Foreign interference, espionage identified as principal threats in Australia’s Critical Infrastructure Risk Review

The Australian government published Tuesday its initial Critical Infrastructure Annual Risk Review addressing the dangers posed to the nation’s critical infrastructure sector. The review, developed by the Cyber and Infrastructure Security Centre (CISC), summarizes security risks concerning Australia’s critical infrastructure in the past year. It identifies foreign interference and espionage as the primary threats to Australia’s critical infrastructure. Additionally, the review highlights the increasing sophistication in targeting and exposing narrow risk mitigation efforts, as hackers persistently scan for and exploit vulnerabilities across interconnected critical infrastructure networks.

“Increasing digitalisation and implementation of new technologies are adding new entry points for cyber incidents,” the report detailed. “Over the last 12 months Australia has witnessed the reporting of cyber incidents against high-profile targets, including Australian critical infrastructure providers. Rapid advancement and implementation of new technologies can severely hamper efforts to create a uniform cyber defence, in line with lower levels of cyber literacy.”

“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty,” Hamish Hansford, deputy secretary for cyber and infrastructure security at Australia’s Department of Home Affairs, said in a media statement. “This review highlights the serious risks posed to our critical infrastructure and need for strong public private partnerships to keep pace with evolving threats.”

Hansford added that “The Australian Government through the Cyber and Infrastructure Security Centre has been working closely with industry to develop effective rules to ensure continuity of service in the event of an outage or attack on Australia’s critical infrastructure.”

Risk levels are very likely to increase during periods of heightened geopolitical tensions, the review warned. “Critical infrastructure remains an enduring target of interest for threat actors seeking to cause harm. Across different geopolitical conflicts, pre-positioning and grey zone cyber operations are used alongside conventional military activities for extensive targeting of critical infrastructure networks.”

It also identified that supply chain resiliency is a multi-faceted strategy of proactive defense and efficient response to disruption. “Australia remains vulnerable to international supply chain disruption and single source supply for critical components and services. Critical infrastructure providers need to develop adaptive supply chain resilience plans, driven by risk analysis, to withstand disruption to global supply chain networks.”

The document said that the levels of risk will shift with fluctuating threat environments, where critical infrastructure can become a legitimate conflict target, impacting the proper functioning of a sector and eroding public trust in institutions. In the Russia-Ukraine conflict, cyber operations have been used alongside conventional military activities for extensive cyber targeting of government and critical infrastructure networks. 

It also said that there is vulnerability in the convergence of operational technology (OT) and information technology (IT), and in the rollout of Internet of Things (IoT) devices. Increasing sophistication of cyber incidents, such as the lateral movement of a cyber incident between systems, can create catastrophic cascading consequences.

“OT and connected systems, including corporate networks, will likely be of enduring interest to malicious cyber actors. OT can be targeted to access a corporate network and vice versa, potentially allowing malicious cyber actors to move laterally through systems to reach their target,” according to Australia’s Annual Risk Review. “Even when OT is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers. Adoption of IoT in critical infrastructure also leads to a growing integration of third-party inputs for information, data sharing, and data analytics. Digitalisation is outpacing our cyber literacy and security practices.” 

It added that rapid advancements in technology severely hamper efforts to implement uniform protection measures to reduce the risk of cyber incidents. Critical infrastructure providers have different thresholds and practices for ensuring cyber security, which introduces a range of vulnerabilities. Good cyber security practices and secure-by-design principles can help organizations better protect their systems from cyber intrusion or improve recovery times after an event. Significant cyber incidents can also occur as a result of human error. Poorly managed corporate systems, particularly those with remote access, can provide an attractive target for extortion, disruption or espionage.

The Annual Risk Review said that pre-positioning for malicious activity in Australia’s critical infrastructure is a known but hidden risk. “The pre-positioning of malicious code in critical infrastructure networks as a preparation for future attack is an ever-present challenge for critical infrastructure providers. The capabilities underlying this threat continue to advance and potential impacts from pre-positioned malicious code retain a level of unpredictability for both the intended victim and threat actor, further complicating mitigation efforts as the full extent of this threat remains elusive.”

Interconnected critical infrastructure networks and third-party providers across supply chains expand attack surfaces for supply disruption, it added. “This includes remote access and management solutions, which are increasingly present in critical infrastructure networks. Any cyber incident targeting our critical infrastructure could have major consequences. A sustained disruption in one area of the ecosystem may cascade through other sectors, potentially leading to widespread disruptions to the operations and service delivery of key sectors.” 

As critical infrastructure operations mature, adversaries will exploit tactics including expanded cyber, human intelligence, or technical collection, to target and infiltrate, the Annual Risk Review said. “The aggregation of open-source data can be highly valuable as a supplement to collection, or to assist with intelligence targeting. This information, when combined with other intelligence collection methods, assists foreign states to gain a more holistic understanding of how Australia delivers critical services. Disruptive activities against critical infrastructure will continue putting pressure on risk management.”

The document said that misinformation and disinformation erode trust in the delivery of services. “Targeting critical infrastructure could be used as a tactic to break down confidence in the government’s ability to deliver services, or even to demonstrate foreign state power to influence public support for conflict or support of allies. The use of misinformation and disinformation is extending beyond social media, and the amplification of untruths can be difficult to mitigate and contain. Direct targeting of issue-motivated groups is also a tactic to influence human behaviour, spurning protest, activism or harmful actions.”

It also recognized that “next-generation technologies will change the way we need to assess risk. As our critical infrastructure sectors are willing to adapt new technologies into operations and service delivery, the speed of AI advancements opens opportunities for providers to implement technologies in new ways. AI and data analytics can greatly improve efficiencies; however, entities will need to store more data which will require greater levels of utility support to meet the demand. Predictive maintenance and advice by integrated AI could also be manipulated to influence operational activity and societal behaviour.”

The Annual Risk Review document added that robotics and automation bring benefits but may also create new single points of failure that can be exploited if not adequately protected. “The speed of new technology development and implementation has the potential to catch planners by surprise. It is important that risk management plans consider not just new technology but anticipate shorter timeframes for their introduction and identify potential new areas of vulnerability and impact their implementation may introduce.”

Looking ahead, the Annual Risk Review said that it is difficult to predict how new technologies will pose any new risks, particularly as they advance to the point of integration into aspects of societal and commercial life. “Commensurately, it is also very difficult to plan and build resilience. At a minimum, critical infrastructure providers and governments need to consider the potential impacts of new technologies and their implementation into existing operations, including how they will interact with extant technologies and what potential vulnerabilities they may create or exacerbate.”

Ongoing supply chain disruption, escalation in costs, and construction workforce challenges will pressure infrastructure delivery. Severe labor shortages and supply chain disruptions are causing significant delays and exorbitant cost increases for construction materials, impacting an industry already struggling with low productivity. Increasing supply chain costs, high global rates of inflation, and longer waiting times for equipment and materials result in additional burdens on delivery timeframes for Australian companies involved in large-scale infrastructure projects. While pressures on supply chains have eased slightly, Australia’s limited sovereign sustainment capabilities will continue to pressure the delivery of these large-scale infrastructure projects.

“Any change to workforce shortages in the short to medium term is unlikely. Staffing shortages across all critical infrastructure sectors are likely to worsen over the next 12-36 months, with regional services expected to be impacted most acutely,” according to the Annual Risk Review document. “Organisations continue to rely on inadequately skilled personnel, further exacerbating operational risk and personnel disgruntlement.”

Last month, Australia, the U.K., Canada, Japan, and the U.S. formed a new global coalition called Global Coalition on Telecommunications (GCOT) with the aim of enhancing coordination on telecommunications security, resilience, and innovation. These countries will use the coalition to help ensure that communications networks can remain resilient and adaptable when confronted with challenges ranging from supply chain disruption to cyber attacks, strengthening their ability to stay connected at the most critical times.
