Five Steps to Protect National Infrastructure

By Pierre Tagle, Head of GRC Consulting ANZ & SEA, Secureworks

One only has to look at past events to know that nation-state hacking has become an increasing concern for governments worldwide. In 2018, hackers from Iran and China targeted universities and the Lowy Institute in Australia to steal intellectual property and information.

In 2015, Ukraine’s power grid was compromised by the BlackEnergy Trojan, which targeted the IT infrastructure of three energy distribution companies and temporarily cut the supply to consumers for several hours. In 2017, Britain’s National Health Service was held hostage by WannaCry ransomware, and NotPetya hit energy and transport organisations in Europe and the United States.

In most of these cases the attackers, methods used, and motives were different. Attackers may target either IT or operational technology environments, but in nearly every case the attacks caused considerable and costly disruption. Many of these systems have processes that are not connected online and are designed to act as fail-safes to prevent disaster scenarios. Nonetheless, disruption occurs, and the consequences can be costly, inconvenient and highly damaging.

Research suggests the energy, utilities and manufacturing sectors could do more to improve security by employing more security staff, spending more on security measures such as continuous risk assessment solutions, and implementing advanced endpoint security measures.

Tackling the problem
Many governments are aware of the dangers that attacks on national critical infrastructure, be it food supply, water, financial services, energy or government, can pose. In 2016, the Australian Federal Government launched its cyber security strategy in recognition that Australia’s interests in a digital age must be protected.

Governments are also translating their security strategies to align with regulatory requirements. In relation to national infrastructure, the Security of Critical Infrastructure Act 2018 requires organisations operating Australia’s electricity, water, gas and port infrastructure to inform the government about their IT environments. The legislation also gives the government the power to force organisations to fix any potential vulnerabilities and bring them in line with government security expectations.

The harsh reality of the digital world is that it is impossible for critical infrastructure organisations to eliminate cyber risk entirely. Businesses need to grow and innovate by adopting new technologies, expanding into new markets or carrying out mergers and acquisitions. However, organisations operating national critical infrastructure must ensure they are managing their cyber risk well. With these five tips, organisations in the critical infrastructure sector can improve their security and avoid a national catastrophe.

1) Map critical processes
The first key step for any organisation in this sector to improve its security is to understand and map its critical processes and data, and the architecture of its systems. This gives the organisation a complete understanding of where vulnerabilities may lie and how threat actors might target critical systems.

2) Adopt security frameworks
Once organisations have developed a basic understanding of potential exposure, they can bring the right people (and skillsets), processes and technologies together to build a successful program. By following government security frameworks and other popular frameworks like the Australian Cyber Security Centre’s Essential Eight framework, an organisation will have a benchmark against which to assess its security capabilities on an ongoing basis. Organisations should also prepare for a cybersecurity incident by having incident response plans in place and investing in the right people to ensure that the plans can be put into action.

3) Share information
One of the Australian Government’s goals in establishing its cyber security strategy was creating a national partnership that encouraged the sharing of security information. Sharing information about threats and attacks is particularly important to reduce risk for everyone in the industry and stop attacks before they spread. The whole industry is potentially impacted if one organisation succumbs to a major attack.

4) Take employees back to school
Educating people within the organisation and external business partners about cybersecurity hygiene is vital. Many of these events started with someone opening a malicious email attachment or clicking a malicious link in an email. And let's not forget business partners and other third parties – the risks of the supply chain are extreme. 

5) Monitor
Security teams in organisations must continuously monitor and manage IT systems and ensure that the right prediction, prevention, detection and response controls are in place, especially as they increasingly operate in the new world of the Industrial Internet.

The threats to critical infrastructure are not going away any time soon. Governments worldwide are actively promoting a culture of improved security for relevant organisations, and there are steps that organisations should take to protect themselves according to the risk they face. Especially in the critical infrastructure industry, organisations should not hesitate to reach out and take advantage of the support available to protect effectively against threats.