How the communications industry can ensure a secure state for critical infrastructure

Fortinet International Inc

By Michael Murphy*
Friday, 01 July, 2022

How the communications industry can ensure a secure state for critical infrastructure

New legislation introduced last year in the form of the Security Legislation Amendment (Critical Infrastructure) Act 2021 as well as the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, which has recently been tabled in parliament, has led to changed requirements around serious cybersecurity incidents for critical infrastructure (CI) operators in communications.

These changing legislations have transformed the landscape for many businesses. It is essential that communications organisations understand what the new requirements are and how to address them effectively to protect their CI assets and the people they serve.

The number of cyber attacks on Australian organisations continues to increase, with one incident nearly every eight minutes, self-reported losses totalling more than AU$33 billion, and more than a quarter of the incidents associated with critical infrastructure, not unlike other areas of the world. In fact, according to the latest findings of Fortinet’s global 2022 State of Operational Technology and Cybersecurity Report, which surveyed more than 500 operations technology (OT) security specialists from 28 different countries, OT systems are targeted more frequently than information technology (IT). As the rate and types of attack vary, so, too, does the impact they can have on businesses.

Attacks may come from hacktivists, nation states, cybercriminals and disgruntled insiders. Threats can include ransomware or Ransomware-as-a-Service (where attackers are driven by financial profit) or sabotage (where attackers are politically or ethically motivated). Attacks can be sophisticated or unsophisticated and the severity of the attack will depend on the experience and skill of the threat actor, as well as the level of protection that the victim organisation has to defend it against malicious threats.

Any attack can be devastating to its target. For critical infrastructure, this impact can be even more harmful. Any type of disruption to critical infrastructure naturally goes beyond impacting on a business — it can have catastrophic flow-on effects to essential services and Australian citizens who are part of the supply chain.

Because of this, it is important for communications organisations to understand that securing their CI assets is a markedly different proposition from securing IT networks. This is largely due to the unique nature of the operational technology (OT) that underpins CI assets; as such, traditional IT security methods and approaches simply do not work for OT in a CI environment.

Communications organisations need to be able to ensure a secure state for CI to protect both the business and the people it serves. Consequently, it is essential that communications organisations can proactively identify and address any apparent friction points between corporate IT objectives and OT objectives, before mapping out an approach that lets them achieve mutually beneficial outcomes in the evolving cybersecurity landscape.

The federal government has released its Critical Technology Supply Chain Principles to help governments and businesses to decide about suppliers and the transparency of their own products.

The 10 principles have been grouped under the three pillars of security-by-design, transparency, and autonomy and integrity.​​

Prioritising cybersecurity for the protection of CI assets

Like any roadmap, the cybersecurity program should outline the organisation’s current and desired future states as well as how the organisation will achieve its objectives. This starts with identifying the CI operator’s assets and assessing its security posture. Then, the organisation can develop a strategy for planning and implementing a program of work.

Before developing a road map, CI communications organisations should consider three key areas:

  1. Operational efficiency: Organisations need to understand what critical components are degrading or damaged to ensure these are included in any road map, and potential operational downtime or onsite safety risk exposure for staff is mitigated.
  2. Security: Businesses need to understand how the road map can help achieve reduced performance overheads, or upgraded host lifecycle management, without impacting on maximum tolerable downtime (MTD) or mean time to recovery (MTTR) through real-time threat intelligence and sophisticated campaign monitoring.
  3. Safety: Naturally one of the most essential components of any CI road map, safety needs to be considered of the utmost importance.

This means organisations should consider how to integrate new technologies into their stack, plus what types, to ensure the continued safety of the people they serve. For instance, cloud-enabled surveillance cameras with artificial intelligence (AI) and machine-learning software can detect anomalies in physical behaviour. In the event of an incident, cloud connectivity can chain together an automated incident response plan alerting the appropriate emergency personal.

These critical moments of action without human interference can be the difference between serious injury, death, irreversible brand damage and expensive lawsuits.

These areas also need to be underpinned by comprehensive cybersecurity components, which should be carefully assessed and included in any operational road maps. This will ensure that CI operators can achieve lasting cyber resilience in the face of escalating cyber attacks.

When it comes to developing such road maps, organisations need to consider three essential pillars around which to build their security framework and better protect their CI assets and OT from devastating cybersecurity incidents. These are:

  • Achieve visibility: To comply with any type of legislation or framework, the organisation first needs to understand what assets needs to be protected. Visibility is crucial as it lets the organisation see what solutions need to be mapped and considered in any potential roadmap. To do this, organisations can leverage the Purdue Model (formerly the Purdue Enterprise Reference Architecture (PERA)), which will let them more easily break down and define CI assets across the network.
  • Facilitate control of assets: Beyond visibility, communications organisations need to be able to maintain control over available assets to keep them protected and defended against threats. This can be challenging for organisations that do not have the specific knowledge required to manage or defend against new and emerging threats. However, leveraging shared knowledge bases such as the MITRE ATT&CK Framework for industrial control systems (ICS) can give communications organisations critical knowledge to help maintain control of CI assets.
  • Prioritise non-invasive approaches: To help protect CI assets against threats, communications organisations also need to understand what defensive approaches work best for different assets. In smart cities, the attack surface can expand exponentially with every new Internet of Things (IoT)-connected device added to the network. For example, communications organisations that leverage CI assets may use IoT-connected cameras for citizen safety. At the same time, these expand the attack surface. In these cases, the use of IoT decoys specific to organisations can be especially beneficial as using non-invasive approaches that leverage the likes of IoT decoys to let attackers think they are in the network without actually being there.

Organisations that manage critical infrastructure could be considered some of the most vulnerable targets for potential cyber attacks. This is not to say that their systems are more vulnerable to security breaches, but certainly that they are high-profile targets for malicious actors.

As such, it is crucial that communications organisations that manage CI take a considered approach to their cybersecurity. This will help to drive the security agenda forward. It will also ensure they achieve the best possible protection for their CI assets and, in turn, the people and services they protect and serve.

*Michael Murphy is the head of operational technology (OT) and critical infrastructure for Australia for Fortinet. His focus is on helping organisations build cyber resilience for OT and understanding how to achieve strong outcomes for OT security. Murphy has held roles as a cybersecurity practitioner and senior sales engineer and has built OT incident response teams in organisations in Australia, New Zealand, London, Hong Kong and Singapore.

Top image credit: ©

Related Articles

Is LoRaWAN a viable option for critical messaging?

What can take up the slack and replace closed paging networks?

New Zealand Police upgrade with Mimomax Tornado radios

Radios selected as part of a nationwide linking replacement and expansion project.

Bonded cellular and beyond

What is it, what is it used for, is it still relevant in a 5G world and, is it enough?

  • All content Copyright © 2022 Westwick-Farrow Pty Ltd