How CISOs can strengthen critical infrastructure strategies amid rising threat levels

In an environment of increased digitisation and integrated technologies, protecting critical assets and infrastructure that keeps society running represents an essential undertaking for CISOs across Australia.

According to Gartner, 30 per cent of critical infrastructure organisations will experience a security breach by 2025, an attack forecast to be so severe that it will result in the halting of mission-critical operations and systems.

As a result, critical infrastructure security has become a primary concern for governments around the world, with Australia – joined by the US, UK, EU and Canada – identifying sectors deemed ‘critical infrastructure’, such as healthcare, utilities, manufacturing, transport and public facilities.

“Governments in many countries are now realising their national critical infrastructure has been an undeclared battlefield for decades,” said Ruggero Contu, research director at Gartner. “They are now making moves to mandate more security controls for the systems that underpin these assets.”

With attacks targeting critical infrastructure continuing to rise – becoming more sophisticated and targeted in equal measure – bolstering security and risk mitigation levels remain a leading priority for organisations nationwide.

In response, forward-thinking CISOs are evolving skills, techniques and processes for securing both digital and physical assets, responding at pace to safeguard critical infrastructure. Yet, challenges remain as security leaders manage ongoing cyber risk with revised business outcomes.

“The top challenge is initially focusing on getting the basics right in a manner that is sustainable,” observed John Karabin, Senior Director of Cyber Security at NTT. “This sounds easy – i.e., the approach of just implementing the Essential Eight to be safe – however, in reality this is proving difficult even for well-resourced businesses.”

While reasons for inaction vary from company to company, Karabin acknowledged that barriers consistently relate to the lack of cyber culture across all levels of an organisation.

“Does the security group have the full support from the board down? Do all employees see security as their responsibility? Is the organisation ready for a major incident? Has there been a secure-by-design approach built into every aspect of the business processes?” Karabin questioned.

Specific to critical infrastructure, Karabin also cited supply chain complexity as a contributing factor in cyber breaches, an ecosystem which also extends to services and technology providers delivering essential support for businesses.

“Figuring out who does what and when in a crisis, usually ends in disaster,” he cautioned. “A clear and tested Incident Response Plan and linked Business Continuity Plan (BCP), with roles, responsibilities and contingency plans around the supply chain are vital yet often fall short.”

When outlining best practice approaches for CISOs operating within the beating heart of the critical infrastructure sector, Karabin stressed the importance of leveraging threat intelligence to manage intrusion alerts in a “reliable and timely manner”, allowing opportunity to mitigate controls to react at speed.

“This is vital,” he noted. “Blocking threats such as malware quickly and at various points in the kill chain are an important defence in depth approach. This type of capability is increasingly being demonstrated in managed detection and response (MDR) services.”

CISOs must also leverage log monitoring technology to provide clear and timely information about what critical data has been impacted and when this occurred. For Karabin, this represents an important component of the incident response process while assisting with organisational compliance requirements such as when to declare a privacy breach.

“NTT plays a vital role in assisting CISOs to work out how resilient their business is, and what priorities are needed to meet the acceptable business and cyber risks that impact their current and future environments,” he outlined. “This is done through our close technology partnerships, global cyber security team and depth of knowledge around connecting assets from the edge to the cloud.”

Preparing for upcoming critical infrastructure reforms

As threats continue to flood the sector, new Critical Infrastructure Reforms aim to enhance the security and resilience of Australia’s critical infrastructure assets and systems of national significance.

Following industry consultation, the Australian Parliament has recommenced the reforms be implemented in a two-step approach. The first bill focuses on cyber incident reporting requirements, while the second bill prioritises additional protective measures being introduced in the reforms to uplift the security and resilience of Australia’s critical infrastructure assets. The second bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 is out for consultation until 1 February 2022.

“These reforms are designed to better secure the essential services that underpin the functioning of Australia, putting in place the preventative and responsive measures to protect our critical infrastructure.” Hamish Hansford, Head of the Cyber and Infrastructure Security Centre in Home Affairs said.

“Through Town Halls, roundtables, bilateral meetings, exercises, discussion papers, exposure drafts, co-design of rules and our website, we have tried to involve as many people as possible in the design of these reforms.” Hansford reiterated.

“These sectors are those most important to Australia’s national security as well as economic and social prosperity,” clarified Alex Nehmy, Director of Industry 4.0 at Palo Alto Networks.

At a high-level, the reforms seek to expand the number of regulated critical infrastructure sectors from 4 to 11, alongside increasing the security obligations imposed on such sectors across cyber security, personnel security, supply chain security as well as physical security and natural hazards.

To best prepare for these new reforms, Nehmy advised security executives to consider four key elements, starting with maximising the opportunity to educate the board and executive stakeholders on the proposed legislation.

“Highlight areas where further investment and focus may be required to meet the regulatory requirements,” he advised. “These stakeholders will ultimately have to approve the additional spend and the CISO will be accountable for achieving compliance.

“Secondly, get involved with the Government to provide input and help shape the reforms. Industry has a very important role to play in helping the Government come to effective regulations that achieve the required security outcomes while also minimising the compliance and regulatory burden.”

Nehmy said CISOs can achieve this by encouraging the Government to mirror internationally recognised standards that are already being used within the industry.

“Thirdly, adopt an all-hazards approach to risk management in your business,” Nehmy said. “CISOs should bolster their risk management programs with specific focus on the supply as this will be a challenging aspect of the new reforms given its broad scope.”

Finally, Nehmy outlined the value of businesses both understanding and updating incident response plans in response to a rise in threats targeting the sector.

“One of the first parts of the reforms that has now passed the Australian Parliament is the requirement to report certain cyber incidents to the Government,” he added. “Responding to an incident is stressful enough for CISOs and their incident response teams, however those who are well prepared will be ready to meet their incident reporting obligations.”

Although some Australian businesses may not be directly impacted by the critical infrastructure reforms, Nehmy advised caution in the context of regulated companies seeking to manage wider supply chain risks.

“Many organisations will be part of the supply chain to critical infrastructure companies covered by the reforms, who may in turn put obligations on their suppliers, requiring them to improve their cyber posture as a minimum requirement for doing business,” he stated.

Convergence of OT and IT

According to Gartner findings, 38 per cent of businesses operating within the critical infrastructure sector increased spending on operational technology (OT) security by between 5% and 10% in 2021, emphasising a significant shift in CISO go-to-market approach.

“The past five years has seen the increasing digitisation of OT, whereby businesses are reliant on critical operational data from OT in order to run their business,” Nehmy outlined. “The increase in OT specific threats combined with the global shortage of cyber professionals – especially those with OT experience – is causing organisations to significantly adapt their cyber strategies.”

For Nehmy, the approaches and technologies that have worked in the past will fail to counter the new wave of cyber threats now cascading down on OT.

“Firstly, air-gapping an OT environment is rarely effective in modern OT environments due to the increased connectivity with IT,” he said. “To counter this, we’re seeing organisations adopt a zero-trust approach to ensure the implicit trust that is often built into cyber security controls cannot be exploited by an attacker.”

Secondly, the explosion of the Internet of Things (IoT) has significantly increased an organisation’s attack surface prompting the need for continuous visibility of IoT devices specific to IT environments and Industrial IoT (IIoT) devices in OT environments.

“Organisations must leverage network-level security at scale, centred around the ability to detect and stop anomalous behaviour by IoT devices once they are deployed in real time using automation and machine learning,” Nehmy advised.

“Finally, we need to support and nurture the next generation of cyber talent. This is especially important in OT cyber security because of the highly specific skills required. We need to encourage diversity, which can be achieved by supporting professionals from outside of cyber security to re-skill and join the industry, especially in OT.”