By James Baker, First Assistant Director-General Cyber Threat Intelligence, Australian Signals Directorate
Hackers are evolving, and cyber defence must change to keep pace with emerging threats.
From ransomware threats to large-scale data breaches, most Australians are now unfortunately aware that the cybersecurity landscape is becoming increasingly perilous, particularly as our world grows ever more connected.
Nowhere is this danger more acute than in the critical infrastructure networks that underpin so much of daily life. While such systems drive sectors like energy, health, water, telecommunications and transport, they are increasingly vulnerable to malicious cyber attackers who are constantly evolving their tradecraft and techniques.
These systems often rely on networks and computer systems built years ago, before many of these cyber security threats were even conceptualised.
Yet now we face a deteriorating geopolitical environment and global conflicts that are driving a highly contested online environment, and critical infrastructure networks have moved from the fringe to the centre of focus.
The last 18 months have seen a rise in global cyber threats aimed at disrupting the technology that keeps these critical networks running.
This is expected to continue. The sheer volume of traffic and the more integrated nature of the internet, including in operational technology and industrial control systems, have created significant risk and vulnerability.
We continue to see serious incidents caused by a lack of cyber security awareness and hygiene, like failing to quickly patch vulnerable software or implement appropriate identity and access policies for vital systems.
That is why the uplift of cyber security across Australia’s critical infrastructure and systems of national significance is a priority for the Australian Signals Directorate (ASD).
Already we have seen malicious cyber actors revising their tactics to avoid regular defences by using legitimate tools and genuine accounts within a network to mimic regular system and network activity, in techniques known as Living-Off-The-Land.
Earlier this year, US cybersecurity officials warned about malicious cyber actors that were compromising and gaining persistent access to US critical infrastructure for the purposes of future disruption.
Australian critical networks could also be vulnerable to similar intrusions. Any network connected to critical infrastructure systems could be a target.
Unfortunately, cybercriminals and hacktivists also remain a persistent threat. Ransomware and data theft extortion pose a perverse, costly and highly disruptive threat to businesses and individuals.
The shift in actor techniques and intent poses significant challenges for traditional cyber security approaches and requires a mindset shift in our defensive posture. No longer are we looking for the known bad, but instead, we are searching for a needle in a haystack of ‘usual’ behaviours.
COVID had a significant impact on how businesses operated. In order to access and maintain networks, technology was quickly implemented to enable remote work, including in critical infrastructure organisations, and in some cases direct connectivity to critical infrastructure assets. This has given malicious cyber actors more opportunity to find weaknesses and get a foothold in our networks.
We have seen a number of vulnerabilities in edge devices – the exact technology that enables remote connectivity – and malicious actors weaponising these at record pace. It is imperative that operators understand their networks and prioritise protecting the most critical assets.
One of the roles of the ASD’s Australian Cyber Security Centre (ACSC) is to identify and disrupt malicious cyber activity targeting Australia. Our goal is to provide a comprehensive national threat picture that informs technical advice and assistance to make Australia the most secure place to connect online.
In many cases, we leverage our unique capabilities and relationships to proactively notify organisations of potential targeting of their networks. However, the majority of the networks providing critical services are privately owned and run on technology, software and services developed and operated by the private sector. The insights and intelligence that enable ASD’s ACSC to warn others and help thwart attacks early also come from industry and our partnerships.
A more resilient cyber landscape demands we work more closely in partnership, supporting each other across both business and government.
Our greatest defence is our ability to work together to defend against the cyber threats before us. ASD can offer intelligence, advice and assistance.
We need a coalition of willing and able partners to work tirelessly to make Australia’s most sensitive and critical digital infrastructure resilient to intrusion, theft and disruption.
There are steps critical infrastructure entities should be taking to help defend themselves.
Take the time to map and prioritise the defence of your network (e.g. patch those edge devices exposed to the internet as quickly as possible).
Ensure your board understands the consequence and impact of different cyber threats, and is able to prioritise management of those risks. Also crucial is a well-rehearsed incident response plan, so when, not if, an incident does occur, the organisation is able to quickly identify, contain and remediate the threat.
Enhancing the visibility of your network and building detection processes for relevant threats, like Living-Off-The-Land techniques, can also help an organisation identify and mitigate threats early.
Applying strong cyber security practices can help, such as ensuring strong multifactor authentication and applying secure-by-design principles to your supply chain by procuring trusted and verifiable technologies.
ASD is here to help. We provide guidance on hardening and protecting information systems, including systems used by critical infrastructure. We can offer technical assistance, from sharing threat intelligence to preparing and exercising a full-scale cyber incident response.
The ASD Partnerships Program helps organisations to engage with ASD and other partners, drawing on collective understanding, experience, skills and capability to lift cyber resilience across the Australian economy.
Our Cyber Threat Intelligence Sharing (CTIS) Platform, which partners can opt to sign up to, shares indicators of compromise in real time within a growing community of Australian government and industry partners.
Meanwhile, CI-UP, our Critical Infrastructure Uplift Program, is a voluntary and nationwide program which focuses on hardening against attack pathways on CI assets and operational technology (OT) environments.
Incidents can be reported via ReportCyber on cyber.gov.au, or the Australian Cyber Security Hotline on 1300CYBER1, 24 hours a day, 7 days a week.
We publish alerts, technical advice, advisories and notifications on significant cyber security threats at cyber.gov.au.
Strong and strategic operational alliances between government and industry, a cycle of reporting and defending, are our best chance to protect ourselves and the nation. In the cyber threat environment we face, we cannot do this alone – cyber security is everyone’s responsibility.