Identifying blind spots: OT infrastructure vulnerability
June marked 12 months since the JBS Foods ransomware attack, an event that shut down meat plants globally including within Australia. This served as a stark reminder of the susceptibility of our mission-critical infrastructure to cybersecurity vulnerabilities, threats and potential outages — and the widespread fallout from such events.
In 2021, approximately a quarter of all cyber attacks in Australia targeted critical infrastructure and essential services. These attacks included transport, energy, education and agriculture, highlighting how attractive these industries have become to cybercriminals as interconnectivity between external networks and operational technology (OT) networks accelerates.
Why is this convergence significant? As OT intersects with external networks, the threat surface expands exponentially, creating infinitely more vulnerabilities and attack paths which can be exploited by bad actors.
If high-profile attacks such as the JBS Foods incident have taught us anything, it’s that cyber attacks on critical infrastructure not only impact the target organisation but also have implications that cascade across geographies, supply chains and economies. There are also significant impacts on the organisations themselves, including financial and reputational. Therefore, OT cybersecurity must be recognised as highly critical for gaining better visibility, security and control over critical infrastructure environments in Australia.
Here are four examples of how OT can be indirectly compromised in different sectors operating critical infrastructure.
The importance of cyber hygiene cannot be overstated
Another widely publicised incident was Colonial Pipeline, a $4.4 million ransomware attack and the largest cyber attack on an oil infrastructure target in the history of the United States. This throws a spotlight on how critical it is to maintain basic cyber hygiene.
For Colonial Pipeline, the initial attack vector was the use of a password for the account of a former employee — an account that had VPN access to the corporate network. The simple step of enabling multi-factor authentication and disabling dormant accounts would have thwarted this attack from the beginning. Such examples reinforce the need for basic cyber hygiene practices to be codified, implemented and rigorously audited in order to reduce exposure.
Renewable energy systems: cybersecurity risks in the supply chain
The energy requirements of the 21st century are rapidly growing alongside population increases. Efforts are being made to create a more intelligent and greener electricity grid — to both reflect expanding consumer needs and reduce the environmental impact of power systems.
In Australia, renewable energy is growing at a per-capita rate that is 10 times faster than the world average. It also continues to lead the world in the per-capita rollout of energy generated by solar and wind, resulting in lower greenhouse gas emissions and falling electricity prices, according to new analysis from The Australian National University (ANU).
While the benefits of green energy are well established, cybersecurity risks in the supply chain are a key concern facing the renewable energy sector. An attack on third-party infrastructure could cause epic disruptions and set off a chain reaction with widespread consequences for the entire power grid.
Airports and baggage handling systems
As part of the country’s critical infrastructure, airports are integral to the economy and impact — either directly or indirectly — the lives of all Australians. For these reasons, airports are attractive targets for cybercriminals seeking high-profile attack opportunities that will disrupt daily life, causing massive disruption and damage to Australia’s reputation.
Traditionally, airport security has focused on the physical threat from terrorists, but as the aviation industry becomes increasingly digitalised the interconnectivity of systems and dependence on technology has led to the emergence of new risks.
Baggage handling systems, for example, make compelling targets as they are the most customer-facing OT system at the airport. A malicious actor can hack into baggage handling systems to redirect bags to other flights, prevent bags from being screened for security checks, or just shut down the system altogether in order to create chaos and costly disruption.
Dams and water flow controllers: scattered devices, lesser visibility
Cities along Australia’s coastline, rivers and canals usually have intelligent flow meters installed at strategic locations to determine the rate of flow.
Attacks on water infrastructure are a very real threat to our highly developed rivers and waterways. This is especially true when the flow of water through dams and other water systems is determined by new automation technologies within industrial control systems, which amalgamate into a cloud or a data centre for information to be used for water storage and flood control.
Malicious attackers can manipulate water flow monitoring systems which would misrepresent true flow rates, causing operators to make incorrect decisions. This could result in the loss of precious water or alternatively devastating floods that cause loss of homes, crops, livestock and human life. If vulnerabilities in remote monitoring systems are not addressed, they can be used to indirectly manipulate how critical infrastructures are managed.
Best practices to protect critical infrastructure
Asset visibility: Whether it is IT or OT, the foundation of a security framework more often than not finds its inception in asset visibility. It is essential to comprehend the network layout of an environment, the systems that exist on those networks, the software that is installed, its configuration, access and the functions it performs in the organisation’s mission. Only with this level of transparency can security teams begin quantifying risk profiles, prioritising risks and developing plans of action to mitigate risks.
Structured vulnerability strategies: Well-defined Common Vulnerabilities and Exposures (CVEs) scores enable organisations to identify weaknesses in their environment, see how these critical systems are configured and know when configuration alterations occur. It is important to follow the configuration management program and have a clear process for solving identified issues through patches and configuration management programs that consider the complexity of the system and the significance of assets to the organisation. Including information on which weaknesses (vulnerabilities) are being exploited in the wild adds value to CVE scores by allowing ‘popular’ vulnerabilities to be prioritised for remediation.
Access reviews: Whether it is Active Directory trust between the corporate domain and the OT domain, or remote access for monitoring and troubleshooting purposes, external networks intersecting with critical infrastructures are already a reality. Continuous reviews of external access and the impact of that access in these environments is necessary.
OT and cybersecurity upskilling: Since the OT environment has long been isolated within a larger dynamic, the idea of protecting it is relatively new to both IT professionals and OT engineers. Cybersecurity training should be essential for OT engineers who have never before had to analyse the cyber risks that are readily present within their infrastructures. IT security teams in these organisations also need to be trained to better comprehend the differences between OT systems and IT, as well as the peculiar and distinctive obstacles associated with safeguarding critical infrastructure.
As industries increasingly reap the benefits of new and emerging technologies and the subsequent interconnectedness of IT and OT, our responsibilities as cybersecurity experts must also grow. The stakes are getting higher. It’s no longer enough to understand and mitigate potential threats to business operations, because it goes beyond protecting reputation and the bottom line — now we must consider the potential for OT threats to impact whole ecosystems, communities and lives, both near and far.
Organisations of every size across every industry have had to evolve their security practices to...
In today's business landscape, perimeter-based security is no longer sufficient.
Businesses across Australia and New Zealand continue to be targeted by cybercriminals as...