In Australia, the federal, state and territory governments have defined critical infrastructure as: ‘Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.’
Critical infrastructure is an area where the cyber and physical worlds are converging—the operation of digital systems affects our physical world, and so a cyber incident can have direct and serious physical impacts on property and people.
The security risks are far from theoretical and have been known for many years. In 2000, a disgruntled ex-employee of the contractor that had installed the control system used radio equipment and a stolen laptop to interfere with the sewage treatment system run by the Maroochy Shire Council in Queensland, causing the release of raw sewage into local waterways and parkland. More recently, the Stuxnet attack on Iran’s uranium enrichment facility and the 2015 and 2016 attacks on Ukraine’s power grid, attributed to Russia, have shown that states are active in this area. Few people would contest that ensuring the cyber safety of operational systems in our critical national infrastructure should be a key priority.
However, research carried out for my recent ASPI paper shows that more can and should be done. While there is a recognition of the risk at a conceptual level there is a strong feeling that it is not getting the attention it needs from senior decision-makers. Why is this, and what should we be doing about it?
Firstly, we need to ensure awareness of the differences involved in securing ‘operational technology’ (OT) systems. In recent years we have made great strides in understanding and mitigating information security risks, but often these lessons don’t translate well into the OT world. OT equipment has a long lifetime (10–20 years, compared to about five years for typical IT equipment), making it difficult to keep it supported and up to date. Even if updates are available, it’s often not feasible to take systems offline to apply them, because the physical process they control cannot simply be paused. And detection tooling, including the latest artificial intelligence solutions trained on IT traffic and IT attack patterns, may completely miss a cyberattack on OT, where the protocols are different and a malicious action can look like an ordinary, well-formed command that changes a physical setpoint.
The next step is to encourage and empower boards to explicitly understand and define their cyber risk appetite. Critical infrastructure in Australia consists of a whole range of sizes and types of organisations—from small regional councils operating water and sewerage systems to large multinational companies. Varied approaches will be needed, including defining standards and getting the right corporate governance and regulation.
Organisations need to have a clear understanding of the consequences and potential risks of their actions. The risk calculus is different where the potential impact is the catastrophic failure of key infrastructure, and recognising this should drive better decision-making about how digital transformation is applied, as well as about the mitigation plans that are put in place so that change can be made safely.
Finally, we need to ensure that the right resources and solutions are available to help mitigate risks. This should include programs to educate and develop the workforce, but also ensure better sharing of threat intelligence between government and industry, as well as between businesses. In his address to the ASPI National Security Dinner earlier this year, former NSA chief Mike Rogers made a convincing call for a stronger real-time partnership between critical infrastructure players and the government.
We are at an inflection point in the convergence of physical and cyber systems—the people we spoke to for our research said there had been little change in the last two years, but they expect this convergence to accelerate in the next two years. The arrival of 5G and the internet of things are just two of the factors driving this.
The history of the internet shows that too often we have been playing catch-up and trying to apply security as an afterthought. In this field we have an opportunity to change that narrative.
However, none of the suggestions above are quick fixes, so we need to prioritise resources and get moving quickly before technology overtakes us.
Rajiv Shah is the managing director of MDR Security and a non-resident fellow at ASPI’s International Cyber Policy Centre.
This article was published by ASPI on July 3, 2019.