Fighting back against cyberattack

September 29, 2023

Security weaknesses and cyber ‘doors left open’, employees turned rogue, and hackers demanding ransom, all demonstrate dramatically the need for strong critical infrastructure risk management.

Examples of how vulnerabilities will be exploited were highlighted in August when ASPI and Providence Consulting Group hosted a workshop with around 30 senior executives from nine critical infrastructure sectors. The workshop was also attended by senior executive officers from the Departments of Home Affairs, Infrastructure, Transport, Regional Development, Communication and the Arts, and the Australian Security Intelligence Organisation and Australian Institute of Company Directors.

It covered the Security of Critical Infrastructure Act 2018 (SOCI Act), obligations of critical infrastructure boards and strategies for developing cost-effective critical infrastructure risk management programs (CIRMPs) in the current threat environment. CIRMPs provide assurance to regulators that the entity is taking steps to manage material risks posed by hazards to the critical infrastructure asset. The risks fall across five key hazard vectors: cyber and information, personnel, physical, natural and supply chain.

The workshop’s timing marked the initiation of the countdown towards the September 2024 deadline for owners and operators of critical infrastructure assets in Australia to report to the Department of Home Affairs or other Commonwealth regulator on the effectiveness and maturity of their risk mitigations as set out in their CIRMP. The annual CIRMP report must be approved by the entity’s board, council, or other governing body.

What does the SOCI Act mean for national security? The threats not only endanger critical infrastructure but also have far-reaching implications for national security. They can compromise the integrity, availability, and continuity of essential services, potentially impacting the safety and wellbeing of the nation. They also present significant risks to Australia’s ability to defend itself.

Some entities have well-established security programs and experience in managing risks while others, including newly classified SOCI entities, may be new to this formal process. However, all entities are dedicated to resilience and business continuity. The key question isn’t just about the cost of achieving CIRMP compliance, which can be significant for some, but rather the potential consequences of not being adequately prepared or compliant.

A litany of harm

Examples illustrate challenges encountered by SOCI entities, some of which may have had well-established risk management, security, or business continuity strategies in operation that did not protect them.

In September 2022, an unknown threat source breached Optus’ security measures by taking advantage of an Application Programming Interface (API) that had no security measures surrounding it, nor any access control policies. This situation provided an obstacle-free entryway into the company’s systems. To prevent that happening, Optus could have routinely assessed its systems and addressed critical vulnerabilities.

Stolen data, reportedly involving up to 11 million individuals, included customer names, email addresses, postal addresses, phone numbers, dates of birth, and for a portion of the affected customers, identification numbers including passport numbers, driver’s licence numbers and Medicare numbers.

Whilst Optus did not pay the $1.5 million ransom, the breach resulted in its parent company, Singtel, setting aside $140 million for customer remediation. Further, Optus faced significant costs (reportedly up to $2 billion) in investigating the incident, upgrading security systems, legal fees and compensation. The harm to the company’s reputation is incalculable.

Another example demonstrates the impact on supply lines. In 2021, a cyberattack on the 8,850km United States East Coast Colonial Pipeline, which carries gasoline and jet fuel, forced its closure for almost a week. The shutdown reduced the short-term availability of fuel and forced up prices. With no way to distribute the fuel, refiners had to reduce production. That triggered consumer ‘panic buying’, which exacerbated shortages and drove up costs further.

Within two hours of the attack, over 100GB of data was stolen. Colonial paid the hackers nearly $5 million in ransom for a decryption key. That reportedly pushed up Bitcoin ransom payments by 311% compared to 2019 to around $350 million.

The attack underscored the importance of keeping up with evolving malware and fortifying the last line of defence. Inadequate protection and neglect of system updates can lead to compromises. It also emphasizes the need to safeguard not only critical fuel assets but also related services.

The need for thorough and ongoing vetting of personnel was illustrated by the situation in which Connected Solutions Group (CSG), a company with significant NT Government contracts, found itself in 2008, when former employee David Anthony McIntosh, a computer engineer, disrupted government services at Berrimah Prison, Royal Darwin Hospital, and the Supreme Court.

McIntosh also deleted over 10,000 public servants’ records using a former coworker’s laptop and password. This disruption lasted five days, causing chaos at courts and hospitals and leading to prisoners at Berrimah jail being discharged without their belongings. Restoring the system required 130 experts and took five days and $1.25 million.

McIntosh, who received a three-year jail sentence, claimed to have a ‘high-level clearance’ for maintaining the government’s entire IT system. This case illustrates the importance of initial and ongoing suitability assessments and staying vigilant about potential threats from current and former employees with access to critical data. Limited availability of ICT personnel in certain settings raises risks associated with rehiring convicted cyber felons.

The intervention of natural hazards was demonstrated during the 2020 NSW south coast bushfires when the region’s main broadcast transmitter used by the ABC melted, causing widespread devastation and communication issues. Repairing the equipment took months and cost between $1.5 million and $2 million. The ABC’s managing director emphasized the importance of AM radio technology and the need for backup generators during disasters. Analysts have been adamant that it is crucial that future infrastructure is as resilient as possible as broadcast towers remain the weakest link during emergency broadcasts.

These case studies shed light on the challenges faced by SOCI entities, even those with established risk management, security, or business continuity strategies in place. They highlight that no entity is immune to vulnerability, emphasising the importance of vigilance and preparedness in safeguarding critical infrastructure and, by extension, national security. The continual growth and enhancement of enterprise security maturity and achieving compliance with the SOCI Act will be a critical step in ensuring national security.

This article was written by Raelene Lockhorst, the deputy director of professional development at ASPI; and Marina Maydanov, the critical infrastructure security practice lead at Providence Consulting Group. It was published by The Strategist.