Australia’s energy crisis continues to dominate headlines, with the reliability and rising cost of power placing increasing pressure on Australian families. Unfortunately, this isn’t the only crisis facing the nation’s power supply. At 5,000 kilometres long, Australia boasts the world’s longest single electricity grid, which provides power to the majority of the country. A cyberattack has the potential to take down the entire grid, shutting down power stations and causing major hospital blackouts. The consequences could be devastating.
This is the reality of the world we are living in. Cybercriminals are growing bolder every day and are turning their sights to critical infrastructure, which includes the nation's energy supply. And the government has taken notice. It has been nearly a year since it passed the Security of Critical Infrastructure Act 2018. The Act introduced new measures to secure around 165 of the “highest-risk critical infrastructure assets” and their operators nationwide against foreign interference, such as hacking. These measures are required because critical infrastructure is a very complex and often brittle system.
More often than not, critical infrastructure operates on aging SCADA systems with very long life-cycles that weren’t designed with safety measures to protect them from the variety of vulnerabilities present today. And the number of emerging vulnerabilities increases every day. According to the National Vulnerability Database, there were 16,500 new vulnerabilities disclosed in 2018 alone.
A connectivity conundrum
A recent report by the Ponemon Institute on behalf of Tenable found that over a quarter of respondents (28%) had experienced an attack against OT infrastructure that resulted in downtime to plant and/or operational equipment in the past 24 months. In critical infrastructure, once-isolated Operational Technology (OT) systems are increasingly connected, leaving both OT and IT security teams faced with the challenge of defending an amorphous attack surface with devices from numerous vendors and multiple access points. This concern is exacerbated by the fact that many organisations lack basic visibility across their OT environment and are unable to reliably measure or manage their cyber risk.
This is supported by the same body of research, which revealed that only 29% of respondents said they have visibility into their organisation’s attack surface. This blind spot is putting tremendous pressure on security teams to identify assets and their associated vulnerabilities before they are compromised.
Lack of visibility
The increased convergence of IT/OT has expanded the attack surface and created a massive gap in an organisation’s ability to truly understand its Cyber Exposure, that is, to understand its entire cyber attack surface and manage its risk. Organisations require holistic visibility across converged environments in order to understand which vulnerabilities pose the greatest risk to the business.
Passive monitoring capabilities enable security teams to safely monitor OT environments without impacting sensitive systems, meaning the risk of downtime is minimal. Once all security teams have visibility into both the IT and OT assets in their purview, it’s crucial to focus on proactively prioritising the threats which pose the greatest risk. This will close the Cyber Exposure gap over time whilst reducing the level of cyber risk and enabling the secure continuation of critical services.
Rising geopolitical tensions and an expanding attack surface have left governments and organisations vulnerable to targeted attacks on critical infrastructure, such as the nation's power supply. As threat actors become more sophisticated, CISOs and their teams need a complete and reliable view of the entire modern computing environment so they can take a proactive approach to managing the security challenges of today and tomorrow. They should seek to implement security practices such as passive monitoring and the prioritisation of threats in order to better manage, measure and reduce their cyber risk across the entire IT/OT attack surface.