Lack of focus on security of Australia's critical infrastructure: ASPI

The maturity and understanding of operational technology risk lags that of IT systems. The Australian Cyber Security Centre could take a lead role in bridging the knowledge gap, says a new paper.
Written by Stilgherrian , Contributor

There are significant shortfalls in the security of Australian critical national infrastructure providers, according to a new paper from the Australian Strategic Policy Institute (ASPI) International Cyber Policy Centre (ICPC) published Tuesday.

The problem is one which has been identified previously: the convergence of operational technology (OT) systems that were traditionally kept separate with organisations' information technology (IT) systems.

OT is the combination of hardware and software systems that control the physical works. This includes the industrial control systems that operate everything from power plants and water distribution, to railways and oil refineries. 

"Among Australian critical national infrastructure providers, the level of maturity and understanding of the specific risks of OT systems lags behind that of IT systems," the paper said.

"There's a shortage of people with OT security skills, commercial solutions are less readily available, and boards lack specialist knowledge and experience."

In interviews with a dozen critical infrastructure providers cross the key sectors of telecommunications, energy, water and transport, two-thirds felt they were only partially prepared or underprepared to respond to a real incident.

"Many organisations clearly felt there was scope to do better," the paper said.

"Half said there was room for improvement in their understanding of the degree of convergence in their systems and in ensuring that they had a comprehensive view of the risks and vulnerabilities," it said.

"Less than half were able to confirm that vulnerability testing of their OT systems was carried out at least annually."

In a third of the organisations, the OT security incident response plan was the same as the IT security incident response plan.

"The different approaches for isolating and recovering from OT attacks, and the focus on availability in OT, mean that recycling the IT response plan for this sort of incident is unlikely to be effective."

Titled Protecting critical national infrastructure in an era of IT and OT convergence, the paper was written by Rajiv Shah, managing director of MDR Security.

The paper comes at a time when critical infrastructure protection is a live media topic.

According to one report, a hacking group described as the "most dangerous threat" to industrial systems has taken a close interest in power grids in the US and elsewhere.

Only two weeks ago, cyberwarfare escalation took a new and dangerous turn with reports that the US was inserting malware into Russia's power networks.

Meanwhile, here in Australia, "the ability to prevent, detect or respond to these attacks remains low," wrote Andrew Dowse and Mike Johnstone from Edith Cowan University in Western Australia.

"Cyber warfare is a reality. We should expect that cyber criminals and nation states adversaries could have some impact on our lives in [the] future by attacking critical infrastructure, such as the electricity grid," they wrote.

"Securing our infrastructure is a priority for the government and increasingly recognised as such by the market participants. The cost and need for security mitigations may seem unpalatable to many, but steps need to be taken to prevent a return to the dark ages."

The ASPI paper suggests that the problem needs to be addressed by setting expectations from the board level down, identifying and managing the risks, setting standards and guidance, education and workforce skills development, and sharing threat information.

While there's a "general lack of focus", mature understanding, or effective solutions for the OT risks, the paper notes that some of the measures are already being implemented.

These "may still need accelerating or boosting", however, and "some are more critical than others".

The top three recommendations are:

  • Boards of critical infrastructure providers need to explicitly set their OT cyber risk tolerance and monitor their organisation's performance against it. "The Critical Infrastructure Centre would appear to be best placed to coordinate and drive this across Australia to ensure a common best‐ practice approach," the paper said.
  • Better education and information are needed at all levels . This includes general awareness and training, specialist courses at TAFE and other institutions, better threat information sharing, and technical information sharing. "The Australian Cyber Security Centre [ACSC] could lead this activity, aligned with its existing programs of work," the paper said.
  • Resources need to be prioritised. "The longer that action is delayed, the more of a head start malicious actors will have, the more convergence will have taken place without security being at the core, and the greater will be the threat," the paper said.

"Given the potential impact to society and our national security from the accelerating convergence of IT and OT systems, it's important that this issue is prioritised and managed effectively," the ASPI paper said.

Related Coverage

Australia signals Indo-Pacific focus for Five Eyes

Defence Minister Linda Reynolds says Australian-US cooperation will be about coordinating the nation's respective Indo-Pacific strategies, with an emphasis on developing "complementarities" and building self-reliance.

5G just part of technology's 'new Cold War frontline'

As nations search for technology that 'confers a decisive strategic advantage' in controlling the 'global digital commons', the global political trends are reminiscent of the 1930s.

Australia should name parliament cyber attackers

In the case of such a blatant attack on Australia's institutions of government, we should stand ready to point the finger and impose some real costs on the adversary.

Germany to publish standard on modern secure browsers

Germany's cyber-security agency to publish a document on the features of a modern "secure" browser.

How SMBs can better protect sensitive data against cyberattacks (TechRepublic)

Know your enemy and know your risk are two pieces of advice offered in a new report from security company eSentire.

Editorial standards