
Why OT cybersecurity should be a high priority

September 9, 2021 | Published by Jeffrey Eaton

Cyberattacks on operational equipment, processes, systems, and platforms continue to rise. Hackers are targeting operational technology (OT), resulting in disorder and sometimes destruction. Many operating environments are left vulnerable because of a lack of means to detect and respond to these cyber intrusions.

You’ve likely heard about the SolarWinds and Colonial Pipeline attacks, and there are many more examples added to the list of significant breaches every day. Coupled with legacy infrastructure and rapid digitisation in this space, a significant threat looms and it is only a matter of time before the impact of an OT cybersecurity breach proves disastrous.

Beyond accessing and exploiting data, OT attacks create a level of disruption not seen before. The consequences of an OT cybersecurity breach have far-reaching implications; when the bad guys target assets that are essential for a functioning economy and society, the stakes are raised significantly.

Traditionally, cybercriminals have set their sights on Information Technology (IT) to access data and information that can be stolen and used for their continued benefit. In addition to targeting data and information, OT-focused cybercrime is also about gaining control of the software or hardware that regulates physical systems and processes within critical infrastructure. Disruptions across the platforms and systems that operate water and electricity plants, oil and gas plants, transportation systems, and mining equipment can and do affect communities, towns and cities.

What makes OT so vulnerable?

If it’s digitised, it’s a risk. Industry OT assets are evolving from legacy systems with outdated hardware and unpatched configurations to include new technologies that can leave gaps for hackers to leverage. Infrastructure sourced from multiple vendors without security considerations leaves open vulnerabilities that are notoriously hard to protect.

The complexity of OT network assets means organisations frequently struggle to gain visibility of their operations, making it even harder to detect an intrusion. IT updates and vulnerability patching can be done on the fly; this isn’t the case for OT assets, which have longer lifecycles and less flexibility than IT assets, creating security holes and increasing exposure to threats.

In the event of an IT breach, software can be turned off or isolated, but it’s not that simple to flick the switch on a critical service when availability is essential. For the organisations that provide these services, the risk of losing customers due to a breach might be high, but the cost of damage to reputation and equipment can be far more destructive to the business.

Overcoming the OT cybersecurity challenges

Proactive awareness and education are key. OT asset operators should be made aware that cybersecurity threats and risks need to be mitigated in the same way as occupational health and safety issues. In many ways, the risk of an OT breach is an occupational health and safety issue, as an attack could result in injury or even death. Placing cybersecurity on the list of formal training and education topics for employees will help ingrain knowledge and understanding. Cyberattacks on OT environments frequently begin with social engineering, such as phishing emails, so the importance of cybersecurity education in helping to mitigate and reduce the impact of a breach of digitised operational control systems cannot be overstated.

Improving collaboration between OT/IT environments

While OT/IT environments are different, they are increasingly interconnected and need to work together. Aligning security standards, processes, policies, and even teams across IT/OT serves as a more robust approach in responding to threats. Creating and sharing best practices is one thing but putting them into practice is another. Providing teams with the right tools to practice proactive cybersecurity across both IT and OT will strengthen the resilience of organisations facing these threats.

Prevention is better than cure.

Organisations with OT/IT environments need to start by understanding their assets and associated risks. Putting in place multifactor authentication, patching, malware blockers, detection software, and forensic tools will get the basics right. Following this with an OT threat and vulnerability management platform to stay ahead of evolving threats can further protect these assets, allowing intrusions to be exposed immediately. Coupled with an effective and appropriate OT/IT cybersecurity education program, organisations can achieve effective security that will help to protect their essential infrastructure from significant breaches.

Not a Wake Up Call

September 4, 2021 | Published by Jeffrey Eaton

In 2021, calling a cyber attack a wake-up call is not only wrong, it is dangerous.

It’s true that we have seen some of the most serious cyber-attacks in history in the last 18 months.

In May this year, a state of emergency was announced across the east coast of the United States, with widespread fuel shortages and panic buying after its main fuel supply line, the Colonial Pipeline, was shut down by one of the largest cyber-attacks on oil infrastructure in the country’s history.

The same month, the information systems of the world’s largest meat processing company, JBS Foods, fell victim to cyber-attacks that shut down production around the world, including in Australia, putting thousands of jobs at risk.

Also in Australia, our corporate watchdog ASIC was struck by a cyber-attack in January which left credit license applications exposed. And last year, wool sales across the nation were cancelled after the IT system underpinning auctions and exports was hit by a cyber-attack.

According to the first annual report of the Federal Government’s Cyber Security Industry Advisory Committee, released last week, the Australian Cyber Security Centre responded to 1786 cyber security incidents between 1 June 2020 and 31 May 2021. Many of these affected essential services including electricity, water, education, banking and finance, health, communications and transport. There was a 400% increase in calls to the ACSC’s 24/7 cyber hotline in May 2021 compared to May 2020.

In June 2020, Prime Minister Scott Morrison announced all levels of the Australian government, critical infrastructure and the private sector were being targeted in cyber-attacks organised by a “state-based cyber actor”.

Around the world, critical infrastructure and services including water and electricity supplies, hospitals, and transport services, are regularly compromised by cyber criminals – and these attacks will become more common.

Researchers at Cybersecurity Ventures expect global cybercrime costs to grow by 15 percent per year over the next five years, reaching $US 10.5 trillion per year by 2025, up from an already gob-smacking $US 6 trillion in 2021.

By the end of this year, it predicts the rate of ransomware attacks will reach one business every 11 seconds.

Yet awareness and preparedness among Australian businesses remains alarmingly low. Each time a serious cyber attack occurs, news headlines inevitably react with shock, describing it as a “wake-up call”.

“Hacking American beef: the relentless rise of ransomware – Cyber attack on JBS has been a wake-up call for governments and businesses to strengthen defences”

“Australian cyber attack not ‘sophisticated’ – just a wake-up call for businesses, experts say”

“The Colonial Pipeline attack should be a wake-up call for hardening our cyber defenses”

What more will it take for us to accept the threat of cyber attack is all pervasive and here to stay?

How many jobs or lives lost before we embed cybersecurity into our day-to-day operations in the same way we have incorporated other important concepts like occupational health and safety?

In particular, the danger to our critical infrastructure is very real. And we have known this for decades.

As far back as 1984, former US President Ronald Reagan directed his administration to create policies to protect the US Government’s information technology and systems after the science-fiction film ‘WarGames’ made him doubt his own government’s cyber security capabilities. After looking into his concerns, US generals confirmed the seriousness of the risk.

In recent years we’ve seen State and Federal governments commit millions to bolster Australia’s cyber security capabilities and strengthen relevant legislation. This is encouraging.

But we are vulnerable on countless fronts. It can’t just be left to the government of the day to determine Australia’s cyber security readiness.

What if criminals decided to hack into airline systems, rendering them unable to receive crucial communications mid-air? What if they shut down the ABC’s emergency response system during bushfire season? All organisations – public and private – need to seriously consider their investment in defensive and comprehensive cyber security measures.

In December last year, the ACSC launched its ‘Act Now, Stay Secure’ campaign targeting the general population and small to medium enterprises. We understand the Federal Government is developing a further campaign to raise awareness of cyber security, to be launched in 2021-22. For the sake of the Australian community, not just businesses, I hope the message gets through.

Cyber attacks are not new but the threats that accompany them are becoming increasingly dangerous. It is beyond time for us all to take responsibility for protecting our people, businesses and critical infrastructure.

With more than 20 years of experience in electronic warfare and cyber security, I have seen first hand the speed at which defensive technologies have grown and improved.

The technology is there – we just need to use it.

How to strengthen cybersecurity protections for critical infrastructure

August 18, 2021 | Published by Jeffrey Eaton

Immediately strengthen your cybersecurity protections through network assessments

If you really want to tackle cybersecurity threats, you need to understand, manage, control and mitigate the risks to your critical infrastructure. Senior leadership teams and the board are spending time defining the cybersecurity vision and plan but have fallen short of taking action. The time for talking is done. The bad guys will retain the upper hand if organisations don’t build now and remediate along the way.

Identifying and evaluating the external and internal risks for your OT assets.

You’ve got to know what cybersecurity risks you’re going to address and their degree of priority. A cybersecurity network assessment will investigate threats, vulnerabilities, impact and probability of occurrence. It’s designed to provide informed decision making and recommendations for patches and updates.

Evaluate the likely impact on areas such as data availability, integrity and confidentiality, as well as calculate the potential financial impact of suffering a cybersecurity breach. Measuring the cost of a cybersecurity hack includes financial loss from damage to equipment and hardware, as well as intangibles such as damage to brand and lost partner/supplier confidence.

The list of potential threats grows by the day, from hardware failures and interference to interception and impersonation, not forgetting the risk from natural disasters. Vulnerability identification is an essential part of the process, done through analysis, auditing, database referencing, testing and evaluation, and automated scanning platforms.
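The assessment steps above (threats, likelihood, impact on availability, integrity and confidentiality, and the financial cost of a breach) can be captured in a small risk register that ranks assets for remediation. The script below is an added illustration and is not Sapien Cyber's assessment method; the 1–5 scales, the rating bands, the use of likelihood multiplied by the worst-case CIA impact, and the annualised loss expectancy formula (ALE = single loss expectancy × annual rate of occurrence) are all assumptions chosen for the example, and the asset and threat entries are constructed sample data for a small water utility.

```python
"""Rank OT assets for remediation from a simple risk register.

Added example, not the assessment method of the original post. The
scoring scheme (1-5 scales, likelihood x worst-case CIA impact, ALE =
SLE x ARO) is an assumption for illustration.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    """One threat scenario against an asset."""
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact_c: int    # confidentiality impact, 1 .. 5
    impact_i: int    # integrity impact, 1 .. 5
    impact_a: int    # availability impact, 1 .. 5 (usually dominant for OT)
    sle: float       # single loss expectancy in dollars (equipment, downtime, recovery)
    aro: float       # annual rate of occurrence (0.1 = roughly once a decade)

    def __post_init__(self):
        # Reject out-of-range entries so a typo cannot silently skew the ranking.
        for label, value in (("likelihood", self.likelihood), ("impact_c", self.impact_c),
                             ("impact_i", self.impact_i), ("impact_a", self.impact_a)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")
        if self.sle < 0 or self.aro < 0:
            raise ValueError("sle and aro must be non-negative")

    def score(self) -> int:
        """Qualitative risk: likelihood times the worst CIA impact (max 25)."""
        return self.likelihood * max(self.impact_c, self.impact_i, self.impact_a)

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO (assumed quantitative formula)."""
        return self.sle * self.aro


@dataclass
class Asset:
    name: str
    threats: list

    def worst_score(self) -> int:
        return max(t.score() for t in self.threats)

    def total_ale(self) -> float:
        return sum(t.ale() for t in self.threats)


def rating(score: int) -> str:
    """Map a 1..25 score onto the rating bands assumed for this example."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(assets):
    """Return (name, worst score, rating, total ALE) ordered for remediation.

    Worst qualitative score decides the order; annual financial exposure
    breaks ties so that two equally rated assets are ranked by cost.
    """
    ranked = sorted(assets, key=lambda a: (a.worst_score(), a.total_ale()), reverse=True)
    return [(a.name, a.worst_score(), rating(a.worst_score()), round(a.total_ale(), 2))
            for a in ranked]


# Constructed sample register for a small water utility (illustrative values only).
SAMPLE_ASSETS = [
    Asset("pump-station PLC", [
        Threat("vendor remote-access modem left permanently enabled", 4, 2, 5, 5, 250_000, 0.5),
        Threat("storm damage to the control cabinet", 2, 1, 2, 4, 40_000, 0.2),
    ]),
    Asset("historian server", [
        Threat("operator credentials captured by phishing", 4, 4, 3, 2, 60_000, 1.0),
    ]),
    Asset("engineering workstation", [
        Threat("commodity ransomware introduced via USB media", 3, 3, 4, 4, 120_000, 0.3),
    ]),
]


if __name__ == "__main__":
    for name, score, band, ale in prioritise(SAMPLE_ASSETS):
        print(f"{name:<24} score={score:>2} ({band:<8}) annual exposure=${ale:,.0f}")
```

With the constructed values the PLC ranks first (score 20, critical, $133,000 a year), followed by the historian (16, critical) and the engineering workstation (12, high); the ordering is what drives which patches, network controls or authentication changes are tackled first.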

Questions to ask.

Ask yourself, what are your most critical infrastructure assets and what impact would a data breach or network exposure have on your operations? What business processes will be impacted? Would your organisation be able to function as expected?

Armed with this detail, you’ll be in a better position to customise your cybersecurity and protection controls aligned with your company’s degree of risk tolerance. Depending on the network assessment results, technical controls such as encryption, intrusion detection, multi-factor authentication, or even administration mechanisms could be customised to your environment.

Implement regular, ongoing assessments

Network assessments should be a recurring event to give you ongoing posture reporting. Performing cybersecurity assessments regularly will provide you with a thorough understanding of your environment and let you adjust as new threats emerge. These insights will help identify and fix cybersecurity gaps, prevent breaches, select targeted solutions and controls to mitigate risks, and prioritise assets according to value and level of risk. Ongoing assessments will also streamline cybersecurity efforts by eliminating unnecessary controls and help support any compliance measures.

You can also use the results from ongoing assessments to increase employee awareness of cybersecurity concerns. Data can inform and educate your teams on threats to your organisation, how likely they are to take place and how to mitigate them. Network assessments can improve the way your organisation communicates about cybersecurity, providing regular updates on possible breaches or a way to report suspicious activity.

Sapien Cyber network assessments can help you gain insight and protection immediately.

Critical Infrastructure 4 of 6

August 14, 2021 | Published by Jeffrey Eaton

Critical Infrastructure – Part 4

Author: Mel Griffiths

Cost and Duplication are Major Concerns from Industry

This time we are looking at the Energy and Higher Education sectors and the impact of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill). Despite assurances from Government, there are several key concerns that recur across almost all sectors impacted by the Bill, including the Energy and Higher Education sectors which we will be discussing in this post. Industry has been vocal in asserting that the Bill lacks detail in its legislative form, that Governance Rules cast too wide a net, that existing regulations already govern many areas that the Bill seeks to address, and that there is little understanding of the financial implications. Delivery of the Framework objectives without unintended impacts and business costs continues to be one of the primary messages from all areas of industry, and the Higher Education and Energy sectors are no different.

The Higher Education sector has provided a scathing assessment of the Bill and its relevance to the sector. Innovative Research Universities has gone as far as to request that universities be removed from the Bill entirely. Both Swinburne University and the Australian Technology Network of Universities (ATN) have argued that the Bill leaves too much to be developed within the rules, noting that the significant powers the Bill provides to Government are largely enacted by these rules which sit outside of the legislation. Universities Australia, the peak body for Australia’s 39 comprehensive universities, is concerned that the Bill leaves a range of very significant matters to the rules, with little guidance as to rule making and determination in the primary legislation. They have argued that the details of the legislation are more appropriately contained in the primary legislation. The Bill is seen as somewhat of a broadsword where a scalpel is required in order to mitigate the risk facing diverse industries. The Higher Education and Research sector has called for the government to further develop and refine the Bill in order to produce a statute that is more nuanced and detailed in its application, and also to consider individual level of institution risk.

The Energy sector has also called on the government for further development of details, particularly regarding the proposed intervention powers. The proposed powers would essentially allow Government to shut down, change, analyse, remove or control infrastructure and its component parts. Essential Energy has requested more clarity be provided on the circumstances under which enhanced obligations for systems of national significance would be enforced, given that operators will not be obligated to comply, but “may be required to do so from time to time”, following written notice from the Secretary of Home Affairs. Santos has likewise expressed the need for further detail as to the circumstances in which investigatory powers will be used, the potential operational impacts, and any potential consequences and penalties associated with the use of these powers.

But Aren’t We Already Doing That?

The risk of regulatory duplication within and across sectors has been identified as an issue by almost every sector. Deakin University has indicated that the Higher Education sector is already subject to significant scrutiny by the Commonwealth and sees the new measures as an unfair regulatory burden, adding to already existing compliance regimes. Many stakeholders in the Higher Education and Research sector have advised that they already have standard risk process in place through business impact analysis and disaster recovery planning. As a result, Murdoch University has questioned why universities need to be included in the Bill at all, arguing that there are already numerous existing agencies and legislation that appropriately manage the risks faced by the sector. These concerns about duplication and regulatory over-burden have been echoed by such Energy sector organisations as Ausgrid, the largest distributor of electricity on Australia’s east coast.

Like many organisations, Ausgrid are worried about the potential overlap in accountability between state and federal requirements. Essential Energy, which distributes electricity across 95 per cent of New South Wales (NSW) and parts of southern Queensland, have highlighted that they are already subject to a number of critical infrastructure obligations through conditions that were added to their Distributor’s Licence in 2019. Likewise, the National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA), the Australian Government offshore energy regulator, is of the view that oversight of offshore facility cyber security threats falls under the existing Maritime Transport and Offshore Facilities Security Act 2003 and its associated regulations. There are fears that this duplication and overlap of legislation will trickle down to the day-to-day processes of Cyber Risk Management. Ampol and Shell believe that the potential duplication of existing regulatory systems and processes will lead to duplication in the risk/hazard identification, mitigation, and assurance processes. Some have even argued that the application of irrelevant and duplicative legislation actually elevates the risk to the sector by diverting resources into “rechecking every corner and ticking boxes instead of watching the gate”.

While many sectors have pointed to these areas of legislative overlap, some have argued for making use of them to achieve the Bill’s aims, rather than applying a potentially cumbersome and expensive duplicative approach. AEMO has asserted that any changes to enhance the Commonwealth critical infrastructure regime will be most effective if they operate alongside the existing State-based legal frameworks for the energy sector. As with many other sectors, the Energy and Higher Education and Research sectors feel that if additional regulatory impositions are inevitable, more needs to be done to increase clarity around obligations and processes and to reduce any regulatory burden and cost. In order to facilitate this, many organisations have set out their expectations of the framework.

If a Job’s Worth Doing…

Ampol has been clear in their expectation that only the most significant of critical infrastructure assets will have a positive security obligation. There has been much comment from industry on this point, and many sector-specific cases highlighting the realities of what would and would not be captured under the Bill. Industry also expects more detail from Government on a range of areas that are currently characterised as vague and unhelpful in enabling organisations to plan for, and move forward with, preparations for compliance. For example, Santos, Australia’s biggest domestic gas supplier, have requested more detail on the current rules around the “on switch” for implementation of positive security obligations.

There is also concern from both the Higher Education and Energy sectors that timelines for compliance may be unrealistic or may not consider varying levels of organisational maturity. Ampol has argued for realistic compliance timelines to be provided for any new obligations, systems, or processes, while Universities Australia have requested that implementation timeframes are tailored to match the different maturity levels of the various sectors.

Many sectors are interested to know what the implications would be if blanket compliance timeframes were to be unrealistic or unachievable for a less mature organisation. Santos has noted that the civil penalties for failure to develop appropriate systems, monitor, and report, appear to be more punitive than the current legislation, and has asked for more details about Government’s approach and expectations in regard to timing for implementation.

That’s a little outside my budget

Concerns in the Energy Sector in regard to the regulatory impacts and associated costs of the new measures are being magnified by the impacts of the pandemic and negative fiscal outlooks. The Higher Education and Research sector has also called on the Government to quantify the likely additional compliance costs that the proposed changes will impose. Many operators in the Energy Sector want to ensure that costs of compliance are kept to a minimum and are concerned that a number of unknowns are making it difficult to prepare appropriately. This perception of regulatory imposition with an unknown price tag is fuelling calls for Government financial support. The Australian Institute of Petroleum (AIP) believes that if the Government has national security objectives associated with the Bill that go beyond current commercial imperatives, then government support should address any cost from these imperatives.

One of the key factors at the root of the associated costs is the lack of clear and appropriate definitions provided thus far, which most sectors have described as inadequate. Definitions frequently capture too many assets, or the wrong assets, while obligations are described as vague, and processes for the “switch on” of government intervention powers are shrouded in mystery. As Shell pointed out in their submission, without clear and agreed definitions of assets, it is impossible to assess whether the significant costs associated with the implementation of cyber security measures need to occur company-wide or only to specific assets and infrastructure.

We’re Not Critical, You Are

Definitional confusion and disagreements range from debate over which assets are critical to the nation, to confusion over what it means to be “using” an asset. For example, the University of Sydney has called for tightening the definition of a “critical infrastructure asset” owned and operated by a Higher Education provider, only to those whose compromise would truly represent a threat to the nation, while AEMO have pointed out that the terminology of an agent “using” an asset may unintentionally capture third-party systems.

Many organisations and peak bodies in both the Higher Education and Energy sectors have taken issue with the broad nature of the definitions in general, and of several specifically. The Australian Institute of Petroleum (AIP) noted that the broad nature of many asset definitions and thresholds highlights the importance of identifying only truly critical infrastructure assets. Many areas of industry are attempting to provide feedback on these definitions in order to make them clearer and more usable. For example, the Clean Energy Council (CEC), peak body for the clean energy industry in Australia, has reiterated its position on the definition of ‘critical electricity asset’ after seeing no change based on their Consultation Paper feedback. The CEC has strongly reaffirmed that the proposed electricity generation capacity threshold is currently too low and should be increased from 30MW.

The Australian Energy Market Operator (AEMO), which manages electricity and gas systems and markets across Australia, has argued that the definition of “energy sector” in the Draft Bill should also include transmission as well as distribution and supply. AEMO has also proposed changes to the new definition of “critical energy market operator asset”, arguing that AEMO should be excluded from the definition to avoid duplication of critical infrastructure responsibilities already existing in the Security of Critical Infrastructure Act 2018. The Group of Eight (Go8) has also taken issue with asset definitions, calling the proposed definition of a “critical education asset” a vague and ill-defined over-reach of the “intent and purview of the proposed reforms”. They have called for the definition to be made tighter and clearer. The definition of “significant impact” is another example which Ausgrid has raised as requiring more clarification in reference to security incidents. Shell Australia has argued that clearer definitions are required on critical cyber breaches and critical infrastructure asset data to assist asset owners in navigating reporting and sharing requirements.

What’s next?

Recounting the journey of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) thus far, we see that the initial consultation and amendments to the proposed legislative changes occurred just over one year ago in August and September 2020. Before the end of 2020, the Government had consulted for three weeks on an Exposure Draft of the Bill before introducing the Bill to Parliament on 10 December 2020. This was followed by the Parliamentary Joint Committee on Intelligence and Security commencing a review into the operation, effectiveness, and implications of the reforms. In March 2021, the Government began the co-design consultation phase for the development of the Governance Rules for the Risk Management Program aspect of the Positive Security Obligations introduced in the Bill. It is expected that the staggered co-design process will continue into 2022. In April 2021, the Government published the Draft Critical Infrastructure Asset Definition Rules and thresholds, welcoming further feedback. The remainder of 2021 and early 2022 will see the Government continue a staged sector by sector approach and work with industry to design the sector-specific requirements.

Cybersecurity Insurance: A Cautionary Tale.

August 2, 2021 | Published by Jeffrey Eaton

According to the latest statistics, a ransomware attack is likely to occur every 11 seconds, with catastrophic consequences for both organisations and broader society. With global cybercrime costs set to top US$10.5 trillion by 2025, cybersecurity insurance policies rising and reducing protection for ransomware attacks, what can organizations do to protect their systems, brand and bottom line when transference of risk and cost is no longer an option?

Ransomware attacks at the IT level are how cybercriminals gain access to locate your OT and go after your critical platforms and systems. All it takes is for an employee to unknowingly click on a malicious or phishing link. During the San Francisco water supply attack, the hacker obtained the username and password of a former employee’s account. Within minutes, the bad guys have encrypted files and are holding them hostage. The fallout of such a breach can last weeks or months. Ireland’s health service ransomware attack in May continues to disrupt critical services for doctors, nurses and patients today.

If you’re hoping to call your insurance company in the scramble following a breach, think again. Historically this may have been a safe bet to ward off harm, but that’s now changing. Insurance providers have introduced more onerous requirements to get hold of a policy and premiums are much higher. Besides these challenges, if your organisation falls victim to a breach, regardless of whether you hold insurance or not, you’ll face more scrutiny from the government and regulators regarding the ‘Why’ and ‘How’ your OT was vulnerable.

On top of everything else, did you know that simply having a cybersecurity insurance policy could make you an easy target?

The cybersecurity insurance dilemma.

It’s little surprise that ransomware attacks on organizations with cybersecurity insurance are on the rise. Hackers are seeking out those organizations that hold a policy and identify their vulnerabilities within a few clicks. Insights from recent ransomware attacks show that organisations with cybersecurity insurance are viewed as prime targets because the cyber criminal is guaranteed a ransom payment. Being covered by an insurance premium that includes a guaranteed ransom value means the bad guys will almost certainly be financially rewarded for their efforts and will continue to do so, creating a perpetual spate of cybercrime.

Speak to any cybersecurity or cybercrime expert and you’ll get an explicit recommendation against paying a ransom, as this only encourages more of the same behaviour. As they say, you don’t negotiate with terrorists and the same goes here. Increasingly, nation-states and known international groups are behind the crimes and insurance companies are flagging such attacks as terrorism or acts of war – all of which are generally not covered by cybersecurity policies.

Relying on insurance to pay your way out of an attack might help financially, but what about reputational damage, loss of sensitive data, revenue loss and impact on customers? There’s no catch-all policy to manage the significant fall-out.

Underwriting ransomware just got tougher.

Any organisation looking for cybersecurity insurance will come up against increased examination by underwriters. You’ll need to comprehensively demonstrate what you’re currently doing to protect your OT. Are you regularly testing staff against phishing attacks? What education programs do you have for your employees, what types of security patches do you have in place and how long will it take to roll them out in the case of an attack? Reviewing these questions and more is a good place to start for any cybersecurity planning process. If you get these basics done right, you can protect your business and avoid hefty insurance premiums.

Mitigate the risks by preparing and planning.

What is clear is that you shouldn’t be choosing insurance over investment in cybersecurity planning, vulnerability management and prevention.

Attacks are preventable if you can secure your infrastructure. Protecting your OT infrastructure by ramping up protocols, practices and policies will safeguard you from a breach. This, coupled with top-down knowledge and awareness programs for employees on the threats posed by malicious email attachments and phishing ploys, will provide an even more vigorous defence.

Smart City Risk

July 30, 2021 | Published by mikesITguys

Smart Cities

The rise of user-friendly ‘smart’ cities, where many services are automated, networked and online, has put Australian businesses at greater risk of cyber-attack.



Four emerging cybersecurity trends

July 26, 2021 | Published by Jeffrey Eaton

Author: Mel Griffiths

Four emerging cybersecurity trends

As new technologies, systems, platforms and operating models materialise, cybercriminals continue to make global headlines by taking advantage of any detected vulnerability. We’ve analysed five cybersecurity trends for 2021 along with some ideas on how to mitigate the impacts of such an evolving threat landscape.

1. The rise of machine and deep learning.

Sophisticated machine and deep learning technologies offer valuable insights and can reduce the need for human analysts to sift through masses of threat data. Identifying every kind of malware by hand is nearly impossible, but applying machine learning is one way to turn autonomous cybersecurity techniques to your advantage. These systems may query databases of previously detected threats and compare new samples against them to determine whether a sample is malicious.

Again, even with the advent of this technology, the cybercriminal is evolving. Attackers are also using advanced machine learning techniques to manage their attacks and deploy techniques such as data poisoning and model stealing. These sophisticated attackers are also using technologies and tools to make their hacks more effective, creating automated malware and ransomware to gain access to the increasing breadth of corporate technologies.

Looking ahead, machine and deep learning cybersecurity tools will continue to evolve, and trends show that even organisations that suffered an attack but had advanced cybersecurity technologies in place still saved millions in 2020. Unfortunately, attackers will also learn the norms of machine and deep learning techniques and build attack capabilities to counter the advanced technologies in the cybersecurity space.

2. Increased remote working arrangements and cloud computing.

Today, the shift to a hybrid workplace model has become the norm. Yet remote work and cloud computing continue to pose a cybersecurity threat. The remote working environment is appealing to threat actors because most home networks aren’t professionally managed, and companies were rushed into accommodating this new remote landscape. Many of the typical security measures may have been overlooked or sidestepped to keep operations running, creating new risks for all industries.

We have seen that organisations use VPNs to connect to corporate networks for work tasks; however, attackers have learned how to exploit VPN technologies and connections to take advantage of the implicit trust a VPN connection grants. Hence, organisations are now rethinking their remote working security by exploring a zero trust model, where every user and connection is verified before accessing any resource. This means identities, endpoints, applications, data, networks and visibility are protected by security elements such as multi-factor authentication. Again, threat actors have found weaknesses in SMS-based authentication through the phone network itself, and the trend is now to move away from SMS passcodes.

3. Attacks on critical infrastructure.

Critical infrastructure such as water, gas, transport, electricity, ports, healthcare and telecommunications is now under constant threat. Public services and privately operated infrastructure are becoming increasingly interconnected across physical and virtual environments, multiplying the attack vectors. Typically, cyber-attacks targeting critical infrastructure focus on control systems rather than on the information systems or data targeted in IT-related cyber-attacks. Disrupting the control systems within operational technology (OT), and the physically connected devices that support extensive industrial processes, is likely to cause the most devastating impact.

OT security teams are reacting to this threat by implementing updated security mechanisms that deliver automated, real-time alerting and visibility of their networks. Governments are also legislating the protection of these operational environments, as the consequences can be devastating to the communities and populations that depend on these services.

4. Social engineering attacks.

Increasingly, threat actors favour emotional tactics to gain access to systems and information. According to recent statistics, 98% of cyberattacks use social engineering ploys, with COVID-19 fuelling a rise in these incidents.

Organisations are now stepping up their measures to educate the workforce about these tactics; employee training on phishing and scareware helps staff identify malicious attempts before they cause harm. Some organisations conduct regular exercises and assessments with employees to test, learn and ultimately stop social engineering tactics from getting past the inbox. Other techniques include improving identity management strategies to combat an insecure remote workforce.

Critical Infrastructure 3 of 6

July 22, 2021. Published by Jeffrey Eaton
Critical Infrastructure – Part 3

Author: Mel Griffiths

The threat to Critical Infrastructure is increasing

Michael Pezzullo, Secretary of the Department of Home Affairs, has stated that an increase in exploitation of the vulnerabilities in critical sectors has been building over the course of the last five years and “has accelerated over the course of the global pandemic”. He has characterised the new threat landscape as soon to be reaching “global pandemic proportions”. These attacks have highlighted the extreme vulnerability of a much broader swathe of sectors critical to the Australian economy and way of life.

Sapien Cyber believes that it is the responsibility of trusted information-sharing networks to educate the community on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which is currently before Parliament. This series of articles aims to provide clarity on the impact of the Bill on the various sectors affected by the obligations and to characterise the response from industry. In this post, we discuss the Transport and Food and Grocery sectors. Submissions for comment on the Bill from organisations in these sectors, and in the sectors examined in our last post, have highlighted several common views, including a lack of specificity in the legislation, concern over costs associated with the increased regulatory burden, and overlap with existing legislation potentially creating duplication of effort and bureaucratic process.

A “lazy” approach to the Transport sector?

At the time of writing, the Australian Logistics Council (ALC) has called on the Federal Government for more time to facilitate the proper identification of which freight and logistics assets are to be made subject to the new law. ALC interim CEO Rachel Smith has criticised the threshold approach as “lazy”, and ALC members have argued that this approach is a catch-all which will fail to capture key assets, capture assets not of strategic importance, and increase regulatory burden.

The rules define a critical freight infrastructure asset as a road or rail network, or intermodal transfer facility that acts as a critical corridor for the transportation of goods between States, Territories, or regional centres. A critical freight services asset is defined as a network critical to goods transportation by road, rail, inland waters, or sea, and also as any national logistics provider with an annual revenue threshold of over $150 million. The critical freight infrastructure asset definition of “a critical corridor for the transportation of goods” is limited to road and rail in the proposed legislation, however, several critical sea corridors such as the Torres Strait fall outside of this scope.

Ports are defined as critical if they encompass land that forms part of any of the named security regulated ports, although there appears to be no intention of extending the requirements that currently exist for Australian vessels under the Bill. Maritime Industry Australia Ltd (MIAL) has highlighted that supply chain security is incomplete unless the vulnerabilities that exist because the majority of sea transport capability is performed by foreign entities are also addressed. MIAL has also argued that ships act as both pipelines and storage and are therefore captured under the critical liquid fuel asset definition, without explicit recognition of the vessels themselves.

Critical public transport assets encompass public transport networks that are managed by a single entity and have a capacity of 5 million passenger journeys per month (excluding aviation assets). V/Line, which provides public transport services to regional Victoria, has indicated that a more mature understanding of the Transport sector and its sub-sectors is required. In its submission for comment on the proposed legislation, V/Line has pointed to pre-existing issues, such as the absence of a specific transport connection to the Australian Strategy for Protecting Crowded Places from Terrorism, as contributing to the erosion of “operator confidence in the Federal Government’s ability to manage the implementation of the proposed legislation and its regulatory provisions”.

V/Line has also asserted that identifying the most appropriate regulator in this space will likely be contentious. This is evident in VicTrack’s submission for comment, which calls for examination of how existing state-based approaches to cyber incident response and infrastructure resilience might be used to meet the proposed Positive Security Obligations.

Critical aviation assets are defined as assets owned or operated by airports or aircraft operators providing a service, or by regulated air cargo agents that utilise air services. As with the other areas of the Transport sector, the aviation sector has highlighted concerns regarding the costs of the increased regulatory burden, the lack of clarity around how and when the Government assistance provisions are likely to be used, and the potential for overlap between the Bill and requirements imposed by existing legislation.

Sydney Airport’s submission in response to the proposed legislative changes notes that airports are already subject to a range of requirements stipulated under the Aviation Transport Security (Incident Reporting) Instrument 2018, and calls for “harmonisation between all legislative and regulatory underpinnings in efficiently managing security requirements”. The shift away from the existing ‘unlawful interference’ approach to the more holistic ‘all hazards’ approach will require further consideration of information sharing arrangements between industry and Government. Given the impact of the ongoing global pandemic, the aviation sector is understandably concerned that the increased security requirements will add significant cost to the industry at a time when revenue is increasingly unpredictable.

The Food and Grocery sector requires clarity on criticality

Despite the fact that Australian beef, wool and dairy supply chains have suffered cyber-attacks in the last 18 months, the Federal Government has stated that applying specific thresholds in this area of the Food and Grocery sector could create unnecessary confusion and regulatory burden, “especially when new competitors emerge in the market or unexpected market fluctuations occur”. As a result, production, agriculture, food manufacturing and packaging will not be defined as critical assets in the Bill. The Australian Food and Grocery Council (AFGC) agrees with this logic but has highlighted that food manufacturing is not explicitly exempted in the proposed legislation.

The new definitions applied to the Food and Grocery sector define critical Food and Grocery assets as networks used for the distribution or supply of food or groceries that are owned or operated by critical supermarket retailers or by food or grocery wholesalers. It is anticipated the legislation will include Woolworths Group, Coles Group, Aldi, Costco and Metcash as critical supermarket retailers, as they collectively account for over 80 per cent of market share in Australia.

The AFGC notes that the term “food and grocery” as used within the industry includes non-food grocery products, such as personal care, house care and pet care products, as well as a litany of other items. Such products occupy the same supply chains as food products. The legislation is not clear on the status of non-food grocery manufacturing and supply chains, and the AFGC has called for clarity in this area.

Confusion and cost remain significant issues

Looking at the way the Government has defined the Transport and Food and Grocery sectors, and at the submissions from industry, there appears to be a lack of clarity and understanding around inclusions and exemptions in the definitions. There is also clear concern from industry regarding the costs of increased regulatory burden, and a call for support measures. It remains to be seen how the Government will respond to these concerns; however, given their ubiquity across these and other sectors, it would be surprising if these issues remained unaddressed in at least some holistic form as the Bill makes its way through the Parliamentary process.

The role of the CFO in enterprise cyber security

July 17, 2021. Published by Jeffrey Eaton
Author: Glenn Murray, CEO – Sapien Cyber

Who is responsible for cyber security in your organization? Smart businesses know that it’s not just the IT teams who need to be investing in cyber security.

Faced with increasingly complex and severe cyber-attacks on operational technology (OT) designed by criminals who are well-organized, well-financed and willing to wait for the right opportunity to strike, businesses need everyone in leadership roles to not only acknowledge the situation, but put in place strategies to minimize risk. This includes the CFO.

The Chief Financial Officer (CFO) plays a crucial part in ensuring that the investment in cyber security matches not only the potential risks but mirrors the value and importance of the company’s infrastructure, from financial systems to operational technology networks. In some organizations this can be viewed as a cost drain. As such, investment levels tend to be far too low relative to the scale of the risk.

It is not uncommon for IT teams or their executives to be rewarded based on reduction in expenditure vs budget, breeding an alarming culture of penny pinching each year. This short-term thinking is putting organizations in jeopardy, and at risk of everything from data breaches to system hacks. A boardroom, including the CFO, that recognizes the devastating effect a cyber-attack can have, both financially and reputationally, will be better placed to protect their ‘crown jewels’ from this new age of cyber criminals.

There is an opportunity to engage the CFO in the full spectrum of cyber security and the potential mitigations, from IT to OT networks. Great CFOs don’t act as a blocker or barrier but are ready to invest in comprehensive and robust cyber security systems. Here’s how to make sure your CFO is one of them:

Make clear the opportunity cost

There is, of course, a cost to cyber security systems, but the cost to not having them is far larger. The average cost of an attack has been rising rapidly and now stands at $3.9 million, according to the annual Cost of a Data Breach Report by IBM and the Ponemon Institute, although this rises to $8.64 million in the US. This includes costs of OT systems and hardware, disruptions to critical activity resulting in down time and business lost, and fines. When put in this context, the investment in cyber security will seem minimal. Businesses that rely on insurance as mitigation may feel that they are covering the financial cost, but this does not take into account the cost of reputational damage, which can far exceed any monetary loss. Further, the insurance market is taking a tougher stance due to the rising frequency and scale of cyber-attacks. This makes it a multi-faceted challenge for finance leaders.

Think about long term sustainability

Cyber-resilience is about ensuring the continued success of an organization. Business continuity, reputation and finance are all at stake, but also the potential for injury and even loss of life. Imagine how much money would be lost if you were unable to service clients, and the reputational damage of a splash across the headlines. To continually win new business you need to be able to show you are diligent and trustworthy, and cyber security plays a big role in this. Data security is increasingly important, and customers will not want to do business with you if their own information is seen to be at risk. Similarly, vendors will harbor concerns about stability and ultimately shareholders will become worried about performance.

See cybersecurity not as an IT overhead but an OT asset

Cyber security is not just a tick-box or policy adherence exercise; it brings huge value. It’s about more than IT systems and software – it’s essential for fully functioning OT. The CFO’s remit spans the entire business, meaning they are perfectly positioned to support cyber security efforts spanning the entire estate. They are able to look at the technology and systems, and at what investment in them can bring the business from a strategic standpoint.

Improve the risk management framework

The CFO’s job is to finance things that are business critical. If the Chief Information Officer (CIO), Chief Information Security Officer (CISO) and Senior Management Team (SMT) make cybersecurity part of everyone’s role, from team members to those at the top of the organization, it ensures it is ingrained in policy and procedure. With this shared visibility and responsibility, it becomes clearer why cyber security needs financing, not just as a cost centre but as an enabler. Cyber security is about protecting the assets that are of value to your company, and so should be embedded in everything that you do. Effective governance is essential to business success.

Help them mitigate potential risks

Across the business we are constantly putting plans and procedures in place to mitigate risk. Most often this is based on potential risk rather than historic experience. Just because it hasn’t happened doesn’t mean it won’t. In fact, threats are constantly changing and cyber criminals are increasingly diversifying the strategies they use to infiltrate organizations. Most businesses have smoke alarms or defibrillators yet have never had a fire or had someone suffer a heart attack during the working week. They have this equipment installed to minimise the impact of any future disaster. The same is true of cybersecurity. CFOs should think of cyber security as part of the package a business has to mitigate risk and to keep OT fully functioning at all times so that business activity can proceed as normal. CFOs should therefore be discussing cyber-risk exposure with their CIO and CISO regularly. This ensures it doesn’t just get thought about on an annual basis but is front of mind all year round. That regular reminder of why it is so important will help ensure that it is viewed as a business-critical expense that needs to be fully backed financially.

Use their expertise

Your CFO does not have to be a cyber security expert. But their risk management skills will be essential to asking the right questions around issues such as where data is stored and who has access to it. They especially understand the risks and issues presented by protecting financial data. By ensuring that your CFO is part of the process for assessing risk, identifying assets and selecting vendors, they become part of that process of essential cyber security.

Present a united front

The CFO is a business-critical part of strategic and functional operations across the organization. Businesses fall prey to cyber-attacks when they have a weak link. We think of clients as castles, and all of the battlements need to be strong. This includes everyone from the CEO to the cleaner, and the connected systems used to make the business run. Vigilance and security are essential across the board, and the CFO is an integral part of that.

We know that cyber security is essential. In the modern working environment, more and more of us are geographically dispersed and more devices are connected to the internet. At the same time cyber criminals are getting increasingly sophisticated. Cyber security needs to be a top priority for all organizations – and all members of those organizations, including the CFO. Investment in cyber security is absolutely business-critical, and by making your CFO part of the strategic journey of cyber security you will make it easier to get that much needed sign off.