Overcoming the cybersecurity risk to Australia’s critical infrastructure
Due to their complex nature, with large teams and many contractors, critical infrastructure projects can present significant cybersecurity challenges. These have intensified as the COVID-19 pandemic progresses.
In its just-released $1.7 billion Cyber Security Strategy 2020 the Federal Government has identified the protection of critical infrastructure as a key national security concern.
A focus on cyber risk governance has become an essential consideration throughout the lifecycle of an infrastructure project and should not be an “afterthought”, professional services company GHD - responsible for the planning and design of critical infrastructure projects across several industries - has warned.
“Cyber risk governance includes keeping visibility of key digital assets, considering what security controls and architecture need to be implemented, what the roles and responsibilities need to be, compliance requirements, and how these are going to be monitored and measured as part of ongoing assurance,” GHD Digital’s Regional Director for Southern Hemisphere, Colin Dominish said.
Governance Institute of Australia asked the GHD Digital team to outline the latest cybersecurity challenges - and how organisations can tackle them effectively.
Here’s what Mr Dominish, GHD Digital’s Connected Infrastructure and Cybersecurity Lead Sunil Sharma, and GHD Digital’s Senior Cybersecurity Consultant Peter Clissold had to say:
What are some of the latest cybersecurity issues and challenges faced by organisations involved in infrastructure projects?
- Targeted attacks on smaller entities: Smaller organisations are becoming higher value targets because of their association with larger infrastructure projects. Smaller organisations typically have less advanced cybersecurity controls, resources and management systems.
- Inside knowledge and growing threats: There has been a widespread increase in threat activity involving phishing attacks, ransomware and targeted campaigns against high-value targets. Hacking-as-a-Service is on the rise, creating a new wave of targeted attacks orchestrated by novice users with insider knowledge.
- Work from home issues: A big swing from office-based work to working from home has taxed already lean Information and Communications Technology (ICT) and cybersecurity teams with the potential to exacerbate weaknesses in cybersecurity.
- Navigating cybersecurity guidelines: While there have been further policy and guidelines developed in recent years, translating the policy into effective cybersecurity activities is not a concise or simple exercise. There are many different standards, often overlapping, and coordinating an approach using the right standard for the right activities can be confusing.
Have cybersecurity challenges intensified during COVID-19?
There have been many globally recognised brands sustaining cyber-attacks during the pandemic, and some significant local examples in recent weeks with organisations like Toll Group, Regis Healthcare, and Garmin.
Many of these go unreported. The latest information from the Federal Government indicates there were nearly 450 attacks on Commonwealth-level entities last year.
What can organisations do to reduce the risk of being impacted by cyber threats?
- Devise an effective cybersecurity management system (CSMS): Having a good CSMS in place will address the majority of these challenges. Organisations should take the time to assess their cybersecurity management system and test the effectiveness of their cybersecurity controls against current threats.
- Early identification is key: Early identification of cybersecurity requirements needs to occur across all aspects of the project from design, procurement, construction, and operational phases.
- Listen to the experts: It makes sense to partner with organisations that have domain expertise to help identify, improve and manage cybersecurity. It’s impossible to do it alone. Domain experts with cybersecurity credentials can manage risks proportionately, operate safely and deliver the broadest cyber coverage.
- A focus on procurement: Procurement organisations often overlook cybersecurity requirements when negotiating contracts. By seeking organisations in the supply chain that have a good cybersecurity culture and have implemented a cybersecurity management system, procurement can reduce risk.
- The risk with contractors: Contractors can overlook cybersecurity if it is difficult to define, and competitive pressures may mean that it is not included if it is not requested. Some contractors believe they are not a target due to their small size. Contractors may represent an easier entry point into a larger organisation managing infrastructure assets. These larger organisations need to work with smaller suppliers and clearly communicate their cybersecurity requirements. By helping those smaller organisations understand the importance of cybersecurity to the project, they can reduce their overall risk. Providing a cybersecurity policy with suppliers to comply with can make a big difference.
- Insurance considerations: Cybersecurity insurance can be a good option to cover commercial risk, but read the fine print. You will still need to have your house in order, and you may not be covered for consequential damages if appropriate cybersecurity precautions are not in place. Note that many companies have collapsed due to cyber-attacks, and no insurance will cover you for the worst case.
- Find the gaps – and act on them: While most infrastructure asset operators are audited regularly for cybersecurity issues and risks, the audits seldom enforce action on identifiable gaps. Knowing which gaps present the greatest risks, and taking action on them, is imperative and yet rarely enforced.
What are the key changes in legislation/regulations that industry needs to be across?
- The Australian Government’s Cyber Security Strategy 2020 that identifies critical infrastructure as a critical focal point across government and private sectors.
- The Security of Critical Infrastructure Act 2018 is now in full effect - amendments to the Act are expected to clarify cybersecurity obligations further.
- Many organisations use a mixture of standards and guidelines to build a CSMS. IEC 62443 is now more prevalent in Australia for the security of Industrial Automation and Control Systems, relevant for plant and equipment. NIST is popularly used to establish a CSF (Cybersecurity Framework) that accommodates both Information Technology (IT) and Operational Technology (OT). ISO 27000 is an ISMS (Information Security Management System) standard primarily referenced for information-centric systems. Other government guidelines, such as the Australian Signals Directorate (ASD) Essential controls and the Information Security Manual (ISM), derive controls from the international standards mentioned above. Safety standards such as AS IEC 61511 are also being updated to include cybersecurity references.
- A new standard for securing Building Information Modelling (BIM) systems has emerged in BS EN ISO 19650-5:2020.