How a combination of training, checklists, and technology can help critical infrastructure managers meet new obligations around managing and reporting security threats
Organisations classified as critical infrastructure are set to be subject to stringent requirements under the government’s proposed Critical Infrastructure Act, which is expected to be debated in parliament prior to the next election.
In this blog, we will review the insights from a recent Cloud Insights Series webinar hosted by industry experts from Secure Agility and Fortinet on the topic of countering cyber threats to critical infrastructure.
Andrew Sheedy, Director of Operational Technology Solutions at Fortinet, said operational technologies and IoT are increasingly coming under attack, but by following the right methodology, gatekeepers of critical infrastructure can enhance their security maturity and fend off this growing threat.
“We have experienced advancement in technology to the point where entire businesses can be run and managed in the cloud from a laptop or iPad. While that advance in technology has been substantial and has made life a lot easier, it has created different kinds of threats, particularly around cyber security,” Sheedy said.
“By using core firewalls and applications, organisations can deploy advanced technology to manage their environment and make it secure, so they know only the right people are accessing the right systems at the right times.”
Sheedy acknowledged that it’s not a simple process by any means, but rather a complex one that is multi-faceted, requiring a complex solution to combat it.
Soren Reichelt of Secure Agility, said the process of meeting the new security obligations will not be a straightforward one for many businesses, for several reasons. “A lot of Australian organisations face operational hurdles in building their preparedness to leverage IoT securely. Most have operational technologies that have been in place for 20 years or more and most organisations also have a productivity first, security second mindset, but that is slowly changing as knowledge of the security threats and their implications increases,” Reichelt said.
“Maturity levels vary considerably from one organisation to another, with some just embarking on the path to enhanced security and others several years down the track.”
New regulations for critical infrastructure providers
The Critical Infrastructure Act is looking to address security loopholes by imposing reporting obligations for critical infrastructure managers, so that there is a consistent level of security across the board.
“Most critical infrastructure, such as power and water, is now highly automated and can be monitored both internally and externally. That external monitoring by its very nature creates risk, so the Act addresses this by requiring organisations to conduct risk assessments so we can gain a better understanding of their security maturity and preparedness,” Sheedy said.
The key threats come from cyber criminals, hacktivists, disgruntled insiders and nation state attacks”, adding we have seen the latter just this week targeted at Ukrainian websites, which are thought to be perpetrated by the Russian government.
“Without having systems and processes already in place to deal with such an attack, it’s very difficult for an organisation to come out from under it.”
The Australian government has recognised that critical services, such as energy, water, food supply, education, defence, transport, and healthcare, need to be protected, so that none of these are disrupted in the event of an attack.
“If we don’t have proper systems, processes, and technologies in place, then these things are vulnerable and will remain vulnerable,” Sheedy said.
Simple checklists bring structure
Just as a pilot goes through a checklist before being cleared for take-off, from a security point of view, Sheedy believes that we need to make sure that organisations do a much better job of going through a checklist for control of people, processes, and technology to achieve a compliant status, as their risk would then be substantially reduced.
“Mandatory reporting is also important as it is designed to help organisations that have been compromised and don’t know how to deal with it. They have to report on it and seek help, and this is where Home Affairs can intervene and assist them, so they do not compromise the operations of the nation,” he said.
The panellists agreed that having a checklist also takes the guesswork out of security, and that having a very structured approach with clear controls and deliverables against those controls can help organisations achieve a level of maturity that protects them from threats emerging both locally and from around the world.
Actions: Time to comply before fines arrive
Organisations will face penalties for non-compliance, but Sheedy said it is unlikely that any fines will be handed down for at least the first 12 to 18 months, as organisations will need time to put systems and process in place to be compliant with the new requirements.
“For some organisations, that will take 12 months or more, so it is likely the government will give them some leeway to get themselves in a position to meet these new conditions,” he said.
The panellists said the three key elements for critical infrastructure organisations to address to achieve compliance with the new requirements and improve their security are:
1. Conducting a risk assessment to identify any gaps in your security.
2. Document and enable architecture and security visibility and incident detection across the network.
3. Incident response management and reporting. This includes enhancing management capability; developing IR and DR plans; and conduct scenario planning at frequent and regular intervals.
Reichelt added that a combination of training and adding the right tools will help organisations build that “human firewall” and uplift the security culture.
“Undertaking that risk assessment and choosing a framework to align to is going to really inform how organisations can meet those new mandatory requirements, with investment in the right technologies also key in achieving those outcomes,” he said.
Secure Agility and Fortinet can help you assess your exposure to the Critical Infrastructure Act and the actions to take. To book a one-on-one workshop to explore your organisations’ specific needs, click below.
View the related webinar video here.
“The key threats come from cyber criminals, hacktivists, disgruntled insiders and nation state attacks. Without having systems and processes already in place to deal with such an attack, it’s very difficult for an organisation to come out from under it,” Andrew Sheedy, Director of Operational Technology Solutions, Fortinet.
Looking for managed services for information technology? We’re here to help. Get in touch with us.