Securing Australia's Critical Infrastructure
Blog Article Published: 08/24/2022
Originally published by Onapsis here.
For more than a decade, cyberattacks on critical infrastructure have been growing as core systems, like power generation and distribution, have become more complex and reliant on networks of connected devices. In fact, over the past 18 months, we’ve seen a rapid acceleration in attacks on a wide range of infrastructure targets.
Within the last financial year in Australia, a cyberattack was reported to the Australian Cyber Security Centre (ACSC) every eight minutes, with overall reporting volumes up by nearly 13% from the previous financial year. The ACSC received over 67,500 cybercrime reports, and 25% were associated with Australia's critical infrastructure or essential services.
Digital transformation that was already underway in the critical infrastructure sector accelerated during the pandemic, driving a greater merger between the formerly separate worlds of information technology (IT) and operational technology (OT). That in turn has increased the attack surface and the opportunities for unauthorized access by major threat actors, many of whom are nation-state sponsored.
Ransomware has become the most popular type of attack on the critical infrastructure sector, where disruptions can have devastating consequences. The attack on Colonial Pipeline in May 2021 that compromised its billing system caused a six-day operational shutdown that sparked widespread panic buying, hoarding, and fuel shortages across the southeastern United States.
Globally, 80% of critical infrastructure organizations experienced a ransomware attack in 2021. That has been compounded by the armed invasion of Ukraine by the Russian Federation this year: for example, 72% of cybersecurity decision-makers at UK critical national infrastructure organizations reported a rise in cyberattacks since the start of the conflict. Earlier this year, the Costa Rican government declared a state of emergency after ransomware attacks affected 27 Costa Rican institutions, impacting foreign trade and tax collection in the country.
Business-critical SAP applications running these organizations’ enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and other IT systems have become a key target for threat actors. Why? Because breaching and compromising these applications can stop or severely damage operations directly, or be used to access and take over interconnected OT assets and systems.
In response to the issue, the Australian Government has expanded and deepened cybersecurity obligations for the critical infrastructure sector. Under recent amendments to the Security of Critical Infrastructure (SOCI) Act, cybersecurity obligations now cover 11 sectors: communications, data storage or processing, financial services and markets, water and sewage, energy, health care and medical, higher education and research, food and grocery, transport, space technology, and the defense industry.
The amendments to the SOCI Act have also stipulated mandatory positive security obligations which go far deeper than ever before. That has made it imperative for any organization covered under the legislation to ensure that application layer security is not just in place; it also needs to be integrated into the organization's risk management program. The Australian Government now requires that critical infrastructure organizations have a program in place for the identification of threats, mitigation of risks, minimization of impact, and governance and oversight. They must also undertake vulnerability assessments and provide access to system information as directed.
As a cybersecurity professional for an Australian critical infrastructure organization, it’s important to assess how well the organization can demonstrate compliance with its positive security obligations for its core SAP business applications.
One issue is oversight. Business-critical SAP applications are typically maintained by a combination of in-house teams and third-party developers and service providers, and deployed across a mix of cloud, hosted and on-premises infrastructure. Critical SAP vulnerabilities are being weaponized in under 72 hours, and new unprotected SAP applications provisioned in the cloud are being discovered and compromised in less than three hours.
The two key questions are:
- Does the cybersecurity team have visibility and control on vulnerabilities and risks at the application layer?
- Do the organization’s current security providers and solutions go deep enough into the code base of these critical SAP systems?
For most organizations we talk to, the answers to both are typically ‘no’. Vulnerability identification, alerting and management often stop at the server and application layer and do not extend into the code base. The controls that may have been in place when the application was first deployed have not necessarily been maintained as the code has been developed over time. That has potentially exposed the application to hundreds of vulnerabilities. For example, during the research for our 2021 Threat Intelligence Report, over 300 successful exploitations were observed, targeting vulnerabilities specific to SAP systems.
However, in the context of the SOCI Act, the new positive security obligations require more than just visibility and oversight into the SAP code base. It is also critical that organizations both mitigate risks and minimize the impact of a breach. To do that, cybersecurity teams need to be able to assess threats and vulnerabilities according to their impact and likelihood, advise on best-practice action, and prioritize remediation. Ideally, they should also be able to introduce levels of automation to that process, which will also help to meet the Australian Government’s directives for supplying security information.
While complying with Australian legislation is important, the issue is much bigger. Critical infrastructure protection is vital to keep essential services running everywhere, and infrastructure breakdown due to a cyberattack is the number one concern for senior cyber leaders globally. It’s how we all work together and collaborate in the security ecosystem that can really make a difference.