From government and healthcare, energy and water networks, manufacturing and telecoms, transportation systems and financial networks, billions of people rely on critical infrastructure. Despite these industries differing in how they function, they are all increasingly relying on an internet connection to help them deliver their services.
Critical infrastructure are the physical and digital shared systems that help societies, businesses and service providers function. However, its increased reliance on connectivity is making it vulnerable to cyber attacks. Such attacks can be motivated both by cybercriminals looking to make an ‘easy profit’ or rival nation-states looking to cause disruption or acquire sensitive information.
In November last year, one of Australia’s largest port operators, DP World Australia, experienced a cyber attack which required the company to disconnect its network from the Internet after its technology team detected unauthorised access to the Australian corporate network. This resulted in operations at four ports, including in Sydney and Melbourne, grinding to a halt while the incident was contained. As DP World Australia manages around 40 per cent of the country’s container shipping, the incident was described by the media as ‘paralysing’.
Blurring The Lines Between Peace and War
In the pre-internet age, a physical attack on critical infrastructure may have been considered an act of terrorism or war, and justice would be sought against the perpetrators. Yet today, organisations in these sectors face thousands of potentially devastating cyber attacks every day and may not even be able to identify the attackers, including rogue nations lured by the chance to paralyse industries, terrorise the public or engage in clandestine surveillance.
An advanced persistent threat (APT) can lurk undetected within computer networks for extended periods, waiting to strike. Critical infrastructure’s societal importance also makes it a prime target for non-state gangs of cyber criminals using ransomware for extortion. During a period of political unrest, cyber attacks on state facilities or large organisations could also be a tactic of activist groups seeking publicity.
Prominent attacks have hit a diverse range of targets: the U.S.’s largest oil pipeline, a Saudi petrochemical plant, San Francisco’s light-rail system, Japan’s largest port, as well as hospitals around the world. Many other attacks have gone undisclosed by victims for fear of hurting stock prices and public trust.
It’s all too easy to imagine the devastation of a strike on a country’s water supply, pharmaceutical industry or healthcare networks, while research by Lloyd’s and the University of Cambridge estimates a cyber attack on the US power grid could result in damages exceeding $1 trillion.
Attacks on Ukraine’s critical infrastructure show how cyberwarfare is also used in combination with conventional warfare. As Russia commenced its full-scale invasion of Ukraine, power stations were targeted by missile and drone strikes, while cyber attacks on state energy companies also rose by over 3500%. In this new terrain of conflict, combatants may not always be state-sponsored—the growth of ‘hacktivist’ groups has led the International Committee of the Red Cross to suggest new rules of engagement for civilians conducting digital warfare.
That critical infrastructure is increasingly targeted by cyber attacks is not solely due to its crucial role in society but also that it is uniquely vulnerable. Modern critical infrastructure is highly complex, but also often relies on interconnected networks of devices that sense and supervise processes. These devices are part of Operational Technology (OT), distinct from broader IT networks. OT environments require additional protection because hackers can destroy or damage essential physical systems if they are somehow accessed.
As in all industries, cybercriminals seek to exploit vulnerabilities in supply chains—this is not just how goods are transported but all the products, services and code that an organisation sources externally. For instance, if one third-party software provider is compromised, a whole chain of larger organisations may be at risk. This happened in 2020 as part of the US government breach due to the exploitation of software developed by IT infrastructure company SolarWinds.
Stronger Controls for Critical Infrastructure
Governments are now beginning to understand that to prevent events like these, stronger controls are required not only on core organisations themselves but on the entire ecosystem that surrounds them. The 2021 US Executive Order on improving the Nation’s Cybersecurity, the EU’s NIS2 Directive and the UK National Cyber Security Centre’s ‘Cyber Essentials Requirements for IT Infrastructure’ are three of a growing list of regulations worldwide that highlight the many ways resilience can be improved, including the implementation of Zero Trust frameworks which rely on strong authentication.
In Australia, the Essential Eight mitigation strategies and the Security of Critical Infrastructure Act represent some elements of the Government’s response to the growing cyber threats faced by Australian critical infrastructure organisations. In passing the Security of Critical Infrastructure Act 2018 (SOCI Act) and more particularly the subsequent amendments in 2021 and 2022, Australia joins other leading global economies in implementing a regulatory regime to protect its core critical infrastructure assets from cyber attacks.
Legacy MFA methods are insufficient, as proved by high-profile breaches in which they have been bypassed. It’s crucial to adopt modern phishing-resistant MFA, like YubiKeys, which feature both the FIDO2 Passkey and more traditional Smart Card style of authentication to ensure the highest possible protection against account credentials being compromised by remote attackers. These hardware security keys are widely used in both IT and OT environments and require neither battery nor mobile reception, making them ideal for high-security areas.
Organisations worldwide in industries designated as critical infrastructure use YubiKeys to facilitate fast, secure login to online accounts. Strong phishing-resistant authentication is important for all employees because breaches to any business area can cause major disruption. As cyber-attacks on critical infrastructure increase, ensuring users are equipped with the best available tools becomes a matter of national security.
