Russia’s invasion of Ukraine and the resulting prolonged conflict have caused reverberations around the globe. While fighting continues across swathes of the country, increasingly intense battles are also occurring online.
Evidence is emerging that established hacking groups have taken sides with one country or the other. They are using their knowledge and skills to wage a campaign of cyber warfare designed to cause disruption and losses.
In some cases, select groups have been reported to be effectively operating as a weaponised wing of each nation’s military and being paid for their efforts. Activities are being undertaken at a scale rarely seen before in global history.
The targets for these motivated hackers tend to be the critical infrastructure of both countries. Everything from water and electricity grids to communications networks and healthcare facilities is coming under sustained attack.
As an example, the Australian Government’s Cyber and Infrastructure Security Centre (CISC) recently shared a case study detailing that in the hours before Russian military operations started in Ukraine, US satellite company Viasat, which provided satellite communication capability to Ukraine, was the target of a cyber sabotage event. Targeting the ground infrastructure, Russian-linked actors deployed ‘wiper’ malware against Viasat modems and routers, erasing the data on the devices and disrupting Ukraine’s communication capabilities.
As a result, governments and private-sector organisations on both sides are on constant alert. They understand the severe ramifications of a successful cyberattack and the flow-on impact it can have for citizens.
Different attitudes ‘down under’
When it comes to awareness of attacks by organised hacking groups in Australia, however, it tends to be a different story. While recently introduced critical infrastructure protection legislation may help to address this, there is still clearly room for improvement.
One of the key challenges faced by many organisations that run critical infrastructure is the legacy nature of their control networks. As well as core IT networks, most are also likely to have older operational technology (OT) networks that actually control the industrial infrastructure.
While they are happy to secure their IT resources, many operators are reluctant to put similar measures into their OT networks. This is often because these operational networks were designed, and are still managed, by industrial engineers who have typically been in place for a considerable number of years. In addition, because of the sensitive nature of the services OT delivers, such as nuclear power, air traffic control and broadcasting, a few seconds of delay caused by a security hop, or an outage caused by a false positive, can have a disastrous impact.
Historically, even though most of these environments were air-gapped and not connected to the public Internet, we have still seen a number of successful attacks over the years, ranging from Stuxnet in 2010, which was introduced via infected USB drives, to supply chain attacks, physical compromise and insider threats.
But now, with the advent of IT/OT convergence, whereby many organisations are unlocking digital transformation efficiencies by managing their OT networks via their IT network (or even via the Internet in some cases), the attack surface has expanded dramatically.
OT and connected systems, including corporate networks, will likely be of enduring interest to malicious cyber actors. OT can be targeted to access a corporate network and vice versa, potentially allowing malicious cyber actors to move laterally through systems to reach their target. Even when OT is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers. Adoption of Industrial IoT in critical infrastructure also leads to a growing integration of third-party inputs for information, data sharing and data analytics.
Examples of this include cyber criminals attacking US critical infrastructure targets such as drinking water utilities across multiple states, critical infrastructure assets providing power and water to US military sites, and ransomware against critical infrastructure energy targets such as Colonial Pipeline.
Tighter restrictions
In recognition of these risks, the Australian Government recently amended the Security of Critical Infrastructure Act 2018 (SOCI Act) to widen the definition of what is deemed to be critical infrastructure by including 11 new industry sectors, ranging from supermarkets to broadcasting.
Organisations that now fall within these parameters are required to meet more stringent security measures to protect their infrastructure. The new obligations include mandatory cyber incident reporting, and submission of a documented annual risk management program, signed off by the board of directors, that details the identified gaps in the organisation’s cyber posture along with mitigation strategies. And, most importantly, these entities now need to adopt and comply with a recognised cybersecurity framework such as NIST, ISO or, at the very least, maturity level one of the Essential Eight.
Those entities deemed ‘significant’ by the government will also need to establish an incident response plan and test their resilience by undertaking regular tabletop exercises and vulnerability assessments to determine their level of preparedness for an attack.
Whilst the SOCI Act brings more awareness to the threats faced by critical infrastructure, the legacy teams responsible for OT networks have traditionally been adversarial towards IT and cyber teams, for the reasons noted above. A brighter spotlight will therefore need to be shone on the risk of not taking a diligent approach to securing industrial control systems. There also needs to be ongoing IT, cyber and OT awareness education across the respective teams, so that they can start to understand each other better and deliver a more unified security posture across the organisation.
As a follow-up to the Risk Management Program (RMP), we would ideally like to see guidelines more specific to the physical operational networks, such as segmenting the networks to limit lateral movement by an attacker, minimum firmware and patch levels, and more security controls deeper in the OT network to close the exposed gaps and provide greater visibility.
From our experience of dealing with the critical infrastructure industry and with the current compliance frameworks, we feel that these entities would benefit from a cybersecurity framework tailored to critical infrastructure environments and their challenges. Think of something like a more advanced Essential Eight, with a more realistic understanding of the industrial control systems and SCADA management systems that power OT networks, along with the burgeoning Industrial Internet of Things technologies that are starting to see mainstream adoption.