Automation is key to protecting critical infrastructure


Amongst the many lessons everyone has learned since the start of the pandemic is that what we all consider essential services and critical infrastructure is far broader than simply keeping the lights on and water flowing. What we’ve discovered is that there is a powerful link between the physical and online worlds.

“Over the last few years, we’ve seen the physical and virtual worlds converge,” explains Serge Maillet, the head of Industrial Cybersecurity at Siemens Australia and New Zealand. “While we may think of a truck rolling down a highway or electrons flowing through a cable as physical actions, they are tightly coupled to information systems that determine what they will do and when they’ll do it.”

Over the last year, the Federal Government has been working on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. This legislation defines, in law, what constitutes critical infrastructure for Australia, and says critical infrastructure includes “physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation”. That broad scope includes everything from utilities through to transportation, educational institutions and medical facilities.

For private companies and public organisations, this means a new compliance regime is coming into force. One of the most critical risks that the legislation brings into focus is cyber-attacks.

While Australia has been somewhat fortunate to avoid the effects of a major cybersecurity incident – unlike the Colonial Pipeline in North America and the Ukrainian power grid attacks – the threat is very real. The Australian Cyber Security Centre (ACSC) reported that during the 2020-21 financial year about a quarter of reported incidents affected critical infrastructure, and the Parliamentary Joint Committee on Intelligence and Security says a cyber-attack occurs on critical infrastructure every 32 minutes.

Maillet says that the skills crisis in cybersecurity is acute, with Australia now having just a tenth of the cybersecurity expertise it needs to stay ahead of the threats. There has also been a significant change in how the technology supporting critical infrastructure is deployed and used.

“In the past, systems were ‘air-gapped’ – there was a physical separation between the networks used to control industrial systems and those used by back-office operations and other parts of critical infrastructure organisations. But that’s no longer the case.”

The convergence of operational technology (OT) and IT means that a vulnerability or security incident in a back-office system can be exploited by a threat actor to cause damage to an industrial control system. Alongside that convergence there has also been a fundamental shift in how industrial systems are designed and managed.

In the past, OT systems were based on proprietary protocols. Today, they use common protocols that are also used in Internet applications. As a result, criminals don’t need specialised skills and can use the same tools and methods to infiltrate industrial systems as they do for more widely used applications. This has given malicious parties a broader attack surface and a much greater range of vulnerabilities to exploit.

While much of the attention is placed on external threats, it’s important to recognise that as many as 90% of reported cybersecurity incidents are the result of human error – things like accidental changes to systems, configuration errors, weak passwords, and other factors.

The net result is complex environments under constant attack with too few people to detect and act on all the potential issues.

“If we keep going as we are, it’s almost inevitable that some piece of critical infrastructure will be compromised. We need a new approach to detecting and mitigating the risks we face,” says Maillet. “The answer is to take advantage of automation and to leverage artificial intelligence (AI) coupled with machine learning.”

There aren’t enough skilled people, and the gap is widening. Automation can ensure constant monitoring and continuous compliance. The days of satisfying periodic audits are behind us. Anomalies and vulnerabilities need to be detected in real time to avoid deleterious consequences.

Automation can run continuously and doesn’t make mistakes; when an anomaly is detected, it can be referred to a person to deal with. The skills that people bring to decision making and problem solving can’t be replicated by computers. Machine learning and AI can detect issues that people can then act on, far faster than if we depend on people for the entire process.

“As a technology and automation company, Siemens has the knowledge and skills to work with critical infrastructure organisations to use automation, machine learning and AI to protect the systems we all depend on… it’s all about having real time actionable intelligence,” says Maillet.

With the frequency of attacks increasing, a widening skills gap and convergence between the physical and virtual worlds, the protection of critical infrastructure is becoming more complex and challenging than ever before. Automation supported by AI and machine learning gives companies a pathway to improved compliance and security.

Copyright © 2021 IDG Communications, Inc.