Experts in Australia and New Zealand predict critical infrastructure owners will enhance operational technology security as legislative changes take shape, but skills shortages and visibility over networks remain key issues
Nozomi Networks Inc. says Australia and New Zealand critical infrastructure owners/operators will see a major uplift in cybersecurity – particularly in their operational technology (OT) and IoT environments – next year.
The company’s A/NZ OT and IoT security experts called out the importance of improving visibility over networks and devices, “secure-by-design” frameworks, avoiding victim blaming when organisations are attacked, and tackling the skills shortages impacting the industry.
In Australia, the predictions come on the heels of the launch of the 2023-2030 Australian Cyber Security Strategy by the Federal Government, and as Security of Critical Infrastructure (SOCI) Act measures make an impact across critical infrastructure providers.
Anthony Stitt, Regional Senior Director, Nozomi Networks:
- “As the official and unofficial grace periods come to a close on the SOCI requirements, we’ll see regulated critical infrastructure providers continue to uplift their OT and IoT security posture. Interest from non-regulated adjacent industries is high and more organisations will begin the journey.
- “The inaugural Critical Infrastructure Annual Risk Review highlighted some important risks, including vulnerabilities in the connections between IT, OT and IoT environments, cyber literacy and security practices are not keeping pace with digitalisation, and next-generation technologies are needed to change the way to assess risk.
- “One of the key issues to address is visibility over deep, widely connected networks with so many devices potentially talking to each other. All too often, IT and OT networks run together on the same flat network. For these organisations, many are planning segmentation projects, but they are complex and disruptive to implement, so in the meantime organisations want to understand what’s going on in these environments.
- “What’s really positive to see is that organisations are more willing than ever to get their foot in the door. They understand there’s a lot of work to do, but starting with some basic tools and monitoring capabilities can still make a huge difference, and it starts the process of maturation.
- “In Australia, the Government has performed very well by developing and executing the SOCI legislation reforms, and other regions are engaged in or considering similar initiatives. But across the region, we need a generational change to move away from victim blaming when cyber-attacks occur.
- “There’s always something an attacked organisation could have done to remain protected, but we can’t forget that cybercrime is crime. Greater involvement and offensive capabilities from law enforcement will help to change that mindset, and it’s great that is a priority from Government through the 2023-2030 Cyber Security Strategy.”
Marty Rickard, Director of Customer Success and Technical Support – Asia Pacific
- “The industry in Australia and New Zealand is still embattled with a major skills shortage. The limited talent we have is spread primarily among vendors, leaving gaps in internal OT teams and partners, which provide a broader range of security-focused services.
- “People talk a lot about the skills shortage in IT regularly, but at least there’s a fundamental understanding of the fundamental importance of security in IT. That can’t be said of OT yet, but it’s improving – we’re going through the same pain IT did a decade ago of building these skills and understanding, often from scratch, which is positive.
- “As it matures, we need to see OT and IoT security become ingrained into governance, risk and compliance (GRC) teams and we’ll be working closely with a range of critical infrastructure providers to take or at least build towards that journey in the year ahead, but the inaugural Critical Infrastructure Annual Risk Review reminded us these skills shortages aren’t going away.
- “In New Zealand, we’re seeing some much-needed maturity in the market which is positive, and we expect that to continue in 2024. The ‘sky is falling in’ fear mongering is being replaced by practical engagement, technology discussions, and compensating controls to recognise and address risks for what they are.”
Dean Frye, Solutions Architect – Australia and New Zealand
- “Networks and devices need to be secure by design, a methodology we expect will ramp up significantly in 2024. But even then, there are still too many projects taking place where secure by design isn’t considered, isn’t known or understood as a concept. It comes down to fundamental controls normalising and recording the privileges granted to each device and network, holding that in a database and reviewing it regularly, assisted with automation tools.
- “We need a major education and upskilling journey to change this, and the advent of SOCI, greater knowledge sharing between facilities managers, OT professionals and others are making a difference.
- “The greater challenge is tackling environments built before cyber security even existed. One example we encountered involved a council environment where a sewerage system network had an open line to the council chambers, the library, the dog pound, and more. This creates unnecessary risk, but segmenting and securing these networks in a legacy environment takes time. We’ll see strong improvement in this space in 2024, but ultimately it will take a long time to fully rectify.”