Could critical infrastructure cybersecurity see uplift in Australia?

  • There have been increasing attacks on critical infrastructure in Australia. 
  • 2024 could see more focus on improving cybersecurity in this area. 
  • However, the skills shortage remains a concern for cybersecurity. 

When DP World Australia was hit by a cyberattack recently, it not only disrupted operations in the port but also marked the latest cyberattack on Australia’s critical infrastructure. The latest but by no means the first. In recent years, Australia has witnessed a significant increase in cyberattacks on its critical infrastructure.

In October 2022, Australia’s biggest health insurer, Medibank, suffered a ransomware attack. The cyberattack affected systems including online services and claim processing. Another major critical infrastructure cyberattack on services in Australia was the JBS meat processing company incident. Hackers were able to temporarily shut down some operations in Australia, Canada and the US, with thousands of workers affected, disrupting the supply chain.

A critical infrastructure cyberattack is a malicious act that targets vital systems such as power grids, water supply, and transportation networks, intending to disrupt essential services and cause widespread damage. These attacks can be carried out by hackers, criminals, terrorists, or nation-states, and can have severe impacts on the security, economy, and well-being of a country and its citizens.

While cyberattacks on critical infrastructure are not a new threat, they have become more frequent and sophisticated in recent years, as technology and international trends create new vulnerabilities and opportunities for attackers.

Given the increasing number and frequency of cyberattacks, experts in Australia and New Zealand predict critical infrastructure owners will enhance operational technology security as legislative changes take shape, but skills shortages and visibility over networks remain key issues. In Australia, the predictions come on the heels of the launch of the 2023-2030 Australian Cyber Security Strategy by the Federal Government, and as Security of Critical Infrastructure (SOCI) Act measures make an impact across critical infrastructure providers.

Critical infrastructure cybersecurity is essential.

Improving critical infrastructure cybersecurity

According to Nozomi Networks, Australia and New Zealand critical infrastructure owners/operators will see a major uplift in cybersecurity, particularly in their operational technology (OT) and IoT environments next year. The company’s ANZ OT and IoT security experts called out the importance of improving visibility over networks and devices, ‘secure-by-design’ frameworks, avoiding victim blaming when organizations are attacked, and tackling the skills shortages impacting the industry.

Anthony Stitt, regional senior director for Nozomi Networks, explained that as the official and unofficial grace periods on the SOCI requirements come to a close, it’s possible that regulated critical infrastructure providers will continue to uplift their OT and IoT security posture. He believes that interest from non-regulated adjacent industries is high and that more organizations will begin the journey.

“The inaugural Critical Infrastructure Annual Risk Review highlighted some important risks, including vulnerabilities in the connections between IT, OT and IoT environments, cyber-literacy and security practices are not keeping pace with digitalization, and next-generation technologies are needed to change the way to assess risk.

“One of the key issues to address is visibility over deep, widely connected networks with so many devices potentially talking to each other. All too often, IT and OT networks run together on the same flat network. For these organizations, many are planning segmentation projects, but they are complex and disruptive to implement, so in the meantime, organizations want to understand what’s going on in these environments,” said Stitt.

At the same time, Stitt felt it was really positive to see that organizations are more willing than ever to get their foot in the door. They understand there’s a lot of work to do, but starting with some basic tools and monitoring capabilities can still make a huge difference and begin the process of maturation.

“In Australia, the government has performed very well by developing and executing the SOCI legislation reforms, and other regions are engaged in or considering similar initiatives. But across the region, we need a generational change to move away from victim blaming when cyber-attacks occur.

“There’s always something an attacked organization could have done to remain protected, but we can’t forget that cybercrime is a crime. Greater involvement and offensive capabilities from law enforcement will help to change that mindset, and it’s great that is a priority from government through the 2023-2030 Cyber Security Strategy,” added Stitt.

Experts in Australia and New Zealand predict critical infrastructure owners will enhance operational technology security as legislative changes take shape. (Image generated by AI).

Addressing the skills shortage

Marty Rickard, director of customer success and technical support for Asia Pacific at Nozomi Networks, said that the industry in Australia and New Zealand is still embattled with a major skills shortage. The limited talent is spread primarily among vendors, leaving gaps in internal OT teams and partners, which provide a broader range of security-focused services.

“People talk a lot about the skills shortage in IT, but at least there’s a fundamental understanding of the importance of security in IT. That can’t be said of OT yet, but it’s improving – we’re going through the same pain IT did a decade ago, building these skills and understanding, often from scratch, which is positive,” Rickard explained.

As it matures, Rickard mentioned the need to see OT and IoT security become ingrained into governance, risk and compliance (GRC) teams. Nozomi Networks will be working closely with a range of critical infrastructure providers to take or at least build towards that journey in the year ahead, but the inaugural Critical Infrastructure Annual Risk Review reminds the industry that these skills shortages aren’t going away.

Rickard added that in New Zealand, there is some much-needed maturity in the market which is positive and is expected to continue in 2024.

“The ‘sky is falling in’ fear-mongering is being replaced by practical engagement, technology discussions, and compensating controls to recognize and address risks for what they are,” added Rickard.

Skills shortage can be a problem for critical infrastructure cybersecurity. (Image generated by AI).

Critical infrastructure needs to be secure by design

Another way of improving cybersecurity in critical infrastructure is by ensuring networks and devices are secured by design. Dean Frye, a Nozomi Networks solutions architect for Australia and New Zealand, feels that this will ramp up significantly in 2024. But he also acknowledges that there are still too many projects taking place where secure by design isn’t considered, and isn’t known or understood as a concept.

“It comes down to fundamental controls normalizing and recording the privileges granted to each device and network, holding that in a database and reviewing it regularly, assisted with automation tools. We need a major education and upskilling journey to change this, and the advent of SOCI, greater knowledge sharing between facilities managers, OT professionals and others are making a difference,” said Frye.

There is also the challenge of legacy critical infrastructure, which Frye believes will be a greater challenge, as some of these environments were built before cybersecurity even existed.

“One example we encountered involved a council environment where a sewerage system network had an open line to the council chambers, the library, the dog pound, and more. This creates unnecessary risk, but segmenting and securing these networks in a legacy environment takes time. We’ll see a strong improvement in this space in 2024, but ultimately it will take a long time to fully rectify,” Frye stated.