Navigating new and existing waters of cybersecurity for critical infrastructure
By Colin Garro, ANZ Country Manager, Forescout
Tuesday, 23 January, 2024
Last year’s nationwide outage from Optus, which saw millions of Australians lose mobile data temporarily, caused the government to reconsider its stance on telecommunication providers not being classified as critical infrastructure. A week later, Clare O’Neil, Home Affairs Minister, introduced new laws to recognise telecommunication providers as such, opening them up to new benefits, regulations and standards. However, arguably most important, especially given the current spate of cybercriminal activity, is the need for telcos to now follow strict rules under the Security of Critical Infrastructure Act. New regulation for telcos may require some to uplift their cybersecurity posture, but ultimately tighter regulation is necessary to protect Australia’s livelihood moving forward.
Government reaction causes telecommunication action
Critical infrastructure is defined as infrastructure providing services that are essential for everyday life, and its undoubtedly integral role in society places immense focus on its operational wellbeing. The government therefore continues to refine the standards and responsibilities placed on critical infrastructure not only internally, but through external support and initiatives, such as the Critical Infrastructure Centre, established in 2017, which aims to develop coordinated risk assessments, risk management strategies, compliance support and more.
Although telcos were not considered critical infrastructure at the time, the Optus outage served as an example of the consequences when critical infrastructure faces downtime. Following their new classification, telcos now join the essential services list along with banking and finance, government, communications, energy, food and grocery, health, transport and water. Sitting among the top priorities for these industries is cybersecurity, as critical infrastructure organisations are required each year to sign off on new or updated cyber-risk management programs and submit them to the government, or they risk facing hundreds of thousands of dollars in penalties.
Furthermore, the government’s recent announcement of its new cyber policy stated that $143.6 million will be invested in strengthening the defences of critical infrastructure organisations and improving government cybersecurity. Therefore, given the national agenda on protecting critical infrastructure, it becomes imperative that the relevant industries are taking the correct steps to uphold strong cybersecurity, especially as they face unique challenges.
More threats looking to attack
Critical infrastructure organisations walk a thinner tightrope when it comes to cybersecurity. Not only do they face harsher regulation, but the disruption caused by their breaches is far greater than that caused by a breach of a typical organisation.
Critical infrastructure companies tend to fall victim to cyber threats as they operate heavily with unprotected Internet of Things (IoT) and operational technology (OT) devices and equipment. All of this digitalisation — newly connected devices, new communication flows and data exchange — expands the attack surface for cybercriminals.
Furthermore, hacktivists are targeting critical infrastructure given the disruption an attack causes to countries and potentially political parties. Industries such as transport and banks become expected targets; however, due to the widespread use of IoT and OT equipment such as UPS, VoIP and building automation controllers, industries such as telecommunications and health care also fall victim.
It therefore becomes imperative that critical infrastructure organisations implement the right practices to meet these heightened regulations and protect against their unique challenges.
It’s critical to remain protected
As threats towards critical infrastructure continue to grow, cyber hygiene practices such as hardening connected devices, network segmentation and monitoring must be extended to encompass every device in an organisation — not only traditional IT and managed devices. Critical infrastructure organisations need to implement several strategies.
Fortify connected devices
Organisations must identify every device connected to the network and its compliance state, such as known vulnerabilities, credentials in use and open ports. Default or easily guessable credentials should be replaced with secure, unique passwords for each device, and unused services should be disabled. Vulnerabilities should also be patched immediately.
Critical infrastructure organisations need to ensure unmanaged devices are not exposed directly to the internet, with very few exceptions such as routers and firewalls. Companies can look to segment their network to isolate IT, IoT and OT devices. This limits network connections so that only management and engineering workstations, or unmanaged devices that genuinely need to communicate, are allowed through.
Organisations can implement IoT/OT-aware, DPI-capable monitoring solutions that alert on malicious indicators and behaviours. Solutions can watch internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing and unauthorised use of OT protocols. Furthermore, monitoring large data transfers will help to prevent or mitigate data exfiltration. Finally, critical infrastructure organisations should look to monitor the activity of hacktivist groups on Telegram, Twitter and other sources where attacks are planned and coordinated.
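The three strategies above (device hardening, segmentation of IT/IoT/OT zones, and monitoring for policy violations and large transfers) can be expressed as checks over an asset inventory and flow records. The following is an added example written for this article; it is not Forescout's code or any product's API. The inventory, the segmentation policy (only engineering workstations may cross into the OT zone) and the 500 MiB "large transfer" threshold are all constructed assumptions for illustration.

```python
"""Constructed example: hygiene checks over a made-up IT/IoT/OT inventory.

Not the article's or Forescout's code. Device data, zone policy and the
large-transfer threshold are assumptions chosen to illustrate the checks.
"""
from __future__ import annotations
from dataclasses import dataclass

# Credential pairs that count as default or easily guessable (assumed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("admin", "1234")}
# Services that should not be left open on unmanaged IoT/OT devices (assumed).
RISKY_SERVICES = {23: "telnet", 21: "ftp", 80: "http-admin"}
# Outbound transfers at or above this size are flagged as possible exfiltration.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024


@dataclass
class Device:
    name: str
    zone: str                  # "IT", "IoT" or "OT"
    managed: bool
    internet_exposed: bool
    credentials: tuple         # (username, password) currently configured
    open_ports: set
    patched: bool              # True if no known vulnerability is outstanding
    role: str = "endpoint"     # "endpoint", "engineering_ws" or "router"


def assess_device(d: Device) -> list[str]:
    """Return the hygiene findings for one device (empty list = compliant)."""
    findings = []
    if d.credentials in DEFAULT_CREDENTIALS:
        findings.append("default credentials")
    for port in sorted(d.open_ports & set(RISKY_SERVICES)):
        findings.append(f"unnecessary service open: {RISKY_SERVICES[port]}/{port}")
    if not d.patched:
        findings.append("known vulnerability unpatched")
    # Routers and firewalls are the accepted exceptions to internet exposure.
    if d.internet_exposed and not d.managed and d.role != "router":
        findings.append("unmanaged device exposed to the internet")
    return findings


def assess_inventory(devices: list[Device]) -> dict[str, list[str]]:
    return {d.name: assess_device(d) for d in devices}


def flow_allowed(src: Device, dst: Device) -> bool:
    """Assumed segmentation policy: traffic stays within a zone, and the OT
    zone may only be entered from, or reply to, engineering workstations."""
    if src.zone == dst.zone:
        return True
    if dst.zone == "OT":
        return src.role == "engineering_ws"
    if src.zone == "OT":
        return dst.role == "engineering_ws"
    return False  # IT <-> IoT cross-zone traffic is blocked


def review_flows(devices: list[Device], flows: list[tuple]) -> list[str]:
    """Flag cross-zone flows the policy forbids and large transfers to
    destinations outside the inventory (treated as external hosts)."""
    by_name = {d.name: d for d in devices}
    alerts = []
    for src, dst, nbytes in flows:
        s, t = by_name[src], by_name.get(dst)
        if t is None:  # destination is not an inventoried device: external
            if nbytes >= LARGE_TRANSFER_BYTES:
                alerts.append(f"{src}: large outbound transfer to {dst} ({nbytes} bytes)")
            continue
        if not flow_allowed(s, t):
            alerts.append(f"{src} ({s.zone}) -> {dst} ({t.zone}): blocked by segmentation policy")
    return alerts


# Constructed inventory and flow records (not real devices or traffic).
INVENTORY = [
    Device("hmi-01", "OT", False, False, ("admin", "admin"), {502, 23}, False),
    Device("eng-ws-01", "IT", True, False, ("jsmith", "Xq7!long-unique"), {3389}, True,
           role="engineering_ws"),
    Device("ups-lobby", "IoT", False, True, ("admin", "1234"), {80, 161}, True),
    Device("edge-router", "IT", True, True, ("netops", "R0uter-unique!"), {22}, True,
           role="router"),
]
SAMPLE_FLOWS = [
    ("eng-ws-01", "hmi-01", 20480),                   # permitted engineering access
    ("ups-lobby", "hmi-01", 4096),                    # IoT reaching into OT: blocked
    ("hmi-01", "203.0.113.10", 600 * 1024 * 1024),    # large transfer to external host
    ("ups-lobby", "203.0.113.10", 1024),              # small external transfer: no alert
]

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(f"{name}: {findings or 'compliant'}")
    for alert in review_flows(INVENTORY, SAMPLE_FLOWS):
        print("ALERT:", alert)
```

Run as a script, the inventory section shows `hmi-01` and `ups-lobby` failing several checks while the engineering workstation and the router pass, and the flow review raises two alerts: the IoT device reaching into the OT zone and the large transfer from the HMI to an external address.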
The Australian Government will continue to hold critical infrastructure to a high standard when it comes to cybersecurity, and as threats continue to evolve, industries must keep pace to avoid regulatory, financial and operational consequences. By addressing the unique challenges with specifically tailored cybersecurity solutions and practices, critical infrastructure organisations can remain protected in the future.