Businesses, no matter what size, are at risk of suffering attacks from malicious actors. Such attacks can lead to severe consequences for the business, affecting their critical infrastructure and leading to a shutdown of all operations.
In particular, ransomware has become one of the most significant threats currently facing businesses. By illicitly obtaining users' login details, malicious actors can access computers on the network and load ransomware, effectively shutting down operations and demanding a significant payment before the business is allowed to resume. These amounts are often beyond what the business can pay, and without comprehensive backups the effect can be crippling.
Organisations need to remember that risks come not only from cyber-criminals but from physical threats as well. In addition, internal fraud can often impact a business as much as a cyber-attack, especially if the right controls and processes are not in place to mitigate these risks.
What is Critical Infrastructure?
Critical Infrastructure is a term not often used within Corporate Australia and is synonymous with essential services provided by Federal and State Governments. In fact, the government’s definition of critical infrastructure is as follows:
Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.
Why is Critical Infrastructure important to business in Australia?
If critical infrastructure relates to essential services, the question is how does it impact businesses in Australia?
What businesses need to consider is not how critical infrastructure is generally defined, but rather, what that business's own critical infrastructure is. That is, what are the essential operations within the business which, if impacted, could cause catastrophic consequences for the business, including shutting down operations or the inability to conduct key processes such as payroll?
When viewing critical infrastructure through this lens, businesses in Australia may suddenly feel exposed and lacking effective controls and systems to:
- Document and understand what their critical infrastructure is;
- Have policies, procedures, and systems in place to protect this critical infrastructure; and
- Test these policies, procedures, and systems to ensure that if an incident does take place, the business's response to that incident is effective and can address the issue.
Failing to answer any of the above in the positive most likely means a business is exposed or, at best, lacks an understanding of how to react if an attack on its critical infrastructure does take place.
A case study on critical infrastructure
On 5 February 2021, an attempted attack took place on a city water treatment plant in Florida, USA. According to reports, an operator at the Oldsmar water treatment plant noticed someone accessing the plant's network from his computer. The intruder then took control of the operator's cursor and changed the settings on a system to increase the sodium hydroxide ratio in the city's water.
Thankfully, the operator was able to reverse the changes made by the malicious actor who took control of the operator’s cursor. Reports released on the incident state that the malicious actor was able to take control of the cursor by exploiting remote access software. It was further identified that the plant was at risk due to further poor practices, including shared passwords for remote access and connecting directly to the internet without effective (or any) firewall protection installed.
One of the fundamental problems with the Oldsmar plant was that no risk assessment had been undertaken. A risk assessment could have highlighted where the key risks for the plant were and provided a roadmap to ensure that the plant's critical infrastructure was secured, with priority given to implementing urgent controls to combat high risks.
What the attack on the treatment plant highlights is the very real reality faced by many businesses in Australia – while big corporates and federal government agencies have the budget and resources to spend and secure critical infrastructure, smaller businesses and local government agencies often do not.
Not only does the failure to protect critical infrastructure provide a potential risk to an organisation itself, but, depending on the nature of the business and what work it does for other organisations, it could place those organisations at risk as well.
Recent stats on cyber-attacks on corporate Australia
The Office of the Australian Information Commissioner (OAIC) reported that for the period of 1 July – 31 December 2020, 539 notifications of breaches were made to it by organisations. Of these 539, 310 were the result of malicious or criminal attacks (see the OAIC Notifiable Data Breaches Report: July–December 2020).
Further, the ACSC Annual Cyber Threat Report for July 2019 – June 2020 states that the Australian Cyber Security Centre (ACSC) responded to 2,266 cybersecurity incidents and received 59,806 cybercrime reports over that period.
These statistics show that Australian organisations (and even individuals) are facing increasing levels of cyber-attack. In particular, the OAIC reporting data shows that health service providers and the finance and education sectors are the top sectors by number of notifications (for the reporting period of July – December 2020).
What does a business need to do to protect critical infrastructure?
1. Acknowledge that risks exist
The first step for any organisation is to acknowledge that the organisation may be at risk and that resourcing needs to be dedicated to protecting its critical infrastructure. This acknowledgement includes understanding that the organisation may not have the maturity or internal capability to evaluate where or what the risks to its critical infrastructure may be.
2. Conduct risk assessment
Once the organisation has acknowledged that it is at risk and may not be equipped to properly understand that risk, the next step is to engage someone to conduct a thorough and comprehensive risk assessment of the organisation. This risk assessment needs to consider and take into account:
- What that organisation’s critical infrastructure may be;
- The physical security threats that exist to the organisation;
- What cyber-attacks the organisation may be open to and what the current controls are to mitigate these risks; and
- Where there may be a risk of internal fraud.
3. Develop an action plan
Once a thorough assessment has been conducted, and risks appropriately rated, a viable and realistic action (or treatment) plan to mitigate key risks can be drawn up as a roadmap for the organisation to follow to protect itself. This action plan needs to holistically consider aspects such as budget constraints – which are often a major hurdle and a reason critical infrastructure is not protected in the first place – and the impact controls may have on the workforce, who still need to go about their business-as-usual (BAU) tasks.
4. Engage relevant stakeholders
To successfully implement controls to protect critical infrastructure, the relevant stakeholders also need to be engaged from the beginning. This will ensure that they understand what the risks may be and the potential impact or consequence of a risk materialising. This will lead to buy-in from the business units that may be affected by any controls put in place to protect critical infrastructure.
Take action to protect your unique critical infrastructure
As referred to above, one of the first steps to protecting critical infrastructure is to conduct a thorough risk assessment that looks at the organisation in totality, taking into account risks that may exist from physical attacks, cyber-attacks and internal fraud.
This can often be a time-consuming and somewhat mammoth task. Organisations should invest in capable resources or get assistance from third parties who are trained and experienced in conducting these assessments.