Australia’s second-ever cyberwar games, codenamed “Operation Shell Breaker”, took place in Sydney last month. Government representatives from Human Services, the Australian Tax Office and Home Affairs came together with corporate representatives from the banking, telco and energy sectors to take turns attacking and defending critical infrastructure networks on a Lego smart city.
Operation Shell Breaker provided a valuable opportunity for our Government to test and strengthen national security efforts, but it also raised a broader issue that many more will be grappling with today.
From healthcare and transport, to water and power, how do we provide effective cybersecurity for the industrial control systems that underpin the foundation of our critical infrastructure?
Over the past 18 months, critical infrastructure asset owners have been challenged by a mushrooming threat landscape coupled with a significant rise in digital transformation and the industrial internet of things (IIoT). Businesses are trying to leverage the promise of cloud-driven data services in the industrial space while navigating a landscape that can be overwhelming and unpredictable.
We have seen an increase in attacks like NotPetya that expose security challenges in the industrial area, including basic controls and practices such as patching. Furthermore, there has been an increase in attack sophistication, such as the Ukraine substation incident, where a multi-faceted attack shut down a distribution load, and the recent Triton/Trisis attack, where the attackers successfully demonstrated their ability to shut down a safety system - the final element of a process protecting human life and safety.
Australia is not immune to these threats – and steps being taken at the highest levels indicate the rising level of concern. Earlier this year, the Government passed a critical infrastructure national security Bill that will give the Minister a 'last resort' power to direct electricity, gas, ports, and water entities to 'do or not do a certain thing' to mitigate national security risks.
Addressing this type of threat isn’t easy. We know that most companies are struggling to rapidly deploy visibility, detection and response across the plant floor without impacting availability. At the same time, they are challenged with developing robust security awareness, identity management and privileged access control that can help minimise the risk from insider threats.
Security and visibility are required through all levels of an industrial control environment. While protecting the network from outside attack is an important part, consideration of attacks from inside is also critical. Industrial operations are not immune from insider threats, and that’s why businesses should consider a human-centric approach to cybersecurity, managing the threat from malicious, negligent or accidental breaches of data.
Australian industries can no longer afford a siloed approach to critical infrastructure protection, where information technology (IT) and operational technology (OT) systems are managed separately. The underlying technologies, threats and risks are homogenizing across IT and OT, so now is the time for all security professionals to work together. IT teams can learn how to construct and operate truly critical systems, and OT teams can learn how the changing cyber landscape affects their environments.
Our nations, economies, and lives rely on a backbone of critical infrastructure industries. It’s time for critical infrastructure asset owners to draw inspiration from Operation Shell Breaker and take the steps they can to prepare for this complex type of threat.