Cyber security: Protecting critical infrastructure


It is estimated that one quarter of all reported cyber security incidents affect organisations associated with Australia's critical infrastructure – that is, things like electricity, gas, water and ports – with significant impacts to businesses and the community.

In May 2021, American oil pipeline system Colonial Pipeline, which carries approximately 45% of all fuel on the east coast of the USA, suffered a ransomware attack on its corporate IT systems. The company halted pipeline operations as a precaution while it assessed whether the operational systems were affected.

The attack caused a six-day shutdown that sparked supply shortage concerns, resulting in skyrocketing fuel prices. It is reported that 71% of service stations ran out of fuel in Charlotte, North Carolina, and the fuel shortages affected various domestic and international airports and flight schedules.

This example demonstrates the potential impacts of a cyber attack on critical infrastructure and reinforces the importance of systems and processes to protect an organisation's most critical assets from cyber incidents and from long-term disruption.

The Australian Government has proposed legislative reform to the Security of Critical Infrastructure Act 2018 to expand its coverage from four sectors (electricity, gas, water and ports) to eleven critical infrastructure sectors, including financial services and markets, higher education and research, food and grocery, health care and medical, transport, and water and sewerage.

Below, we explore three important ways to protect your organisation from cyber attacks.

1. Keep your inventory of assets up to date

Critical infrastructure organisations often have a significant number of networked assets, adding to the complexity of detecting, managing and mitigating vulnerabilities.

Real-time visibility of the organisation's network asset inventory is the foundation of protection and resilience: a device that is not in the inventory is not being patched, monitored or included in risk assessments. In OT environments the inventory is best built and maintained by passively observing network traffic, because actively probing older controllers can disrupt them.

An accurate inventory gives security teams reliable data on which to base decisions and lets them manage vulnerabilities more effectively and efficiently.

2. Vulnerability management

An attacker needs a weakness to exploit, most often an unpatched vulnerability, but also a misconfiguration or a stolen credential. Industrial networks usually contain thousands of operational technology (OT) and internet of things (IoT) devices from various vendors, ranging widely in age, and most were not designed for the level of security a critical infrastructure environment requires. It is therefore essential to run a vulnerability management cycle in which every device is identified, assessed, patched and then reassessed on a regular schedule. Two OT caveats apply: active scanning can crash fragile legacy controllers, so scan them only in maintenance windows or rely on passive identification and firmware version checks; and where a device cannot be patched, apply compensating controls such as network isolation or access restriction, and record that decision.
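The two preceding recommendations, an up-to-date inventory and a regular vulnerability cycle, feed each other: the inventory says what is on the network and at which firmware version, and the advisory list says which of those versions are exposed. The script below is an added example written for this article, not code from the original page or from any vendor. It reconciles a constructed inventory against devices passively observed on the wire (flagging both unrecorded devices and inventory entries that have gone quiet), then matches the inventory against a constructed list of advisories by comparing firmware versions numerically and orders the results for a patch plan. The vendor names, product names, addresses and advisory identifiers are all hypothetical.

```python
"""Reconcile an asset inventory with passively observed devices, then match the
inventory against vendor advisories.

Added example for the article, not code from the original page. All data
below (inventory, observed devices, advisories) is constructed sample data;
the vendor names, product names and advisory identifiers are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    vendor: str
    product: str
    firmware: str   # dotted version string such as "2.3.0"
    zone: str       # "ot", "dmz" or "it"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, constructed for this example
    vendor: str
    product: str
    fixed_in: str      # first firmware version that is no longer affected
    severity: str      # "critical", "high", "medium" or "low"


# Constructed sample inventory (what the asset database says is on the network).
INVENTORY = [
    Asset("00:11:22:33:44:01", "10.10.1.5", "Acme", "PLC-100", "2.3.0", "ot"),
    Asset("00:11:22:33:44:02", "10.10.1.6", "Acme", "PLC-100", "2.4.1", "ot"),
    Asset("00:11:22:33:44:03", "10.10.2.10", "Beta", "HMI-Station", "5.0.2", "ot"),
    Asset("00:11:22:33:44:04", "10.20.0.2", "Gamma", "Historian", "1.9.0", "dmz"),
]

# Constructed sample of devices seen passively (ARP/DHCP on a span port), so
# that fragile OT devices are never actively probed.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.10.1.5"},
    {"mac": "00:11:22:33:44:02", "ip": "10.10.1.6"},
    {"mac": "00:11:22:33:44:04", "ip": "10.20.0.2"},
    {"mac": "AA:BB:CC:DD:EE:FF", "ip": "10.10.1.77"},   # nobody recorded this one
]

# Constructed sample advisories (hypothetical identifiers).
ADVISORIES = [
    Advisory("ADV-SAMPLE-001", "Acme", "PLC-100", "2.4.0", "critical"),
    Advisory("ADV-SAMPLE-002", "Beta", "HMI-Station", "5.1.0", "high"),
    Advisory("ADV-SAMPLE-003", "Gamma", "Historian", "1.8.0", "medium"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version):
    """Turn "2.10.0" into (2, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def find_unknown_devices(inventory, observed):
    """Devices on the wire whose MAC address is not in the inventory."""
    known = {a.mac.lower() for a in inventory}
    return [d for d in observed if d["mac"].lower() not in known]


def find_stale_inventory(inventory, observed):
    """Inventory entries that were not seen during this observation window."""
    seen = {d["mac"].lower() for d in observed}
    return [a for a in inventory if a.mac.lower() not in seen]


def match_advisories(inventory, advisories):
    """Pair each asset with every advisory whose fix version it has not reached.

    Results are ordered most severe first, and OT-zone assets before others at
    equal severity, which is the order a patch or mitigation plan should follow."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset.vendor, asset.product) == (adv.vendor, adv.product)
            if same_product and parse_version(asset.firmware) < parse_version(adv.fixed_in):
                findings.append((asset, adv))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[1].severity], f[0].zone != "ot"))
    return findings


if __name__ == "__main__":
    for d in find_unknown_devices(INVENTORY, OBSERVED):
        print(f"UNKNOWN DEVICE  {d['mac']} at {d['ip']} - investigate before it is trusted")
    for a in find_stale_inventory(INVENTORY, OBSERVED):
        print(f"NOT SEEN        {a.product} at {a.ip} - decommissioned, or moved off the monitored segment?")
    for asset, adv in match_advisories(INVENTORY, ADVISORIES):
        print(f"{adv.severity.upper():9} {asset.product} {asset.firmware} at {asset.ip} "
              f"({asset.zone}) - {adv.advisory_id}, fixed in {adv.fixed_in}")
```

Two details matter in practice. Versions are compared as integer tuples, because comparing "2.10.0" and "2.9.3" as strings would wrongly call the newer firmware older. And the reconciliation runs in both directions: an unrecorded device on an OT segment is a security question, while a recorded device that has gone quiet is an inventory-hygiene question, and both need answering before the vulnerability results can be trusted.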

Further steps can also be taken to reduce the chance of malware reaching these devices, such as application control to prevent execution of unapproved programs, email content filtering, web content filtering and blocking unapproved removable storage media such as USB drives.

3. Operational network isolation

Where possible, critical infrastructure providers should avoid providing remote access to the operational technology environment (OTE), that is, the hardware and software systems that manage, monitor and control industrial operations. Restricting physical and cyber access to the OTE has inherent security benefits, and is best achieved by confining that access to physical worksites such as control rooms and operations floors.

Where this is not possible, such as during the COVID-19 pandemic and the shift to working from home, organisations should take a zero-trust approach and take steps to mitigate the risk. For example, they should supply and configure a work laptop and network connection for remote workers who need to connect to the OTE, removing the need to use personal devices and home networks. The remote connection should terminate on a hardened jump host in a demilitarised zone, protected by multi-factor authentication and with sessions logged, rather than reaching OT systems directly.
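Isolation of the operational network is only as good as the firewall rules that enforce it, and rule sets drift as engineers add "temporary" exceptions. The script below is an added example for this article, not code from the original page or from any firewall vendor. It checks a constructed rule set against the segmentation model described above: nothing crosses directly between the IT and OT zones, OT devices never initiate connections outward, and the only path into OT is from the designated jump host in the demilitarised zone. The address plan, jump host address and rules are all hypothetical sample data.

```python
"""Check a firewall rule set against an OT segmentation policy.

Added example for the article, not code from the original page. The zones,
jump host address and rules are constructed sample data. The policy encodes
the enterprise -> DMZ jump host -> OT model: no traffic crosses directly
between the IT and OT zones, OT devices never initiate connections outward,
and the only path into OT is from the designated jump host.
"""
import ipaddress

# Constructed sample address plan.
ZONES = {
    "it": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.10.0.0/16"),
}
JUMP_HOST = ipaddress.ip_network("10.20.0.5/32")

# Constructed sample rules: (source, destination, port, action).
# A port of 0 means "any port".
RULES = [
    ("10.20.0.5", "10.10.0.0/16", 3389, "allow"),   # jump host into OT
    ("10.0.0.0/16", "10.20.0.5", 443, "allow"),     # staff laptops to the jump host
    ("10.0.5.12", "10.10.1.5", 502, "allow"),       # an IT desktop straight to a PLC
    ("10.10.0.0/16", "0.0.0.0/0", 443, "allow"),    # OT devices out to the internet
    ("0.0.0.0/0", "10.10.0.0/16", 0, "deny"),       # default deny into OT
]


def zone_of(cidr):
    """Name the zone a host or prefix belongs to. Anything not wholly inside a
    planned zone, including 0.0.0.0/0, is treated as "external"."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "external"


def check_rules(rules):
    """Return (rule, reason) for every allow rule that breaks the policy."""
    violations = []
    for rule in rules:
        src, dst, _port, action = rule
        if action != "allow":
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        src_net = ipaddress.ip_network(src, strict=False)
        if dst_zone == "ot" and src_zone == "it":
            violations.append((rule, "IT zone reaches OT directly; route it via the DMZ jump host"))
        elif dst_zone == "ot" and src_zone == "external":
            violations.append((rule, "untrusted source allowed into OT"))
        elif dst_zone == "ot" and src_zone == "dmz" and src_net != JUMP_HOST:
            violations.append((rule, "DMZ host other than the jump host reaches OT"))
        elif src_zone == "ot" and dst_zone in ("it", "external"):
            violations.append((rule, "OT initiates outbound traffic to IT or the internet"))
    return violations


if __name__ == "__main__":
    for rule, reason in check_rules(RULES):
        print(f"VIOLATION {rule[0]} -> {rule[1]}:{rule[2]}  {reason}")
```

Run against the sample rules it reports two violations: the engineer's desktop talking Modbus (port 502) straight to a PLC, and the OT range being allowed out to the internet. The jump-host rule and the staff-to-jump-host rule pass, because together they form the intended two-hop path. Treating anything outside the address plan as external, rather than skipping it, is deliberate: a rule from 0.0.0.0/0 into OT is exactly the kind of exception that needs to be caught.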

For assistance with reviewing your organisation’s frameworks for minimising and responding to cyber attacks, contact our team of experienced legal experts.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.