Critical infrastructure sectors more exposed to attacks
Critical infrastructure and essential services industries have been in the spotlight for the past two years. As a result, Australia has made great strides in addressing threats to vital elements of our economy and society.
Following changes to the Critical Infrastructure Security Act 2018 (SOCI), which came into force on July 8, many more Australian businesses are now subject to strict requirements to report cyber incidents within 12 hours. In addition, in April 2022 the Security (Critical Infrastructure Protection) Amendment Act 2022 introduced a new requirement for responsible entities to establish and maintain a critical infrastructure risk management programme.
However, a global report by security vendor Thales, Cyber Threats to Critical Infrastructure 2022, found that critical infrastructure industries around the world still face major challenges and gaps in their approach to protection and risk management.
A lack of protection around cloud-hosted data and applications, combined with an increase in the scope and severity of attacks over the past 24 months, has raised the threat level from hacktivists and nation-state actors. Security approaches that are no longer aligned with today’s changing threat landscape now put nations, organizations and people at risk.
“Previously, few viewed Australia as a major global defense player, posing minimal threat to other countries’ strategic interests,” said Brian Grant, A/NZ Director of Thales Cloud Security.
“That has changed significantly over the past two years with Australia joining the security compacts, AUKUS and The Quadrilateral Security Dialogue, putting us firmly in the democratic bloc,” he says.
“As a result, we have become a target. We are now more exposed than ever to attacks on our society.”
Grant says attacks on critical infrastructure and essential services aren’t always financially motivated.
“Malicious actors often want to significantly damage things or cause physical harm to people,” he says.
“The reality, then, is that many businesses may have already been attacked without knowing it. Once malicious actors have compromised their target, they often remain hidden under the radar, ready for an economic, geopolitical or financial event before they ‘tackle’.”
Grant says the pandemic has reshaped and expanded what Australians view as critical.
“Retailers and logistics service providers have proven to be just as vital as utility companies and telecom operators. Today, many industries and organizations that never had to worry about government regulations must comply with strict requirements,” he says.
“Those recently added to the hotlist are those who struggle because there is not yet a standardized or consistent approach to critical infrastructure cybersecurity within their industry.
“In Australia, we are seeing healthcare remain a very attractive target for attack,” says Grant.
“In some ways, healthcare organizations are increasingly impacted because they’re diverse. They use many different vendors and don’t have an industry-wide approach to cyber protection like you find in public services for example.
“Often, healthcare organizations only consider certain items, such as medical devices, as critical when implementing cyber protection,” he says.
“What they need to do is look at the full picture, including patient data and supply chains, which are equally critical to enabling their organization to function.”
Grant says SOCI isn’t about compliance; it’s about linking the role of cybersecurity to critical services and supply chains and ensuring cybersecurity is part of security practices across the spectrum of critical infrastructure.
According to Grant, organizations that operate in critical infrastructure sectors must do six things to increase levels of protection:
1. Assess what is really important for the sustainable functionality of the organization
2. Map this across physical and digital assets within the organization to uncover critical elements that need to be protected
3. Treat the evaluation of critical elements as an instinctive and integrated process. Assets and data are continually changing, so one-time audits quickly become obsolete
4. Apply security as soon as critical data or infrastructure is identified; don’t wait
5. Protect sensitive data and infrastructure at rest, in motion, and in use, rendering it useless if accessed by an unauthorized person
6. Control access with multi-factor authentication and centralized key management in on-premises and hybrid cloud environments
“The key takeaway is that securing the edge is no longer a sufficient approach to minimizing the impact of attacks on critical infrastructure,” Grant said.
“The CEO’s laptop may be important to him, but it’s unlikely to be critical to the continued functionality of the business.
“Organizations need to ensure that they protect their vital assets and data to avoid significant financial damage, job loss or even loss of life.”
More than 2,700 respondents from critical infrastructure organizations and other critical/essential service sectors globally, including manufacturing, healthcare, financial services and government, were surveyed for the report.
The report found that 44% of respondents reported an increase in the volume, severity and/or scope of cyberattacks over the past 12 months. More than a third (39%) of respondents had experienced a security breach in the last 12 months, 6% higher than the average. Additionally, only 28% said they can fully classify their data, and only 49% believe they can classify at least half of their data.
Security concerns regarding quantum computing continue to grow; only 2% of respondents are not concerned about quantum risks. Top concerns include future decryption of current data (52%), network decryption risk (56%), blockchain attack risk (49%), and key distribution (46%).
Respondents were asked to identify the targets of the attacks that most affected them; cloud-based storage, cloud databases, and cloud-hosted applications were the top three.
A majority said they have more than 40% of workloads and data in the cloud; 54% said more than 60% of their cloud data is sensitive. Most respondents also indicated that they had more than one cloud provider (IaaS), leading to potential issues with the complexity of securing multiple cloud environments.
Respondents prioritized accidental incidents (human error), hacktivists, cybercriminals and state actors as their top four threats. Remote work has also increased the risk to critical infrastructure: more than three-quarters (79%) of respondents were very or somewhat concerned about security risks and threats from employees working remotely.
Across all critical infrastructure organizations, 55% of respondents ranked malware as the top source of increased security attacks, followed closely by ransomware (53%).
Transportation companies reported higher than average malware increases (65%) and lower ransomware cases (45%), while trucking and shipping reported significantly less malware (32%) but much higher ransomware incidents (64%).
The report indicates that criminals have realized that successful attacks against high-profile critical infrastructure organizations have a higher probability of reporting. Ransomware has changed the breach economy. Given the mature and regulated nature of these industries, respondents showed a greater aversion to the hard, tangible costs of ransomware than to its softer, intangible ones. Nearly a quarter (24%) of respondents ranked financial losses, such as lost sales or penalties from lawsuits and legal costs, as the biggest impact of a successful ransomware attack, while 19% cited lost productivity and 17% cited recovery costs.
The study also showed insufficient preparedness for ransomware. The power of ransomware comes from its immediate seizure of critical data and systems, which demands a rapid and rehearsed response plan. Yet only 45% of respondents have a formal ransomware plan.
Additionally, only 51% of critical infrastructure organizations reported using MFA.
The willingness of critical industry respondents to pay a ransom was 20%; companies may not have a good understanding of the roles of all parties involved, such as cyber insurance underwriters, incident response companies, government regulators, and ransomware attribution.
Responses indicated a curious disconnect between encryption selection and key management: when asked to select the technologies protecting data in the cloud, 62% chose encryption, while only 51% selected key management. This discrepancy is likely due to organizations not knowing how their keys are managed, says Thales.
It is essential to focus on key management rather than just deploying encryption to tick a box, as poor key management can lead to vulnerabilities and successful attacks. Encryption is only as good as the keys used and how they are managed.
Critical infrastructure organizations typically have highly distributed infrastructures that include warehouses, shipping ports, power lines, trucks, transmission sites, and rail assets. Adopting zero-trust principles can be a key strategy in ensuring least-privilege access to highly distributed, high-value data and assets.
Only 30% of respondents have a formal Zero Trust strategy and have actively adopted Zero Trust policies, while 26% have a Zero Trust strategy in the planning and research phases and 22% have no formal Zero Trust strategy.