By Robert Di Pietro, Partner, PwC Australia Cyber Security, National Lead for Critical Infrastructure & Operational Technology
An increase in attacks on our key utilities
The national conversation about the cyber threats faced by Australian governments and businesses is ramping up. In May 2021, Mike Pezzullo, Secretary of the Department of Home Affairs and one of Australia’s top national security figures, said cyber attacks against Australia’s critical infrastructure were his “most pressing and immediate concern” – going so far as to call the threat of a breach that could take down the nation’s electricity network “realistic”, “credible”, and “deeply concerning.”
This comes less than a year after Prime Minister Scott Morrison revealed that entities at all levels of government, industry, politics, education, health, and essential services had come under targeted cyber attack by a sophisticated state-based actor.
Australian organisations are no strangers to the consequences of a successful cyber attack. The system outages, financial loss, and reputational damage resulting from a ransomware infection or data breach are now part of the weekly news cycle.
What concerns an increasing number of people is the catastrophic possibility of a successful cyber attack on Australia’s critical infrastructure.
After all, the consequences of a breach in critical utilities go far further than financial loss. They include the potential for prolonged outages of essential services and, subsequently, impacts on health, safety, and even national security.
Recent global and local incidents
After discovering a cyber intrusion within its IT systems, the operator of the Colonial Pipeline in the United States proactively took systems offline to contain the threat, grinding the pipeline's operations to a halt in the process.
Because Colonial is the largest refined oil pipeline system in the US, the outage resulted in widespread shortages of gasoline, diesel, jet fuel, and heating oil along the south-eastern US coast.
Some analysts described the incident as “the most significant, successful attack on energy infrastructure we know of in the United States.”
On the local front, government entities including NSW Health and Transport for NSW were impacted by the worldwide attack on approximately 100 organisations via a file transfer system owned by US technology company Accellion.
Whilst medical records in public hospitals were not affected, hackers exploited a security loophole which resulted in sensitive NSW documents, including health-related personal information, being stolen and posted on the dark web.
The NSW Government launched its refreshed cyber security strategy in May 2021, including significant investment to further enhance overall cyber security resilience and so ensure the safety and security of citizens and communities online.
The tightening regulatory environment
The Security of Critical Infrastructure (SOCI) Act 2018 brought welcome focus to the security of essential industries, including electricity, water, gas, and ports. But it quickly became clear that those industries alone were not enough.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 intends to expand the SOCI Act to mandate obligations on companies across a broader range of critical sectors, reflecting the changing security priorities identified in the Australian Cyber Security Strategy 2020.
The Draft Bill is expected to begin enforcing its obligations from mid-2021. The enhanced regulatory framework brings additional clarity to the steps required to strengthen cyber resilience, enabling industry and government to work together more effectively.
For some organisations, the additional SOCI obligations will be simple to implement and will complement activities they’re already undertaking.
For others, uplifting cyber capabilities to meet proposed regulatory requirements will involve more significant cost and effort.
Organisations should focus not only on meeting new obligations, but equally on ensuring that the resources needed to maintain that progress, including increased headcount and annual OPEX budget, are put in place.
Moving beyond security to build resilience
So, where to start for critical infrastructure providers, including utilities? First, it's important to ensure you're aware of your organisation's obligations under the Security Legislation Amendment (Critical Infrastructure) Bill 2020, as well as other state cybersecurity legislation such as state-based licence conditions.
The traditional view that we can isolate critical systems is becoming outdated as businesses increase levels of connectivity and adoption of technologies like cloud and Industrial IoT.
Many organisations still look to the Purdue Model, which was developed before the advent of contemporary technologies such as cloud and IoT, as a framework for segregating operational technology (OT) environments.
While this can offer a helpful lens through which to assess an organisation’s security, it should instead be considered just one piece – a technology-centric piece – of a bigger puzzle that cannot be solved by technology alone.
As the lines between physical and digital disruption are blurred and attacks become more of an inevitability than a possibility, there is a growing need to shift from a preventative mindset to a more holistic, resiliency-based approach across people, process, and technology.
Our ability to detect and respond to attacks in a manner that minimises disruption to services is even more urgent in the case of critical infrastructure providers such as utilities, whose provision of services can have health and safety or national security implications.
The key is to make your approach consistent across every aspect of how your business assesses, detects and responds to disruptions, whether digital or physical. Consider that the attack on the Colonial Pipeline did not hit the operational technology or gas pipeline assets themselves, but instead started with a phishing email.
As Colonial began to fear the attack would spread and it would lose control of its systems, the business shut the pipeline down itself.
This failure to adequately insulate mission-critical systems (such as a gas pipeline) from events impacting lower-security environments (such as email systems) is a glaring example of the need for greater resilience.
We as humans regularly take steps to build our own resilience, so that in the event we become ill or catch a cold, we can recover as soon as possible and carry on with our most important tasks.
We accept that, despite our best efforts, it is not always possible to guarantee prevention. Similarly, critical infrastructure organisations must accept that cyber incidents will occur – the measure of success isn't stopping them, but how they respond to and recover from them.