Threats to our critical assets are real: just how vulnerable are we and what should we be doing?

In 2016, a water treatment plant in the US was the victim of a sophisticated and methodical attack, in which cyber criminals remotely took control of the treatment process and threatened to poison households.

In 2017, the Triton malware attack caused a complete shutdown of an LNG plant in the Middle East. In Australia, recent reports have highlighted just how vulnerable systems that provide water to homes in Queensland are. The Australian Energy Market Operator (AEMO) is now delivering additional cyber security controls to protect the nation’s electricity infrastructure.

Ernst & Young has listed cyber attacks as the single largest threat to the world’s power and electricity companies, and Siemens has reinforced this statement by saying that 30% of all cyber attacks globally now specifically target Operational Technology (OT) systems.

These serious threats to critical infrastructure garner a lot of attention, but just how vulnerable is our day-to-day lifestyle? Are we even at risk of physical harm?

What many people do not realise is that the majority of the control systems operating critical infrastructure, not only here in Australia but also globally, were designed and installed in a time when the word ‘security’ meant locking a door or padlocking a gate. This ‘physical security’ prevented unauthorised access to operating systems and safety controls. Now, with the advent of greater communications technology, these systems are being connected to the ever-growing ‘internet of things’. These changes help deliver increased productivity and safety to an industrial environment. However, security must adapt in tandem to address the implications of these systems being online and remotely accessible.

Australia’s geographic remoteness is no longer an advantage in terms of security, as the interconnection of devices means that our critical assets are only 32 milliseconds from any computer, anywhere on the planet.

Compounding the vulnerability of these anachronistic critical systems, the attack surface for these assets is growing rapidly. The list of attackers is diverse, and cyber attacks are no longer just the hobby of ‘script kiddies’. Industrial cyber attacks are now a business for criminal syndicates and a new frontier of espionage and disruption for nation states.

The attack methods themselves are also becoming more advanced, as new malware is being designed specifically to target the OT systems responsible for the water to our taps, the gas to our hotplates and the electricity to our lights. Criminal and nation-state threat actors have a greater understanding of industrial network protocols, redundancy systems and operational procedures than ever before, nullifying the protection we once called ‘security by obscurity’.

This problem will not go away and it can no longer be ignored by organisations and government departments who operate our critical assets.

Perhaps the best course of action is a proactive one, best summed up by former Australian Prime Minister Malcolm Turnbull, who at the recent launch of the Australian Cyber Security Centre said:

“We must not and will not wait for a catastrophic cyber incident before we act to prevent future attacks.”

Sapien Cyber is here to help. Read more about our sophisticated solution developed here in Australia.