The rise of automated operational technology poses an increasing risk to Australia’s critical infrastructure including systems that provide food, water, energy, transport, communications and healthcare, a strategic policy think tank says.
A new report launched in Canberra on Monday says increasing connectivity via the Internet of Things has brought both “benefits and new risks that Australia is not yet prepared for”.
The Australian Strategic Policy Institute’s International Cyber Policy Centre (ICPC) identifies significant shortfalls among Australian critical national infrastructure providers, many of which are government agencies or government-owned entities.
These include a skills shortage as well as a lack of understanding of the specific risks of operational systems and the appropriate commercial solutions.
It also found a “concerning” gap in knowledge and experience on boards.
Author Rajiv Shah said while the importance of data security is generally appreciated, the risks around the emerging field of operational technology is less well understood.
“Over the next couple of years we can see a lot of significant development with the Internet of Things, 5G, and a range of new capabilities coming along that will mean we’ll start connecting these systems up and making them much more useful and valuable, but also much more liable to hacking,” he told Government News.
“We’ve seen a lot of work around cyber education, but have we done enough to really educate people about some of the basic awareness around operational technology systems? If we’re going to build a fully automated system, how do we know we can trust it, and do we think about what will happen if that system gets attacked?”
Increased pressure on providers
The ASPI report found critical national infrastructure providers are under pressure to deliver services more efficiently and at lower cost, due to market competition, technological change, reduced government funding and price regulation.
As a result, organisations have sought to automate and integrate more and more of their IT and OT systems. Stakeholders expect a rapid increase in convergence over the next two years, the report says.
“Most providers interviewed for this report expect a high degree of convergence and extensive two-way connectivity,” it says.
Shah says it’s a global problem and it’s already on our doorstep.
In 2001, a disgruntled subcontractor used remote radio access to release sewage into town water, parks and other areas in Australia.
Meanwhile, there have been attacks on Saudi Arabian industry, including a 2012 attack on the national oil company Saudi Aramco, that disabled 35,00 computers and crippled operations, as well as a breach at a Saudi petrochemical plant.
In 2015 an alleged attack by Russia breached the control systems of a Ukrainian electricity distribution company, and the Russians were also blamed for targeting US energy, nuclear and water sectors in 2018.
Keeping ahead of the curve
Australia has taken action to address critical infrastructure resilience via a strategy plan which was launched in 2015, as well as a policy statement which says that critical infrastructure underpins the functioning of Australia’s society and economy and that without these services, the nation’s social cohesion, economic prosperity and public safety are threatened.
The Critical Infrastructure Centre was also established in January 2017 with a mandate to work across all levels of government and with owners and operators to identify and manage the risks to Australia’s critical infrastructure and to manage espionage, sabotage and foreign interference.
Mr Shah says these are the right structures but they are under-resouced to do their job properly.
“What they need to be doing is getting the resources to make sure our critical infrastructure providers are aware of the issues,” he said.
“It’s really about getting ahead of the curve. The history of the internet shows that we tend to do something and then work out how to secure it later. We need to do the work now.”
Recommendations of the APSI report, Protecting critical national infrastructure in an era of IT and OT convergence:
- Boards of critical infrastructure providers need to set their cyber risk tolerance and monitor performance against it
- Better education and information including general awareness training for boards, specialist courses and enhanced information sharing
- Prioritisation of resources to ensure the appropriate organisations are able to implement required measures
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter.