The Australian Government needs to consider the specific OT, ICS and IoT cybersecurity concerns in its protection of critical infrastructure plan, explains Diego Betancur, Lead Technical Sales Engineer, APAC for operational technology and IoT security company, Nozomi Networks. He responds to a detailed consultation paper from The Department of Home Affairs.
As the Australian Government continues its push for cybersecurity, critical infrastructure has come into focus. The Department of Home Affairs (DHA) has released a detailed consultation paper outlining the main collaboration initiatives between the government and industrial entities to protect critical infrastructure and systems of national significance.
These are the systems we can’t do without – energy, food, transport and water. They are prioritised during bushfires and other extreme weather, and as threats become more digital the government is right to put a framework in place to protect them from the growing threat of cybercrime.
In reviewing, and eventually acting on, the consultation paper, the government needs to consider the disproportionately low level of cybersecurity maturity in existing operational technology (OT) and industrial control systems (ICS), as well as the lack of OT/ICS cybersecurity skills.
Breaking down the paper
Within the paper, there are a number of standout discussion points:
- Entities will have a responsibility to take an all-hazards approach when identifying and understanding risks.
- Government should use its unique position and resources to share aggregated threat information, work with critical infrastructure entities of all levels of maturity to build their capability and empower entities to appropriately protect themselves when faced with a serious threat.
- Some entities will already have a mature capability allowing them to voluntarily provide the government with the information required and receive actionable, aggregated information in return. Some entities will be at the other end of the maturity spectrum and may need to build their capability first.
- Government heard that Australia’s critical systems are facing a worsening threat environment and the nation needs to address vulnerabilities in supply chain security, control systems and operational technology.
Several factors must be addressed in order to effectively respond to these points, and the paper is missing a few areas that should also be considered.
Addressing cybersecurity risk management in OT networks
Critical industries understand risk management well – but cybersecurity risk is different and needs to be treated as such.
Dedicated capabilities, and even budget, for OT and ICS environments are often scarce, which can leave unclear cyber plans in the hands of site managers or network admins. Further, penetration testing in these environments is often restricted to basic port scans or high-level assessments.
It’s important that suitable assessments – such as passive discovery and monitoring – and appropriate methodologies for quantifying risk metrics, such as Annual Loss Expectancy (ALE) or Single Loss Expectancy (SLE), are applied.
This can help ensure reliable data is used to make risk-mitigation investment decisions and to apply effective strategies.
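To make the ALE/SLE point concrete, here is an added example (not from the article or from Nozomi Networks) that computes both metrics for a constructed OT scenario and ranks two candidate controls by net annual benefit; every asset value, exposure factor and occurrence rate is an assumed illustration.

```python
# Added example (not from the article): a worked SLE/ALE calculation for an OT risk
# scenario, used to rank candidate controls by annual cost against annual benefit.
# Every asset value, exposure factor and occurrence rate is a constructed illustration.
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    return sle * annual_rate_of_occurrence


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float            # licences, staff time and maintenance per year
    aro_after: float              # expected incidents per year once deployed
    exposure_factor_after: float  # fraction of the asset still lost per incident


def residual_ale(asset_value: float, m: Mitigation) -> float:
    """ALE that remains once the control is in place."""
    return annual_loss_expectancy(
        single_loss_expectancy(asset_value, m.exposure_factor_after), m.aro_after)


def net_annual_benefit(asset_value: float, ale_before: float, m: Mitigation) -> float:
    """Annual risk reduction the control buys, minus what it costs per year."""
    return (ale_before - residual_ale(asset_value, m)) - m.annual_cost


# Constructed scenario: a water-treatment control network whose loss of availability
# is valued at AU$2M, 25% exposure per incident, one incident every two years (ARO 0.5).
ASSET_VALUE = 2_000_000.0
ALE_BEFORE = annual_loss_expectancy(single_loss_expectancy(ASSET_VALUE, 0.25), 0.5)
CANDIDATES = [
    # Passive monitoring stops nothing (same ARO) but cuts detection and recovery time.
    Mitigation("passive network monitoring", 60_000.0, 0.5, 0.125),
    # A full patch programme halves incident frequency but costs far more to sustain.
    Mitigation("full OT patch programme", 200_000.0, 0.25, 0.25),
]


def best_mitigation(asset_value=ASSET_VALUE, ale_before=ALE_BEFORE, candidates=CANDIDATES):
    """Return (name, net benefit) of the best-value control, or None if none pays off."""
    net, name = max((net_annual_benefit(asset_value, ale_before, m), m.name) for m in candidates)
    return (name, net) if net > 0 else None
```

With these assumed numbers both controls leave the same residual ALE, so the cheaper visibility control wins on net benefit, which is the kind of comparison the paragraph above is asking operators to make.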
Threat intelligence sharing
Sharing actionable and timely threat intelligence is crucial to defending against cybersecurity threats. Australia primarily uses a combination of intelligence gathered by the US Cybersecurity and Infrastructure Security Agency (CISA) and intelligence from the Australian Cyber Security Centre (ACSC).
Locally, we lack a focus on OT and ICS resources, with most of the attention given to the better-known area of IT threats. This does not fairly reflect the threat each domain presents, and this paper should be leveraged to reduce the divide.
To do that, the government should mobilise agencies and alliances to monitor the global threat landscape and create a collaborative threat-sharing community between operators, vendors, researchers and themselves.
Sector-based cybersecurity maturity frameworks
A one-size-does-not-fit-all theme is emphasized throughout the DHA’s paper as critical infrastructure industries are substantially different from each other.
The sentiment is correct – but as it stands, industry-specific cybersecurity frameworks are rare. Energy is the exception here, and the Australian Energy Market Operator (AEMO) has focused on promoting operator self-assessments and enabling collaboration and intelligence sharing. A similar approach would help each critical industry develop a bespoke posture.
Third-party risks: OT/ICS automation vendors and vulnerability management
Vulnerability discovery and patching usually come up early in IT third-party risk discussions – naturally, this has transitioned to OT discussions too, but it’s not always the best approach.
Industrial organizations can achieve better initial risk reduction with approaches more suitable for a low maturity in OT/ICS cybersecurity. These solutions include network and operational visibility, which is more cost-effective and has less impact on operations.
Unlike IT, where the process has matured over time, creating an OT patch management program is challenging for a number of reasons: slower patch evolution, deployment in segregated remote environments, abandoned and unmaintained software and hardware, a lack of vulnerability disclosures, patch reliability concerns and uptime requirements.
Greater training and collaboration between vendors and third-party suppliers is needed to ensure they are aware of the specific risks of OT and ICS, with a particular focus on network visibility. This should be addressed and encouraged in the paper’s final report.
Overlooking the skills shortage
A key element missing from the paper is skills shortages – this is already an issue in IT cybersecurity, but it’s particularly prevalent in the area of OT.
CISOs and security operations centers (SOCs) are increasingly common in enterprises and governments, but there are not yet any equivalent centers for OT or ICS networks. Leveraging this paper and its wider cyber initiatives, the government can provide education on the importance of training employees, creating roles and suggesting priority actions.
OT-specific cybersecurity training courses are available for AU$5,000 to AU$10,000, which the government can easily facilitate or subsidise to give professionals greater access to them.
The ACSC currently has limited resources to help uplift cybersecurity maturity within critical infrastructure industries. Leveraging regulatory compliance to build awareness and visibility of resources like the ACSC will serve as a starting point to bridge the skills gap. It will also drive private sector industries to invest in developing adequately skilled people for these unique roles.
It’s important that both the public and private sector work together toward a common goal to ensure we not only protect critical infrastructure and our sovereignty but that we also continue to innovate and evolve security capabilities.
The government is taking the right direction in reforming regulation and uplifting cybersecurity capabilities. However, there are key considerations and challenges around the current state of critical infrastructure that should not be taken lightly.
For long-term success, critical infrastructure organizations must work with the government to dive deeper and develop a clear understanding of the different critical infrastructure sectors and the individual challenges they must overcome. As history has taught us, nation-state or for-profit attackers do not discriminate.