by Lauren DeLorenzo, Journalist, Infrastructure magazine
As the Internet of Things (IoT) expands available datasets and smart technology is implemented in the utility and infrastructure sectors, the need for robust cyber security systems has never been greater. A panel at the recent Critical Infrastructure: Digitisation Series Virtual Conference invited industry leaders to discuss potential risks to these systems, the impact of new security legislation, and what asset owners should be doing to protect their infrastructure.
The panel session was part of day two of the Critical Infrastructure: Digitisation Series, Cloud Infrastructure: Opportunities in digital infrastructure. Featured panellists included:
♦ Robert Di Pietro, Partner and National Lead for Critical Infrastructure and Operational Technology, PwC Australia
♦ Elena Sitnikova, Critical Infrastructure Protection, Research Leader at UNSW Canberra at the Australian Defence Force Academy (ADFA)
♦ Frank Zeichner, CEO of IoT Alliance Australia
Cyber security threats
Cyber attacks cost Australia millions of dollars each year, with the Australian Cyber Security Centre (ACSC) finding a 13 per cent increase in cyber crime between the 2020-21 financial year and the previous reporting year. Approximately one quarter of reported cyber security incidents affected entities associated with Australia’s critical infrastructure.
“A bit less than a year ago, the Prime Minister publicly stated that Australia is coming under threat from sophisticated cyber threat actors, and we’ve seen that play out in many organisations here in Australia who have been impacted,” Mr Di Pietro said.
“So I don’t think it’s a question of if it’s a threat. I think it’s a matter of understanding how we need to prepare for that and respond to that, and be more resilient.”
According to the ACSC Annual Cyber Threat Report 2020-21, some of the greatest threats to cyber security included exploitation of pandemic-related services, and ransomware was identified as one of the most significant threats to Australian organisations. Mr Di Pietro said that risks to OT systems could be quite significant and pose numerous challenges.
“Some of those systems are quite old assets that may have been running for years, if not decades. Some of them are even in pre-internet kind of era systems,” Mr Di Pietro said. “With this increasing trend of IT and OT converging, those systems are finding themselves more vulnerable than they were certainly designed to be.
“So that’s a challenge for many organisations, not only protecting and securing them, but actually understanding what assets they have that need to be protected.
“Because if you can’t understand what digital systems you have, particularly in that industrial control systems space, it’s really hard to know how to secure them.”
When discussing the blind spots organisations have when it comes to cyber security, Dr Sitnikova explained that one could be the interval between when an attack occurred and the system recovery.
“It’s where we have the weakest link in their Operational Technology (OT) system converging with IT systems through the new devices,” Dr Sitnikova said.
Mr Zeichner explained that these risks can be exacerbated by the ever-expanding application of IoT, for example when it comes to the energy industry for distributed energy resources.
“The Internet of Things opens up data sources outside the boundaries of your own operations, in this case, into consumer and business energy use, load balancing and even generation. So it’s no longer an internal SCADA-run thing that’s all under your control, it now spills over – that’s the classic case,” Mr Zeichner said.
“We’re going to have thousands, millions of distributed energy resources that actually provide the low energy grid that we’re going to be using. It won’t be just a few distributors centrally sending out power from their power station.”
Mr Zeichner said that considerations for the energy sector must include not just the equipment, but also the data generated by consumers.
“You may have heard that new saying, ‘prosumers,’ where the consumers are also generators. They’re part of the system,” Mr Zeichner said.
Another security aspect is that with new smart technologies, infrastructure providers are able to see which devices customers are using, and can even turn them on and off.
Such advances open up security, privacy and even safety risks. For example, data on usage reveals customer behaviour, which can be personally identifiable data.
“It’s a vulnerability, which means the implications are massive. The opportunity is great, of course, in terms of renewable data. But there’s a lot of work to be done in that space,” Mr Zeichner said.
“While we increase the utility of our services in our data, we increase the threat, which means we have to get much smarter about our data management policies and data access policies.”
Security Legislation Amendment (Critical Infrastructure) Bill 2020
One of the biggest recent updates to cyber security is the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which intends to expand the Security of Critical Infrastructure (SOCI) Act from 2018.
The amendment expands the Act to include cyber security as one of four identified security pillars, alongside supply chain, physical security and personnel security.
Mr Di Pietro said that the obligations of an organisation will depend on the tier of critical infrastructure that they fall into, with systems of national significance at the top tier requiring more obligations.
“I think it’s fair to say many of those obligations are good practice elements of cyber security that most organisations are probably doing or aspire to do,” Mr Di Pietro said.
“Key additions being the government powers or the step-in rights for the government to assist or direct a response effort in the event of a cyber incident.
“All critical infrastructure operators need to be aware that there are penalties now for directors, for non-compliances if, for example, they are not meeting the obligations or the requirements as part of the act.
“That’s quite new for many of these sectors, they haven’t had cyber security regulation to this extent. So it’s certainly far-reaching in its consequences.”
Mr Zeichner said this is something that will really affect many technology suppliers and service providers in this space.
“If we just look at those areas of national significance, if you run our cloud or have a service that provides data as part of a service of national significance, you can be and probably will be brought up under this legislation one way or another,” Mr Zeichner said.
“This could mean a service provider of even a small, but important part of critical infrastructure, may be directed to curtail or even close down their service or technology.
“So you might need to think about separating out services. There are significant consequences to be considered, which is why the government’s now looking at each of these sectors independently because the powers are massive, and the effects could be disproportionate if not done well.
“So it behooves everyone to really understand the sector they’re in and how the new legislation affects them.”
Building cyber resilience
A recent PwC report, Building Cyber Resilience in Critical Infrastructure, outlined a five-step approach to creating a more holistic view of resilience. On the panel, Mr Di Pietro from PwC outlined what these five steps included.
“One is what we call proactive assurance activities and security testing. I think many organisations are familiar with security testing or penetration testing of their own systems to understand what vulnerabilities they have in order to remediate them and strengthen their resilience,” Mr Di Pietro said.
“But we are firm believers that this needs to take place particularly in that industrial IoT and OT portion of the network where historically, there’s been some hesitancy about testing in that space.
“Two is what we call establishing an OT cyber champion or expanding the role of the CISO. Point three would be making sure we consider security as part of our drills and rehearsals around crisis management.”
He said now, many critical infrastructure organisations do this really well when it comes to natural hazards and emergencies, so there’s an opportunity there to link that into cyber security.
“Related to that, the fourth point is around your business continuity plans, making sure you’re considering scenarios like ransomware and system unavailability,” Mr Di Pietro said.
“What would you do if your most critical systems were ransomwared? Would you pay a ransom? What’s your position on that? How comfortable are you with backups and things of that nature? Make sure that’s understood and again tested.
“The last point would be around making measurement key. So every organisation needs to have a useful set of metrics to measure progress.
“Ideally, you’re using the risk management language of your organisation. So in the same way you talk about other risks and reducing risk is the way you should talk about cyber security risks and report that in a consistent manner.”
How AI affects critical systems
IoT uses machine-to-machine information to analyse data and allow organisations to have high levels of automation, in some cases increasing productivity and efficiency.
However, the proliferation of these technologies further highlights the need for extensive and strong systems of protection, and this poses a particular challenge for remote operational analysis.
For example, it’s difficult to predict the maintenance needed for fully automated devices in the mining sector, which can be difficult to access.
Dr Sitnikova’s research explores the use of artificial intelligence in the analytics of abnormal data that may affect critical systems.
“It’s extremely important for us as researchers to understand how we can use new technologies to protect such systems,” Dr Sitnikova said.
“As researchers in the field of cyber security, we’re looking into the data and the analytics using artificial intelligence from the perspective of attackers.”
Dr Sitnikova said one of the key challenges for OT networks is with edge systems of brownfield Industrial IoT (IIoT), where new devices and technologies are deployed to interoperate with legacy industrial control systems and leverage the benefits of IoT.
These edge devices, such as edge gateways (a physical device or software program that serves as the connection point between the Cloud and sensors/actuators), have opened the way to advanced attacks such as targeted ransomware.
Thus, they are potentially vulnerable to cyber attacks. Because of the large amount of data, new methods of abnormal behaviour detection and AI need to be used. Dr Sitnikova’s research has helped develop a framework to detect targeted ransomware on edge systems.
“We developed this special design, the testbed which was used in a realistic environment for different attack scenarios. We injected that ransomware into the system,” Dr Sitnikova said.
“We also developed the datasets, which we then use for our machine learning analysis and artificial intelligence.
“For this particular one, we used our synchronous peer-to-peer, the deep learning methods to detect these ransomware attacks. So this is a very important area of research.”
Another key area of research is protecting data privacy in critical infrastructure.
“As we all know, the critical systems have different aspects to the CIA (Confidentiality, Integrity and Availability). For SCADA systems that operate in critical infrastructures, the availability comes first,” Dr Sitnikova said.
“A very new aspect of research is coming now, not only thinking about how we can make these systems resilient, but we also need to think about how we can make sure that they are antifragile.
“So antifragility is a very new area of research. It really expands the concept of intelligent security, intelligent methods because through their analytics and through the data collection and analysis, we can predict the behaviour of the system and use the methodology.
“We call it micro algorithms, to train the system to behave one or another way. So despite an attack, they will still operate and not be interrupted in a systems lifecycle or whatever the mission is for that critical system.”
Leadership in cyber security
The vulnerabilities created between OT and IT were described by panellists as partially being a workplace cultural issue. Dr Sitnikova said that everyone in an organisation should be aware of targeted attacks, not only staff who have technical skills to identify them.
“With these targeted ransomware attacks and attacks through spear phishing, it’s actually everybody’s business now. So we need to expand that culture to the slogan we use, ‘Cybersecurity is everybody’s business in every organisation’.”
Mr Zeichner said, “The cultural problem is that they’re often separate entities with completely different risk management profiles.”
“You can only break that down, in a way, at the risk management level to start saying, ‘Okay. How do we actually manage these risks that are coming over here that clearly affect multiple areas?’”
Mr Di Pietro said, “I think good leadership in this space tries to tie the theme of cyber security to core principles and the culture of the organisation.
“It’s difficult to go and talk to an engineer about cyber security. You have to use other words that will resonate with them.
“I’ve seen really effective leadership, not necessarily talk directly about cyber, but talk to what is core to the organisation. Then all of a sudden, you’re getting much better buy-in and cooperation. Then you can continue on that journey of embedding the right culture.”