Just over a year ago, a cyber criminal syndicate carried out a massive ransomware attack against a large U.S. oil distribution network, disrupting fuel supplies and triggering panic buying and widespread gasoline shortages. Soon afterward, a large ransomware group attacked a major meat producer, forcing the company to shut down plants in several countries, and impacting food supplies and prices.
While these were far from the first attacks on critical infrastructure systems, they emphasized the growing threat. Governments around the world sprang into action to strengthen critical infrastructure resilience and information sharing – with Australia in particular taking several significant steps.
Australia’s Steps to Strengthen Critical Infrastructure
As these major ransomware attacks unfolded in 2021, the Australian government was pushing for critical infrastructure reforms – from expanding the definition of “critical infrastructure” from four to 11 sectors, to mandating incident reporting and providing government assistance for incident response efforts.
Australian leaders pointed to the U.S. attacks to highlight the urgency in keeping pace with the evolving threat landscape, and in December 2021, the Security Legislation Amendment (Critical Infrastructure) Act 2021 was passed. Several months later, Australia joined the United States, Canada, New Zealand and the United Kingdom in issuing a joint cybersecurity advisory, signaling readiness to tackle issues such as “destructive malware, ransomware, DDoS attacks and cyber espionage” and providing collaborative mitigation strategies. These recommendations included guidance on securing credentials – today’s No. 1 area of risk – and following Zero Trust principles such as least privilege and just-in-time access to protect against evolving cyber threats.
In the country’s latest effort to bolster critical infrastructure protections, Australia’s new Prime Minister Anthony Albanese recently appointed Clare O’Neil as minister of cybersecurity, marking the first time cybersecurity has had a dedicated position in the Australian cabinet.
An Expanding Attack Surface
Australia’s efforts come at a critical moment. According to the Australian Cyber Security Centre (ACSC), approximately one quarter of cyber incidents reported between July 2020 and June 2021 were associated with Australia’s critical infrastructure or essential services. ACSC officials write, “Significant targeting, both domestically and globally, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life.” The ACSC also saw a 15% spike in ransomware during that same period, noting that ransomware “poses one of the most significant threats to Australian organizations.”
Meanwhile, a confluence of technology trends continues to expand the threat landscape, opening new avenues for critical infrastructure attackers to steal information, disrupt systems and, increasingly, threaten human safety:
IT/OT Network Convergence: To reduce expenses, simplify operations and support industrial IoT (IIoT) initiatives, many information technology (IT) and operational technology (OT) networks are converging. However, this eliminates the “air gap” that once separated these two environments, providing a pathway for external threat actors to gain access to industrial control systems.
Push to Standards-Based OT: Industrial control systems were once based on proprietary hardware and special-purpose software. In the current shift toward standards-based OT, many systems run on Linux-based commodity servers and leverage commercial-off-the-shelf (COTS) software, making them vulnerable to software supply chain attacks.
Widespread Cloud Adoption: Critical infrastructure operators are adopting Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions to accelerate the pace of innovation, streamline operations and support IoT programs like Smart Grid, Smart City and Smart Transportation systems. While essential to digital transformation, these cloud services also provide new ways for adversaries to penetrate systems.
Zero Trust Architectures Protect Against Modern Cyber Threats
Australia is just one of many governments and industry regulators around the world that have recently enacted cybersecurity mandates and guidelines to protect critical infrastructure. Many of these are grounded in a Zero Trust cybersecurity model, which assumes that all digital identities – human or machine – are implicitly untrusted and must be authenticated and authorized regardless of their network or location.
While there’s no such thing as a “Zero Trust technology,” the model requires one consistent point of security control. Unlike a traditional perimeter-based security model, a Zero Trust architecture centers on identity – and requires a comprehensive Identity Security solution and strategy to encompass cloud-based IT and OT systems as well as on-premises IT and OT systems; to defend against internal and external threats; and to provide inherent security for remote workers and mobile users.
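To make the contrast between a perimeter-based model and an identity-centred Zero Trust model concrete, here is an added illustration (not code from the original post or from any product it describes). It evaluates the same access request two ways: the perimeter check trusts any caller on an internal network range, while the Zero Trust check ignores location entirely and requires an authenticated identity that is authorized for the specific resource and action, either by standing least-privilege policy or by a time-limited just-in-time grant. The network range, principals, resources and policy table are all constructed sample values.

```python
"""Perimeter trust vs. Zero Trust access decisions (added illustrative example)."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample: the "inside" of a traditional network perimeter.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample least-privilege policy: principal -> resource -> allowed actions.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"scada/historian": {"read"}},
    "pump-controller-svc": {"scada/plc-07": {"read", "write"}},
}

# Just-in-time grants: (principal, resource, action) -> expiry (epoch seconds).
JIT_GRANTS: Dict[Tuple[str, str, str], float] = {}


@dataclass
class Request:
    source_ip: str
    identity: Optional[str]   # principal verified by authentication; None if unauthenticated
    resource: str
    action: str
    now: float = field(default_factory=time.time)


def grant_jit(principal: str, resource: str, action: str,
              ttl_seconds: float, now: Optional[float] = None) -> float:
    """Issue a short-lived elevation; returns its expiry time."""
    now = time.time() if now is None else now
    expiry = now + ttl_seconds
    JIT_GRANTS[(principal, resource, action)] = expiry
    return expiry


def perimeter_decision(req: Request) -> bool:
    """Traditional model: anything already on the internal network is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> bool:
    """Zero Trust model: location is irrelevant; identity must be authenticated
    and authorized for exactly this resource and action."""
    if req.identity is None:
        return False                      # authentication is mandatory
    standing = POLICY.get(req.identity, {}).get(req.resource, set())
    if req.action in standing:
        return True                       # allowed by least-privilege policy
    expiry = JIT_GRANTS.get((req.identity, req.resource, req.action))
    return expiry is not None and req.now < expiry   # allowed by unexpired JIT grant


if __name__ == "__main__":
    # An unauthenticated caller that happens to sit inside the perimeter.
    inside_anon = Request("10.1.2.3", None, "scada/plc-07", "write", now=1000.0)
    print("perimeter:", perimeter_decision(inside_anon))     # True
    print("zero trust:", zero_trust_decision(inside_anon))   # False

    # An authenticated operator connecting from outside the perimeter.
    remote_alice = Request("203.0.113.9", "alice", "scada/historian", "read", now=1000.0)
    print("perimeter:", perimeter_decision(remote_alice))    # False
    print("zero trust:", zero_trust_decision(remote_alice))  # True

    # Alice needs a temporary write; grant it for ten minutes and watch it expire.
    grant_jit("alice", "scada/historian", "write", ttl_seconds=600, now=1000.0)
    write_now = Request("203.0.113.9", "alice", "scada/historian", "write", now=1100.0)
    write_late = Request("203.0.113.9", "alice", "scada/historian", "write", now=2000.0)
    print("zero trust (within JIT window):", zero_trust_decision(write_now))   # True
    print("zero trust (after JIT expiry):", zero_trust_decision(write_late))   # False
```

The two decision functions receive identical requests; the difference in outcomes is the whole point. The perimeter check admits an unauthenticated caller merely because of its address, which is exactly the gap that IT/OT convergence opens once the air gap is gone, while the Zero Trust check denies that caller and instead admits a verified remote identity for the one action its policy permits, with any elevation beyond that expiring automatically.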
For critical infrastructure owners and operators taking a close look at critical systems and practices, the Australian Cyber Security Centre Guidance for Critical Infrastructure, the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) provide a variety of resources for improving cyber readiness and addressing evolving regulatory requirements.