Protecting Australia’s Critical Infrastructure
In the current geopolitical upheaval, Australian companies and critical infrastructure may well be collateral damage of cyber threats rather than deliberate targets of attacks. However, the need to collaborate proactively to maximise learnings and minimise cyber risks in today’s ever-evolving climate is more important than ever.
This was amongst the key takeaways from the recent AICC lunchtime event supported by Gilbert + Tobin on Protecting Australia’s Critical Infrastructure – the new cyber threat landscape.
Prior to the panel, moderated by Tim Gordon from Gilbert + Tobin, the audience watched a video from Professor Isaac Ben-Israel, the chairman of the Israel Space Agency and the Director of the Interdisciplinary Cyber Research Center at Tel Aviv University. The national Israel Cyber Security Unit was set up 20 years ago when Israel realised its critical infrastructure systems were highly technology dependent, even in 2002.
Prof Ben-Israel noted that Israel had managed to shield itself from several international cyber-attacks because the Cyber Security Unit was aware of these attacks and was able to guide its critical infrastructure systems to best protect themselves. He admitted that, many times, when attacks are thwarted they are not discussed publicly. Historically the unit was part of the country’s military, but it was later transferred to the civilian authority.
Prof Ben-Israel said that Israel was amongst the first countries in the world to use artificial intelligence to defend critical infrastructure. He added that 5-10 years from now we will all be much more dependent on technology and consequently more vulnerable to cyber-attacks. He insisted on the need for a more holistic approach to any future technology development, one where security is an inherent component, not an afterthought.
Recognising Russia’s real-time cyber capability, he noted how 5-6 years ago Russia shut down Western Ukraine’s electricity for 24 hours. The world expected that, once the conflict erupted, Russia would move to similarly shut down critical infrastructure in the Ukraine. The decision not to do so may be based on Russia’s thinking that they don’t want to give the West an excuse to retaliate directly in the conflict.
THE ROLE OF LEGISLATION
Hamish Hansford, Head of the Cyber and Infrastructure Security Centre, Department of Home Affairs, fielded many questions about the pending Federal legislation on minimising and mapping risk. The legislation has bipartisan support and is expected to return to the Senate for discussion shortly.
Hansford said that there needs to be better partnership between the government and the private sector on this issue, “so we can work together to see key vulnerabilities.” He noted that while some infrastructure sectors have for many years been highly pre-emptive in minimising the risk of cyber-attacks, there were other critical infrastructure areas that needed to raise their baseline. “It is not just about crisis response, it needs to be preventive and pro-active,” he told the attendees.
“Legislation should be the last line of defence,” added Colin Dominish, Head of Podium Services, Lendlease. He too noted the need to work collaboratively. Despite the stigma of discussing successful cyber-attacks, he emphasised the need to maximise learnings from such attacks so they can be shared in larger platforms, and hopefully avoided in the future.
The law should be a minimum standard rather than a target; it is not enough on its own, and organisations that see it this way are not doing enough, said Nick Ellsmore, Global Head of Strategy, Trustwave. He added that a shift was required in thinking about cyber security: “building cyber security systems is in an organisation’s own self-interest”. He noted that if companies were only motivated by cost cutting and bottom lines, it was difficult for them to make this transition and realise it is in their best interest to prioritise these protections.
THE COST OF CYBER ATTACKS
While traditionally Australia has largely been shielded from physical attacks, it is far from immune to cyber-attacks. Dominish noted that last financial year over 65,000 cyber-attacks were reported, with significant economic detriment. Of these attacks, 25% were on critical infrastructure facilities.
Globally, it is estimated that there is a ransomware attack on a business every 11 seconds, with ransomware damage losses projected to reach US$20 billion in 2021.
With such rampant exposure, the speakers discussed the many steps that need to be considered in ensuring critical infrastructure is protected, including examining the access that vendors and suppliers have to organisations. Lesley Sutton, Partner, Technology + Digital, Gilbert + Tobin, noted that there is “lots of work to be done”. In particular, she encouraged organisations to “look at their supply chain dependencies” and fill any outstanding gaps.
Aron Calfas, Head of Digital Risk and Assurance, Sydney Water, warned “if they can’t get to you directly then they will come to your vendors and partners”. He expressed the need for ongoing testing of the robustness of an organisation’s cyber security defences, as well as those of its partners. He said that since the outbreak of violence in the Ukraine there had been a marked increase in cyber-attacks in the sector.
Dominish added that although most of the attacks on infrastructure are “more often than not vanilla attacks that are primarily aimed at installing ransomware, accessing data and getting money”, the controls in place for political attacks are not that different.