Critical infrastructure sectors at greater risk of attacks
Critical infrastructure and essential service industries have been placed in the spotlight over the past two years. As a result, Australia has made great progress in addressing threats against vital elements of our economy and society.
Following amendments made to the Security of Critical Infrastructure Act 2018, which took effect on 8 July, many more Australian businesses are now subject to strict 12-hour cyber incident reporting requirements. Furthermore, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 from April 2022 introduced a new obligation for responsible entities to create and maintain a critical infrastructure risk management program.
However, a global report by security expert Thales – Cyber Threats to Critical Infrastructure 2022 – has found that critical infrastructure industries around the world are still facing major challenges and gaps in their approach to protection and risk management.
A lack of protection around cloud-hosted data and apps, combined with a rise in the scope and severity of attacks in the past 24 months, has increased the threat level from hacktivists and nation-state actors. Security approaches, no longer fit for todays evolving threat landscape, are now putting nations, organisations and peoples lives at risk.
"Previously, few viewed Australia as a significant global defence player, posing minimal threat to the strategic interests of other countries," says Brian Grant, ANZ Director for Thales Cloud Security
"This changed significantly in the last two years with Australia's membership to security pacts, AUKUS and The Quadrilateral Security Dialogue, placing us firmly in the democracy bloc," he says.
"As a result, we have become a target. We are now more at risk than ever from attacks on our society."
Grant says attacks on critical infrastructure and essential services are not always financially motivated.
"Malicious actors often want to significantly damage things or cause physical harm to people," he says.
"The reality, therefore, is that many companies may have already been attacked without knowing it. Once malicious actors have compromised their target, they often stay hidden under the radar ready for an economic, geopolitical, or financial event before they attack."
Grant says the pandemic has reshaped and extended what Australians view as critical.
"Retailers and logistics providers have proved to be just as vital as utility companies and telcos. Now, many industries and organisations that have never had to worry about Government regulations must comply with strict requirements," he says.
"Those that have recently been added to the critical list are the ones finding it hard because there is not yet a standardised or coherent approach to critical infrastructure cybersecurity within their industry.
"In Australia, we find that healthcare remains a highly attractive target for attacks," Grant says.
"In some respects, healthcare organisations are being hit more and more because they are diversified. They use a lot of different providers and don't have an industry-wide approach to cyber protection like you would find in utilities for example.
"Often, health organisations only view certain elements, such as medical devices, as critical when putting cyber protection in place," he says.
"What they need to do is look at the complete picture, including patient data and supply chains, which are just as critical in enabling their organisation to function."
Grant says SOCI is not about more compliance, it is about tying in the role of cyber security to critical service and supply chains and ensuring cyber security is part of safety practices across the entire spectrum of critical infrastructure.
According to Grant, organisations that operate within critical infrastructure industries need to do six things to increase protection levels:
1. Assess whats truly important to the sustained functionality of the organisation
2. Map that onto physical and digital assets within the organisation to discover the critical elements that must be protected
3. Treat the assessment of critical elements as an instinctive and embedded process. Assets and data are continually evolving so one-off audits will quickly become outdated
4. Apply security as soon as critical data or infrastructure is identified don't wait
5. Protect sensitive data and infrastructure at rest, in motion and in use, making it useless if accessed by an unauthorised individual
6. Control access with multi-factor authentication and centralised key management across on premises and hybrid cloud environments
"The key take away is that securing the edge is no longer a sufficient approach to minimising the impact of attacks on critical infrastructure," says Grant.
"The CEO's laptop might be important to him or her, but its unlikely to be critical to the ongoing functionality of the business.
"Organisations must ensure they are protecting their vital assets and data to avoid significant financial damage, loss of employment or, even, loss of life."
More than 2,700 respondents from organisations in critical infrastructure and other critical/essential services sectors globally, including manufacturing, healthcare, financial services, government and more, were surveyed for the report.
The report found 44% of respondents reported increases in the volume, severity and/or scope of cyberattacks in the past 12 months. More than a third (39%) of respondents experienced a security breach in the past 12 months, 6% higher than average. Also, only 28% said they could fully classify their data, and only 49% believe they could classify at least half of their data
Security concerns about quantum computing continue to increase; only 2% of respondents have no concerns about quantum-related risks. Key concerns include future decryption of todays data (52%), risk of network decryption (56%), risk of blockchain attack (49%) and key distribution (46%).
Respondents were asked to identify which targets for attacks most concerned them; cloud-based storage, cloud databases, and cloud-hosted apps were the top three.
A majority reported that they have more than 40% of workloads and data in the cloud; 54% reported that more than 60% of their cloud data is sensitive. Most respondents also indicated that they have more than one cloud (IaaS) provider, leading to potential issues with the complexities of securing multiple cloud environments.
Respondents prioritised accidental incidents (human error), hacktivists, cybercriminals and nation-state actors as their top four threats. Remote working has also increased the risk to critical infrastructure: More than three-quarters (79%) of respondents were very or somewhat concerned about security risks and threats from employees working remotely.
Across all critical infrastructure organisations, 55% of respondents ranked malware as the leading source of increased security attacks, followed closely by ransomware (53%)
Transportation companies reported higher malware increases than average (65%) and lower cases of ransomware (45%), while trucking and shipping reported considerably lower malware (32%) but much higher ransomware incidents (64%)
The report says criminals have realised that successful attacks against high- profile critical infrastructure organisations have a higher probability of a payoff. Ransomware has changed breach economics. Given the mature, regulated nature of these industries, respondents demonstrated a stronger aversion to harder rather than softer intangible costs from ransomware. Nearly a quarter (24%) of respondents ranked financial losses, such as lost sales or penalties from lawsuits and legal expenses, as the greatest impact from a successful ransomware attack, whereas 19% cited lost productivity and 17% said recovery costs.
The study also showed insufficient ransomware preparedness. Ransomwares' power comes from immediate kidnapping of data and critical systems, requiring a rapid, rehearsed response plan. Yet only 45% of respondents have a formal ransomware plan.
Also, only 51% of critical infrastructure organisations indicated that they use MFA
Critical industry respondents willingness to pay ransom was 20% ; enterprises may not have a good understanding of the effects of all the parties involved, such as cyber insurance underwriters, incident response firms, government regulations and ransomware attribution.
Responses indicated a curious gap between selecting encryption and key management - When asked to select which technologies protect data in the cloud, 62% chose encryption, while 51% selected key management. This discrepancy is likely because organisations are unaware of how their keys are managed, Thales says.
A focus on key management rather than simply deploying encryption to check a box is critical because improper key management can lead to vulnerabilities and successful attacks encryption is only as good as the keys in use (and how they are managed).
Critical infrastructure organisations typically have highly distributed infrastructures that include warehouses, shipping ports, power lines, trucks, transmitting sites and railroad assets. Adopting zero trust principles can be a key strategy by ensuring least privilege access to highly distributed, high-value data and assets
Only 30% of respondents have a formal Zero Trust strategy and have actively embraced Zero Trust policies, while 26% have a Zero Trust strategy in planning and research stages and 22% have no formal Zero Trust strategy at all.