Australian Security Magazine, Feb/Mar 2016


Critical Infrastructure

Protecting critical infrastructure from cyber attacks

By John Kendall, Public Sector & Security Program Director, Unisys Asia Pacific

Critical infrastructure providers are becoming acutely aware of how dependence on IT systems and connectivity makes them increasingly vulnerable to cyber-threats. However, John Kendall, Public Sector & Security Program Director, Unisys Asia Pacific, warns that physical system segregation will not keep up with the expectation to adopt new technologies in their business and the resulting evolving security threats.

The Internet of Things (IoT) can be a terrifying prospect for organisations responsible for building, operating and maintaining critical infrastructure such as power grids and telecommunication networks. While some critical infrastructure providers are embracing IoT as the path to business success, others have opted to reject integration with the Internet to better protect their IT systems.

Recently, AusNet, the largest energy delivery service in the state of Victoria, Australia, declared it has segregated its network into information technology and operational technology, with either an air gap or segregation, so that its networks and operational SCADA systems are “caged off” from the rest of the company’s IT infrastructure. 1 AusNet’s motivation is understandable, but physical segregation is not a viable long-term strategy to protect IT systems, as people will inevitably find a way around the air gap.

What threats?

Cyber-attacks on critical infrastructure are not restricted to big budget movies and popular fiction. The US Department of Homeland Security Industrial Control System Cyber Emergency Response Team (ICS-CERT) reported 2 an eight-fold increase in the number of reported attacks in the US over a four-year period – with the largest percentage (32 per cent) targeting organisations in the energy sector.

A survey of critical infrastructure organisations by the Ponemon Institute 3 in 2014 found that 86 per cent of the respondents in Australia and New Zealand reported at least one significant security breach in the previous 12 months. In addition, 79 per cent felt that an attack on an Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) system was at least somewhat likely in the next 12 months.

From whom?

“Hacktivists” wishing to create havoc to make a political or social statement can download cyber weapons and get suggested targets, strategies and current success rates thanks to online networks like Anonymous. Criminal elements also use cyber-attacks to demand ransom payments or steal valuable corporate or customer data. And there is the simple issue of human error by employees.

However, the most insidious attacks on critical infrastructure display the characteristics of major state players who are probing critical infrastructure weaknesses and testing sophisticated cyber weapons that could potentially be used to cripple an economy.

Isn’t ring fencing a logical response?

Some organisations have adopted a policy of physically isolating critical power infrastructure assets by separating information technology from operational technology like SCADA-based ICS via an “air gap”. In the past, “ring fencing” ICS systems in this way was seen as a simple solution that allowed organisations to meet business goals while reducing the risk of cyber exploitation. However, more recent experience shows “ring fencing”

