New CISC document focuses on risk assessment advisory for communications sector

Australia’s Cyber and Infrastructure Security Centre (CISC) published its risk assessment advisory for critical infrastructure for the communications sector. The CISC document highlights that an outage affecting a critical asset in the communications sector could have substantial economic or societal implications. These impacts could be significant in severity, depending on the geographic breadth of the outage and the extent of the effect on the broader network, resulting in financial, loss of life, and/or reputational impacts ranging from financial penalties to sustained communications interruptions.

The CISC document comes in the wake of international and domestic threat landscapes continuing to evolve; the prevalence of natural hazards with longer-lasting impacts and, critical infrastructure networks continuing to be targeted globally by both state and criminal cyber actors. 

“As a result, stakeholders within Australia’s Communications Sector must adapt their risk management strategies to ensure risks to the operation of assets critical to the nation’s economic and social well-being are being appropriately captured,” the agency assessed in its latest document. Through the provision of suggested risk assessment approaches, the material aims to assist sector stakeholders to adapt existing risk practices and help organizations understand risks within the broader national critical infrastructure context. 

The advisory for the communications sector follows similar risk assessment documents for critical infrastructure across the energy sector, and the food and grocery sector. In its latest document, the CISC recommends an all-hazards approach to determining risk for critical infrastructure organizations. “All-hazards is an integrated approach to risk management, preparedness, and planning that focuses on businesses enhancing their capacities and capabilities across a full spectrum of threats and hazards to Australia’s critical infrastructure. All-hazards risk assessment considers both threats (human-induced) and natural and environmental hazards that could impact on a critical infrastructure entity and its operations,” it added. 

Some of the emerging trends in the communications sector identified in the CISC document include increased self-sufficiency, where telecommunications providers are reducing their reliance on energy providers by integrating their power generation and transmission infrastructure into their existing networks. These changes often include adding infrastructure such as solar panels, generators, and uninterruptable power supplies to meet internal needs and reduce energy-sector dependency. Rapid changes in communication needs in the shift to online working and online education that was necessitated by the COVID-19 pandemic, and long-practiced ways of working may continue to shift, necessitating further scalability planning.

The agency also said that the need to reassess cybersecurity and risk management in the 5G era. While the widespread adoption of 5G offers many benefits, it also creates new security concerns and challenges. It also covered the increasing ubiquity of online platforms with the rise of internet platforms and intermediaries are firms that provide or facilitate transactions between third parties over the internet, creating value through connecting users on a shared platform and capturing value through charging for access. The document also covered more diverse viewing patterns, as the demand for mobility and growth in the range of content is affecting Australian viewing patterns. Consumers are increasingly able to shape their own viewing experiences, choosing what, when, and where they consume media.

In its evaluation of the ‘Emerging Technology’ scene, the CISC document covers the deployment of substrate blockchain technologies, such as 4G, 5G, and the National Broadband Network (NBN), into existing infrastructure across Australia and helping other sectors and industries innovate. It also included an increasing need for high-capacity wireless communications in remote areas where technology integration and high demands for communications capacity and availability continue to increase.

Additionally, the CISC document pointed to the rising interest and increased momentum in multi-access edge computing and private cellular networks. Network operators will have to compete against other players, who may prove key partners in delivering their solutions. Lastly, the CISC document highlighted the emergence of over-the-top (OTT) services, referencing those applications and services that are accessible over the internet, without any direct influence or control from network operators or internet service providers. 

For critical infrastructure providers within the communications sector, the CISC document said that “determining which sites and components of an asset should be considered critical involves identification and analysis of how an asset and its operations may be exposed to, or harmed by, threats and/or hazards. This process is vital for all hazards risk management, providing input into the identification of plausible risk scenarios that may impact operations,” the CISC assessed. 

The document added that “the critical sites and components of an asset are ultimately those most vital to its effective functioning and therefore integral to Australia’s national security interests. Establishing criticality is designed to provide guidance on the allocation of resources to best protect the operational capability of the asset.”

Critical sites are those in which assets assigned proper functions are located, including 5G towers, DNS server rooms, or other areas based on the context of the specific asset. It is important to identify if the asset is networked, standalone, or non-networked to appreciate the level of criticality. Additionally, critical components are those required to maintain the function of the asset, or whose absence, damage, or compromise could cause significant damage to the asset. For a communications organization, critical components may include a dish antenna that is used to receive or transmit information by radio waves to or from a communication satellite or a transmitter that produces radio waves to transmit data. 

The CISA document said that an outage affecting a critical asset in the communications sector could have substantial economic or societal implications. Impacts could be significant in severity, depending on the geographic breadth of the outage and the extent of the effect on the broader network, and could result in financial, loss of life, and/or reputational impacts ranging from financial penalties to sustained communications interruptions. 

For example, outages to telecommunications systems create a tangible impact on health and safety where communications for emergency services are unavailable. It also cited that outages to broadcasting services could prevent important communication to the public during an emergency incident, such as a bushfire or flood. The compromise of a broadcasting system could also disseminate misinformation to an unwitting public as part of a campaign undertaken by a hacker.

The CISC document said that without DNS, or due to a DNS compromise, internet users may be unable to access the websites they are looking for and/or could be routed to malicious sites, or not connected at all, leading to losses in productivity or availability of government or critical infrastructure internet services. Furthermore, outages to telecommunications networks can have flow-on effects on banks processing payments for retail. 

Well-resourced nation-state actors could target undersea cables or submarine cable landing stations that connect Australia to the rest of the world, the CISC document added. Remote access to operational technology and industrial control system devices controlling critical infrastructure could be affected by an outage to communications infrastructure. Communications infrastructure providers could, as a result of any service impacts to clients, be subject to financial penalties or litigation undertaken by customers.

The CISC document said that due to interdependencies among different critical infrastructure sectors and assets, it is necessary to manage many risks collectively. Many risks may be poorly addressed because their causes or effects are still misunderstood, they are novel, or there is a lack of guidance on how to address them. “Accountabilities for addressing some risks may also be unclear. Some risks may be too rare to justify allocation of resources to mitigate them. Finally, the consequences may be too large for any entity to address by itself,” it added. 

“For a given communications sector asset, the disablement of its resources will cause issues downstream issues in other sectors that are potentially vast and more detrimental to other industries than the direct damages to the asset,” the CISC document said. “Ongoing analysis of risks can lead to a better understanding of mitigation strategies, including their application at the source. Business continuity planning, consequence management, emergency management, disaster mitigation, vulnerability assessment, insurance, and other related disciplines all provide a variety of possible actions.”

Companies in the telecommunications sector have become an attractive target for attackers, as their networks can be used as a back door to other organizations, thereby making it attractive for cybercriminals to gain unauthorized access. These telecoms networks are also used to build, control, and operate other critical infrastructure sectors, including energy, information technology, and transportation systems.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.