The links between infrastructure in the utilities sector and security vulnerabilities are becoming increasingly complex. This is becoming more evident as once air-gapped critical utilities infrastructure relies more on converged information and operational technologies.
While information technologies remain far from secure, operational technologies represent a far greater point of weakness. Apart from being typically under-protected and overlooked for updates and patching, the operational technologies supporting critical infrastructure usually comprise outdated software and operating systems.
The harsh reality is that these technologies are highly vulnerable to infiltration, and cybercriminals who gain access can perpetrate undetectable, uncontrollable and unrelenting actions. Whatever the criminals’ objectives are, it is inevitable they will achieve them.
To manage these risks, it is crucial that security is well planned and receives strong executive and board support. Up-to-date security management is vital for every organisation, and this article provides key tips on what any company in the utilities sector needs to include in its planning.
Continuous infrastructure breaches cause huge human and financial cost
Gartner states “continuous cybersecurity breaches against critical infrastructure industries will result in environmental events exceeding $10 billion, catastrophic loss of life and new regulation, globally, by 2019.”
With most critical infrastructure depending on other critical infrastructure services to operate, an attack on any physical or virtual system, asset or network could disrupt an entire country’s critical systems. Not only does this have the potential to be detrimental to Australia’s economy, it also poses a serious physical risk to civilians.
The Australian Government’s non-regulatory approach to critical infrastructure resilience means the nation’s social and economic wellbeing relies on business-government partnerships. Under these partnerships, public and private operators and owners of critical infrastructures are entrusted to independently assess their operational risks and determine the most appropriate mitigation strategies.
While many owners accept that ensuring the security of their assets is a cost of doing business, the lack of minimum cyber security frameworks can tempt industries to opt for cost-effective rather than all-encompassing strategies. Defective systems may instigate unauthorised actions, disrupted operation, equipment shutdown and supply outage leading to environmental flaws. Second only to the potentially catastrophic endangerment of human lives is the risk of financial penalties, regulatory investigation and reputational impact.
People central to infrastructure security
The Australian Government has recognised the issue of technology security in utilities and in May 2015 launched the Critical Infrastructure Resilience Strategy. This strategy comprises two core policy objectives:
- for critical infrastructure owners/operators to be effective in managing reasonably foreseeable risks to the continuity of their operations; and
- for critical infrastructure owners/operators to be effective in managing unforeseen risks to the continuity of their operations through an organisational resilience approach.
While the theory underpinning the strategy is strong, the strategy’s effectiveness relies heavily on people working in critical infrastructure being proactively involved in sharing information, furthering education and taking action to continually improve security.
To ensure the overall strengthening of the utilities sector, all operators and owners have a responsibility to maintain the security of their assets and the safety of the wider community.
Through my years of experience providing information security management and strategy development and implementation, I have established the following five tips for sound security management:
1. Education and awareness: Develop and implement a comprehensive program of activities to build a strong security culture. Your program must extend from the board to frontline employees. To create an organisation-wide shift, ensure that key stakeholders understand the challenges, issues and risks. Awareness empowers change.
2. Enterprise security architecture: Ensure an enterprise-wide security structure is developed. This structure needs to link business objectives and business attributes to security principles, then to threats, risks and controls. The structure must extend from information technology to operational technology to minimise risks and support convergence.
3. Service provider governance: Ensure all key external parties and service providers clearly understand the security controls they are responsible for. If anything needs to change from a security perspective, ensure they are included in the Education and Awareness program described in Point 1.
4. Security in projects: Ensure there is a well-defined and repeatable process for managing security through project life cycles. Harvest good results from projects to improve the efficiency of the process.
5. Build a suitable team: Develop a case to get support for your security team either by adding external help or internal headcount. A good option is to have a number of disciplines available on demand, such as security architects, security testers, security operations experts and security managers. You may never have the need for full-time resources, but getting support will be important in building and maintaining the momentum of your strategy.
In conclusion, as information and operational technologies converge, the complexity of maintaining security increases. Over the next five years, the utilities sector will see the volume of security risks climb sharply and, consequently, more pressure will be placed on executives and boards to effectively manage these needs.
Regardless of increasing security demands, growing communication about and awareness of information security in utilities mean that inadequate management of systems and assets is inexcusable. With safety as the number one priority and the knowledge that prevention is better than remediation, the responsibility is everyone’s and the time to act is now.
This article was brought to you by Enex TestLab, content directors for CSO Australia