Australia’s CISC delivers risk assessment to transport sector, assisting in determining critical assets

A day after the Australian Cyber and Infrastructure Security Centre (CISC) released a risk assessment advisory for critical infrastructure focused on the healthcare and medical sector, the agency has turned its focus to the country’s transport sector. The CISC’s latest risk assessment advisory can help the transport sector determine which sites and components of an asset should be considered critical, and it provides examples to help determine critical assets.

The CISC advisory focuses on the sector’s reliance on third parties, including domestic and international collaboration, distribution centers, and independent contractors. It also outlined that safety is at the center of risk, where the prevention of injury and loss of life is built into the fabric of the sector; a large dependence on skilled labor forces, as many workers have safety-critical operational responsibilities; and collaboration with external entities, which is required to maintain domestic and international supply chains for both imports and exports.

The CISC document also covers the transport sector’s high susceptibility to physical threats through acts of unlawful or operational interference; areas of public investment and economic importance to maintain and expand transportation infrastructure as the Australian population grows; and long-term infrastructure, much of which is designed to last for decades and may not always be ready to be networked.

The advisory also includes risks of heavy reliance on communications, as all areas of transportation – air, land, and sea networks – are heavily reliant on the availability and integrity of communications and navigation information. It also focuses on the susceptibility to cyber attacks launched through third-party resource providers, as cyber attacks are an increasing threat as assets are networked and reliant on OT (operational technology).

Some entities in the transport sector have security-related regulations already in place, the CISC document said. “Entities in the sector may need to consider guidance such as the Aviation Transport Security Act 2004 (ATSA), the Maritime Transport and Offshore Facilities Security Act 2003 (MTOFSA), or look to their state or territory government for regulatory frameworks and consider how they can incorporate national security-related risk into existing risk management frameworks. Entities should also refer to other CISC sector guidance for further information,” it added.

For the transport sector and critical infrastructure providers, determining which sites and components of an asset should be considered critical involves identification and analysis of how an asset and its operations may be exposed to, or harmed by, threats and/or hazards. 

“The process is vital for all-hazards risk management, providing input into the identification of plausible risk scenarios that may impact operations,” the CISC document said. “The critical sites and components of an asset are ultimately those most vital to its effective functioning and therefore integral to Australia’s national security interests. Establishing criticality is designed to provide guidance on the allocation of resources to best protect the operational capability of the asset,” it added. 

Emerging trends in the transport sector include Machinery as a service (MaaS), where a new form of transport operators such as Uber and Lyft has shifted parts of the sector to a less rigid ‘transportation on demand’ industry. The CISC document also identified diversification in methods of private transport: from personal aircraft to electricity- or hydrogen-powered vehicles to autonomous vehicles, new developments present imminent, potentially disruptive forces in personal transportation. High-speed rail offers an alternative to flying for transportation between major hubs. Drones and automated transportation have the potential to revolutionize logistics and distribution operations.

It also noted that climate change will continue to weigh on consumer minds: increased scrutiny from regulatory bodies will push transport sector providers to consider both current emissions production and the technologies that may be required to reduce it. While new technologies and more efficient processes reflect efforts to reduce the environmental impact of the sector, governments across the world are moving towards more ecologically sustainable policy standpoints and regulations.

CISC also identified green public transportation, which has increased across the states with widespread public support, as an emerging trend. These forms of transportation are usually offset or electric. Lastly, the document pointed to bicycles and human-powered transport, as these transportation modes have gained support in metropolitan areas where conventional methods are impractical. This is supported by advances in lithium batteries, allowing e-bikes to travel further than they have before.

On the emerging technology front, CISC included high-speed rail networks, as public support is increasing and the implementation of high-speed rail may decrease the use of private transportation in populated areas, driving growth in regional areas. It also said that OT has expanded the transport sector’s digital footprint, presenting a risk in areas where assets are designed for long-term use, or in areas where there has been under-investment in the security of the infrastructure. OT systems are no longer isolated and therefore a cyber attack on an internet-connected OT system, or an attack that starts in the corporate environment and crosses into the OT environment, can have direct physical consequences.

The CISC document includes data analytics, where increased methods of capturing data mean that analytics can improve the overall efficiency of transport systems, coalescing through improved inventory management, use of resources, and operational costs. Data analytics can help streamline processes when it comes to both online and offline channels. Lastly, it covers automation and robotics, which in recent years have decreased costs and requirements for employees in the workforce and have led to efficiencies in the transportation of goods and warehousing.

“A disruption within the Transport Sector could have major downstream impacts on other critical infrastructure sectors and the Australian economy. This could range from lengthy worker commutes, halts on domestic and international travel, or delays to the transportation of goods that are necessary for other sectors to function,” the document said. “For example, entities in the Healthcare and Medical Sector may rely on perishable supplies, without which human life could be threatened, to be delivered regularly. Downstream, the Australian economy and way of life are dependent on many international and domestic trade routes.” 

It added that all critical sectors depend on the transport sector for fuel, operational necessities, components for maintenance or medical supplies, and the transportation of personnel. Any disruptions to the transport sector can have widespread impacts on all critical sectors, the Australian economy, and the public’s safety and well-being. 

Both upstream and downstream services provided by the transport sector are dependent on several other crucial infrastructure sectors. Upstream, the transport sector is heavily dependent on the energy sector and the communications sector. Furthermore, aviation and supply chains are heavily reliant on the communications sector to maintain operational connectivity, and on the energy sector to maintain fuel supplies and power infrastructure.

The document assesses that physical, personnel, cyber, and supply chain threats to the sector are increasingly sophisticated and well-resourced, and the frequency and magnitude of attacks are escalating. “Additional considerations might include geopolitical tensions, pandemics, and the demonstrated potential for cybertechnologies to be used as a long-distance act of aggression by nation states or other actors.”

Threats will increase and the transport sector, driven by improvements in technology and the need to meet commercial outcomes, will become more interconnected, meaning stakeholders in the transport sector need to re-evaluate risks regularly.

“These threats and hazards will likely increase as organisations within the Transport Sector become more technologically interconnected in their daily operations for convenience and efficiency purposes, establishing additional avenues for exploitation; for example, through cyber-connected smart meters and other automated technologies, and through interconnected supply chain providers,” the CISC document said. “These dynamic considerations mean that stakeholders in the Transport Sector need to continuously reevaluate the risks from the cyber threat.”

Addressing risk controls and mitigations, the CISC document said that for a given transport sector asset, the disablement of its resources will cause downstream issues in other sectors that are potentially vast and more detrimental to other industries than the direct damages to the asset. Ongoing analysis of risks can lead to a better understanding of mitigation strategies, including their application at the source. 

“Business continuity planning, consequence management, emergency management, disaster mitigation, vulnerability assessment, insurance, and other related disciplines all provide a variety of possible actions,” according to the document. “Once controls and mitigations options have been identified by an entity, these should be continually evaluated and prioritised, particularly as threats and vectors evolve.”

Some of the criteria that can be used for the development of an implementation plan for risk controls and mitigations include ease of implementation, cost-effectiveness, whether the action creates new risks and/or unintended consequences, and environmental impacts (positive and negative). It also covers multi-objective actions, long-term and short-term results, effectiveness, direct and indirect benefits, legal, regulatory, social, and moral obligations, efficiency, equity and acceptability, and timing and duration.

The week is proving to be a busy one for the Australian government as it focuses on improving cybersecurity across critical infrastructure installations. On Monday, the government released a discussion paper seeking views on how the government can achieve its vision under the 2023-2030 Australian Cyber Security Strategy. The paper calls for recommendations as to what it should consider when developing cyber security measures to better protect and enhance collective cyber resilience, both in Australia and in the region. Interested stakeholders have until Apr. 15 to submit their views and opinions.
