What Is Critical Infrastructure?

Businesses of every size can be exposed to attacks from malicious actors, physical threats and internal fraud. This article explains what critical infrastructure means in a business context, why it matters in Australia, and the practical steps organisations can take to assess risk, develop action plans and engage stakeholders.

Businesses, no matter what size, are at risk of suffering attacks from malicious actors. Such attacks can lead to severe consequences for the business, affecting its critical infrastructure and leading to a shutdown of all operations.

In particular, ransomware has become one of the most significant threats currently facing businesses. By illicitly obtaining users' login details, malicious actors can access computers on a network and load ransomware, effectively shutting down operations and demanding significant payments of money to allow the business to resume operations. The business often cannot pay these amounts and, without comprehensive backups, the attack can be crippling.

Organisations need to remember that risks come not only from cyber-criminals but from physical threats as well. In addition, internal fraud can often impact a business as much as a cyber-attack, especially if the right controls and processes are not in place to mitigate these risks.

What Is Critical Infrastructure?

Critical infrastructure is a term not often used within Corporate Australia and is synonymous with essential services provided by Federal and State Governments. In fact, the definition of critical infrastructure is as follows:

Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security.

Why Is Critical Infrastructure Important to Business in Australia?

If critical infrastructure relates to essential services, how does it impact businesses in Australia?

What businesses need to consider is not what critical infrastructure is generally defined as, but rather, what that business's critical infrastructure is. That is, what are the essential operations that exist within a business which, if impacted, could cause catastrophic consequences to the business, including shutting down operations or the inability to conduct key processes such as payroll?

When viewing critical infrastructure through this lens, businesses in Australia may suddenly feel exposed and lacking effective controls and systems to:

  1. Document and understand what their critical infrastructure is;
  2. Have policies, procedures and systems in place to protect this critical infrastructure; and
  3. Test these policies, procedures and systems to ensure that if an incident does take place, the business's response to that incident is effective and can address the issue.

Being unable to answer any of the above in the positive most likely means a business is exposed or, at best, lacks an understanding of how to react if an attack on its critical infrastructure does take place.

A Case Study on Critical Infrastructure

On 5 February 2021, an attempted attack took place on a city water treatment plant in Florida, USA. According to reports, an operator at the Oldsmar water treatment plant noticed someone accessing the network for the plant from his computer. This then turned into the operator's cursor being controlled and the settings on a system being changed to increase the sodium hydroxide ratio in the city's water. Thankfully, the operator was able to reverse the changes made by the malicious actor who took control of the operator's cursor.

Reports released on the incident state that the malicious actor was able to take control of the cursor by exploiting remote access software. It was further identified that the plant was at risk due to further poor practices, including shared passwords for remote access and connecting directly to the internet without effective, or any, firewall protection installed.

One of the fundamental problems with the Oldsmar plant was that no risk assessment had been undertaken. A risk assessment could have highlighted where the key risks for the plant were and provided a roadmap to ensure that the plant's critical infrastructure was secured and that priority was given to implementing urgent controls to combat high risks.

What the attack on the treatment plant highlights is the reality faced by many businesses in Australia: while big corporates and federal government agencies have the budget and resources to spend securing critical infrastructure, smaller businesses and local government agencies often do not.

Not only does the failure to protect critical infrastructure pose a potential risk to an organisation itself, but, depending on the nature of the business and what work it does for other organisations, it could place those organisations at risk as well.

Recent Stats on Cyber-Attacks on Corporate Australia

The Office of the Australian Information Commissioner (OAIC) reported that for the period of 1 July - 31 December 2020, 539 notifications of breaches were made to it by organisations. Of these 539, 310 were as a result of malicious or criminal attacks. See the Notifiable Data Breaches Report: July-December 2020.

Further, the July 2019 - June 2020 report states that the Australian Cyber Security Centre (ACSC) responded to 2,266 cybersecurity incidents and received 59,806 cybercrime reports over the period from July 2019 to June 2020.

These statistics show that Australian organisations, and even individuals, face increasing levels of cyber-attack. In particular, the reporting data from OAIC shows that health service providers and the finance and education sectors are the top sectors by notifications for the reporting period of July - December 2020.

What Does a Business Need to Do to Protect Critical Infrastructure?

1. Acknowledge that risks exist

The first step for any organisation is to acknowledge that the organisation may be at risk and that resourcing needs to be dedicated to protecting its critical infrastructure. This acknowledgement includes understanding that the organisation may not have the maturity or internal capability to evaluate where, or what, the risks to its critical infrastructure may be.

2. Conduct a risk assessment

Once the organisation has acknowledged that it is at risk and may not be equipped to properly understand that risk, the next step is to engage someone to conduct a thorough and comprehensive risk assessment of the organisation. This risk assessment needs to consider and take into account:

3. Develop an action plan

Once a thorough assessment has been conducted, and risks appropriately rated, a viable and realistic action, or treatment, plan to mitigate key risks can be drawn up as a roadmap for the organisation to follow to protect itself. This action plan needs to holistically consider aspects such as budget constraints, which are often a major reason critical infrastructure is not protected in the first place, and the impact controls may have on the workforce, who still need to go about their business-as-usual (BAU) tasks.

4. Engage relevant stakeholders

To successfully implement controls to protect critical infrastructure, the relevant stakeholders also need to be engaged from the beginning. This will ensure that they understand what the risks may be and the potential impact or consequence of a risk materialising. It will also lead to buy-in from relevant business units that may be impacted by any controls put in place to protect critical infrastructure.

FAQ

Why does critical infrastructure matter for businesses?

Because every business has essential operations that keep it running. If those operations are disrupted by cyber-attacks, physical threats or internal fraud, the result can be serious operational and financial damage.

What is the first step in protecting critical infrastructure?

A business first needs to acknowledge that it may be at risk and dedicate resources to understanding what its critical infrastructure is and where the vulnerabilities sit.

What should happen after a risk assessment?

A realistic action plan should be developed, taking into account budget constraints, workforce impact and the controls needed to reduce the key risks identified in the assessment.