Internet-connected devices have become an important part of Australia’s critical infrastructure, but they have also created a new problem, writes Giuseppe Porcelli.
They provide an opportunity to improve efficiencies across the network, allowing governments and infrastructure providers to automate data-led processes and decisions.
But the have also created new interconnected and interdependent networks that have disrupted historic security procedures and created a need for a standard-based approach to protecting Australia’s national interests.
‘Castle and moat’ approach no longer works
Historically, critical infrastructure providers designed their systems to be reliant on network isolation as a protection from security threats, creating a ‘castle and moat’ approach to preventing threat actors from gaining access with static firewalls placed at choke points.
But the new decentralised environment moves isolated environments to open connected systems that communicate over the internet, creating a patchwork of manufacturers, service providers, software, components and application developers that require access to our critical infrastructure systems.
This interconnected network creates a threat environment that is both broad and deep and requires careful consideration of how to protect every access point from unauthorised access.
Threat to infrastructure network
While security is a concern for many businesses supplying the Australian critical infrastructure ecosystem, it does not mean they operate with Australia’s interests in mind. While some will provide the appropriate security processes, others will prioritise speed to market or other benefits to their business over security protection.
This lack of security on the device and its need for connectivity allows threat actors to hack the device to gain access to the wider critical infrastructure network.
One such example is Australia’s emerging renewable energy market. Solar power is decentralising the energy market, enabling Australians to purchase their panels to generate their electricity and connect excess power back into the grid.
The problem is, there isn’t an overarching standard for security applied to the systems available to buy and install. Approval of suppliers and their panels is limited to their technical, material and electrical compliance, with no regard to the security and management of the data these devices produce.
This leads to Australians choosing their renewable energy suppliers based on price and quality, without any consideration for security.
The lack of standards is causing some consumers to choose solar panels and inverters that are sequestering data off Australian shores. While one person’s solar usage may seem harmless, when you have the data of a large community, international threat actors could have access to critical information such as surges of energy use.
Because of this, governments around the world are implementing IoT-led policies and standards. Even the Australian Government has an IoT voluntary code of practice. But is this enough? Will vendors voluntarily adhere to the code or will they put shareholder returns ahead of regulation?
The UK certainly didn’t think so and is now moving to mandate similar security features for IoT devices, with the UK’s Digital Infrastructure Minister Matt Warman stating: “Change has not been swift enough”.
Creating a mandatory critical infrastructure standard
Australia should not rely on voluntary codes either. We should require compliance with high security standards. Standards which Australian critical infrastructure providers, its third-party ecosystem and even consumer devices must meet.
These standards should authenticate anything that requires access or connectivity in a critical infrastructure context.
The government could look to implement this standard similar to the Electrical Equipment Safety Scheme whereby any software, device or application must comply with the standard before being able to be embedded in Australia’s critical infrastructure or within consumers’ homes.
Other examples include Telstra, the Australasian Furnishing Research & Development Institute, Marine Steward Council and even Instagram’s ‘blue tick’ of approval.
Risk levels could be determined based on what authentication is required within the network. For instance, if a sensor requires access to the SCADAmaster, then it would need to conform to higher requirements compared to an application that requires access to a non-sensitive database.
A peak body could authenticate and record entities in a critical infrastructure systems and devices safety registry, managing authentication against the standard regularly and ensuring those requiring connectivity maintain a high minimum-security standard within critical infrastructure.
Creating a critical infrastructure standard will ensure all ecosystem members build security into their solutions that could potentially compromise critical infrastructure operating systems. It means only authorised, and more trusted entities could gain access to critical devices and communicate within the network.
Giuseppe Porcelli is CEO at Lakeba Group
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter