Safeguarding essential infrastructure from attacks in a digitised world: why Australian utilities need to put cyber-security on the agenda in 2020


The extraordinary life of operational infrastructure in utilities means that many devices that were never designed to be accessible from an IP network are now vulnerable to external attacks.

And even new systems like the Siemens DCS SPPA-T3000 are not foolproof, with the company recently announcing 54 CVE level flaws in this technology alone.

They’re not called essential services for nothing. Turning off the power or water for more than a short stretch is a recipe for immediate and widespread disruption; something Australians weathering the summer fire and cyclone season know all too well.

Wild weather in late November saw 20,000 Sydneysiders advised, several days later, to relocate or prepare for the grim prospect of an electricity-free weekend. More recently, the huge disruption caused by the bushfires has been felt by the whole country. Even those not directly impacted may suffer service disruption across power, water and telecommunications.

In 2020, our reliance on centrally controlled electricity, gas, plumbing and telecommunications networks is almost absolute. That’s why utility companies are always ready to spring into action to restore supply as quickly as possible, whenever a natural disaster knocks out infrastructure and systems…and it looks like these will become more frequent and intense!

Cyber-attacks can be every bit as disruptive to regular service as the most savage category five cyclone – but are local providers properly prepared to repel them and recover from them? Or has digital transformation created new layers of vulnerability and risk which they have yet to mitigate as fully as they might?

The Australian Energy Market Operator (AEMO) has released guidelines in response to the Finkel Review recommendations, and these go a long way towards ensuring responsible self-assessment in the Energy Market – however, indications are that few will measure up to the standards required by AEMO.

Smart technology is changing the sector – fast

Australian utility companies are operating in a state of flux, and that doesn’t look like changing any time soon.

In addition to considerable regulatory uncertainty, KPMG Australia notes the sector has faced an unprecedented period of transformation, with further change still to come. Significant challenges identified by the consultancy include: operating in an environment in which resources are becoming scarcer, due to population growth, urban densification and climate change; higher consumer expectations, coupled with price sensitivity driven by cost of living pressures; and the maturation and convergence of a range of technologies which look set to disrupt the sector further.

On the latter front, digitisation has already delivered significant efficiencies and safety improvements to transportation hubs, power grids and communications networks. Large-scale Internet of Things (IoT) installations look set to do likewise.

Upping the efficiency – and amplifying the risk

That’s good news for utility companies. The bad news is that digitisation doesn’t just make systems more streamlined and economical to operate. Because it opens up the attack surface, it also makes them more prone to compromise, by attackers and cyber-criminals.

In the past, centralised control infrastructure could be well secured by perimeter protection, but this traditional model of cyber-defence is less effective in highly decentralised environments comprising tens of thousands, perhaps even millions, of endpoints. The security challenge is compounded by the fact that many of the digital devices or ‘things’ being connected to networks don’t have robust, in-built security systems and are thus more vulnerable to attack.

In the Siemens advisory, for example, one of the recommendations is to use the firewall to restrict access – which is good advice… except that most successful attacks are already through the firewall, or have gone around the firewall as part of their attack plan. A firewall won’t stop a legitimate access request.

In this setting, solutions which offer visibility and early detection of threats inside the network can enable providers to thwart attacks more effectively than traditional perimeter-based technologies.

Given the disruptive repercussions of even a relatively brief outage, exploring alternative security models which may potentially create a more robust defence structure should be imperative for utilities which are serious about service continuity.

Leading attackers up the garden path

Deception technology is an emerging defence strategy which is increasingly being employed by critical infrastructure operations around the world who are looking for innovative ways to outwit adversaries intent on causing damage and disruption to their complex networks and systems.

The term deception technology is used to refer to the use of traps and decoys which mirror genuine networks and systems, including bogus files and simulated SCADA, ICS and IoT devices.

Decoys can run in either a real or virtual operating system environment. The goal is to deceive attackers into thinking they’ve located a vulnerable set of systems and devices on the network. While they’re accessing these decoy assets such as PLCs, Historians, and other systems, security professionals can monitor and record their behaviour, capture IoCs, develop TTPs, and glean valuable intelligence about their motives and modus operandi.

That intelligence can feed into existing Threat Information Platforms and other security controls to inform the security strategy and strengthen defences against future attacks.
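The sketch below is an added illustration, not code from the article or from any deception product. It shows why decoy traffic makes a clean detection signal: no production process talks to a decoy, so every connection to one is worth recording and aggregating per source. The decoy addresses, log format and record fields are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy inventory: nothing legitimate ever connects to these.
DECOYS = {
    "192.0.2.10": "decoy PLC",
    "192.0.2.11": "decoy historian",
}

# Constructed connection log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2020-01-14T02:11:07Z src=198.51.100.44 dst=192.0.2.10 dport=502
2020-01-14T02:11:09Z src=198.51.100.7 dst=198.51.100.20 dport=443
2020-01-14T02:13:52Z src=198.51.100.44 dst=192.0.2.11 dport=1433
2020-01-14T02:14:30Z src=198.51.100.44 dst=192.0.2.10 dport=502
malformed line that should be skipped
2020-01-14T03:40:01Z src=198.51.100.90 dst=192.0.2.11 dport=3389
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def decoy_hits(log_text, decoys=DECOYS):
    """Return parsed records whose destination is a decoy asset."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["dst"] in decoys:
            hits.append({**m.groupdict(), "dport": int(m["dport"])})
    return hits

def build_indicators(hits, decoys=DECOYS):
    """Aggregate hits per source into records a threat platform could ingest."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h)
    indicators = []
    for src, events in sorted(by_src.items()):
        touched = sorted({decoys[e["dst"]] for e in events})
        indicators.append({
            "indicator": src,
            "first_seen": min(e["ts"] for e in events),
            "last_seen": max(e["ts"] for e in events),
            "decoys_touched": touched,
            "ports": sorted({e["dport"] for e in events}),
            # Touching several decoys suggests the source is exploring the network.
            "priority": "high" if len(touched) > 1 else "medium",
        })
    return indicators
```

Calling `build_indicators(decoy_hits(SAMPLE_LOG))` yields one record per source address, ready to serialise in whatever format the receiving platform expects.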

Safeguarding the services that keep society running

The security of Australia’s utilities sector is far too important to leave to chance. Digital transformation has opened companies up to greater cyber-risk, and it’s incumbent upon them to review their security posture and mitigate emerging vulnerabilities by putting commensurate protections in place. New generation solutions, such as deception technology, can provide greater visibility into the network and assist providers in detecting and derailing attackers before they cause significant damage.


Copyright © 2020 IDG Communications, Inc.
