Concerns that cyberattacks could disable critical Australian infrastructure went from hypothetical to imminent virtually overnight, with security consultants recommending CISOs act rapidly as the Russian invasion of Ukraine revs up a shadow cyberwar and as cybercriminals threaten the critical infrastructure of any country acting against Russia.
Flying in the face of near-universal condemnation of Russia’s invasion, a public proclamation by the Contiransomware gang warned that it “will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia. … We will use our resources to strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression.”
Australia braces for cyberattacks
The threat to Australian interests was more than hypothetical as the country increased its support for Ukraine, committing $70 million worth of ammunition, antitank missiles, and other weapons to help it fight the Russian invaders.
That move came in the wake of Russian targeting of Ukrainian government sites and other organisations with ‘wiper’ malware, following on from a January 2022 malware campaign known as WhisperGate in an escalation that led authorities in the US, Australia, and elsewhere to warn about likely crossfire as further cyberattacks are launched.
Although there are “no specific or credible cyberthreats to Australian organisations at this time,” the sixth update to an Australian Cyber Security Centre (ACSC) advisory noted, “the threat of cyberattacks on Australian networks, either directly or inadvertently, has increased. … While the ACSC has no specific intelligence relating to a cyberattack on Australia, this could change quickly,” flagging the Conti threat and warning operators of Australia’s critical infrastructure to “take appropriate actions to secure their systems and networks”.
New urgency on critical infrastructure by the Australian government
Long before the current war began, discussion about legislative reform was always gaining urgency after Home Affairs Department secretary Mike Pezzullo warned of “deeply concerning” and “credible” threats against key parts of Australia’s infrastructure.
Months after a Parliamentary committee recommended the Security Legislation Amendment (Critical Infrastructure) Bill 2020 be split into two parts to fast-track “government assistance measures to be used as a last resort in crisis scenarios”—and the first part passed Parliament in November 2021—the process finally moved into the next stage as the second half of the legislation was introduced to Parliament in February 2022.
Developed through consultation with industry, the proposed Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP) includes a raft of additional measures “to mitigate and minimise material risks”, Home Affairs said, and requires critical-infrastructure operators to follow formal critical-infrastructure risk-management programs in line with prescribed guidelines.
“Responsible entities must consider all hazards in their risk management program,” the department advised, noting the range of exposure including cybersecurity and information security, supply chain, physical, natural, and personnel hazards.
The new legislation “really does represent a significant milestone and another important reform to Australia’s critical infrastructure,” said Narelle Devine, who as CISO at Telstra faces the ever-present threat of cybersecurity attacks on the country’s largest telecommunications operator.
With critical infrastructure increasingly dependent on cybersecurity amidst increasing interdependencies, Devine said, “the potential for cascading consequences if we’re interrupted is significant.”
The Australian government’s proposed reforms “seek to make risk management preparedness, prevention and resilience business-as-usual for the owners and operators of critical infrastructure assets,” she said, “and to really improve information exchange between industry and government, to build a more comprehensive understanding of the threats in general.”
A new cybersecurity climate for Australian critical infrastructure
Whether due to public threats from Conti or surreptitious activity by other nation-state actors, the rapid escalation around Russia’s invasion has dramatically changed the cybersecurity climate facing Australian critical-infrastructure operators.
This change comes at a time when, according to newly released figures from internet of things security firm Claroty, vulnerabilities in the industrial control systems (ICS) used by critical-infrastructure operators continue to surge.
ICS vulnerability disclosures increased by 110% over the last four years and grew by 25% in just the second half of 2021—when 797 ICS vulnerabilities were published—according to the company’s latest “Biannual ICS Risk & Vulnerability Report”.
Of these vulnerabilities, 87% are deemed “low complexity”, meaning that they are easy to exploit and that “an attacker can expect repeatable success every time,” Claroty said, noting that 64% of the ICS compromises don’t require any user interaction.
Framed in the context of surging threats against critical infrastructure, the need to maintain security has pushed industry to “a bit of a tipping point around how we think about [risk] as a country,” noted Chris Smith, head of Telstra consulting arm Telstra Purple, during a recent webinar.
IT professionals “need to shore up networks and have the foundational controls in place to understand what and where our critical data is,” Smith said, noting that customers in and out of the prescribed critical-infrastructure sectors had increasingly been tapping Telstra Purple’s expertise to figure out their changing obligations and the best way to protect against ransomware.
This included defining and understanding the risks particular to each organisation and how to mitigate them; undertaking risk assessments on supply chain partners; and continually revisiting those as the business and cybersecurity climate changes over time.