enhance security measures across the community—from members with immature or absent risk management approaches to those with developed and mature practices. It will assure the critical infrastructure community and stakeholders that a standard of "best practice" risk management has been achieved and also help to defray costs to individual companies. Guidance and remediation governance frameworks will act as an ongoing guide for companies, ensuring their standards are current and creating a pool of capability.
By working together as a community, government and utilities can prepare Australia’s critical infrastructure to become a resilient and effective front line against ongoing cyber attacks.