• Skip to primary navigation
  • Skip to main content
  • Skip to footer
Logo of Agilient Security Consultants, Australia

Agilient Security Consultants Australia

Cybersecurity & Risk Management Specialists

Menu
  • Home
  • Industries
      • Aviation
      • Defence & Defence Industry
      • Government
      • Health & Hospitals
      • Corrections and Detention
      • Maritime
      • Aged Care Facilities
      • Mining, Oil & Gas
      • Public Venues & Events
      • Rail
      • Research and Education Industry
      • Telecommunications
      • Utilities
    • advice-colleagues-communication-newIndustries
  • Services
      • Cybersecurity
      • Protective Security
      • Business Resilience
      • Building Security Consultants
      • Security Audits
      • Pandemic Planning
      • Electronic Security
      • IT Disaster Recovery Plan
      • Security Consultants
      • CCTV and Security Cameras
      • Duress Alarms
      • Security Risk Assessment Consultants
      • Managed Security Service Provider
      • Protection against Vehicles as a Weapon
    • training-1Services
  • Solutions
    • banner-menuUnisys Solutions
    • CTO-Blog-110619-Header-GraphicLookingGlass Solutions
    • menu-bg-2Dell Technologies (RSA) Solutions
    • Sightline-Visualization-menuSightline Solutions
  • Resources
    • menumanagers-dealing-customer-agreTraining
    • working-together-newJoin The Tribe
    • Webinars_3-1.jpgUpcoming and Past Events
    • hacking-detected-shutterstock_newResources
  • Articles
  • About
    • About Us
      We are an Australian owned and operated security company specialising in risk, cybersecurity, protective security, crisis and business continuity management services.
    • frequently-asked-questions-smallFAQ’s
    • bg-menu-government-institutionsConsultant Registration
  • Contact Us
Contact Us

Protecting Critical Infrastructure From Cyber Threats

You are here: Home / Security News / Protecting Critical Infrastructure From Cyber Threats

Last Friday, Prime Minister Morrison announced that a sophisticated state-based cyber actor is targeting Australian critical infrastructure providers, government agencies, the health and education sector, and industry organisations, resulting in an increase in cyber threats.

Against this backdrop, it is worth highlighting the 2019 policy brief, “Protecting critical national infrastructure in an era of IT and OT convergence” by Rajiv Shah for the Australian Strategic Policy Institute (ASPI) International Cyber Policy Centre. IoT

The Problem

Shah comments that the increasing convergence between the digital (IT) and physical worlds (OT) has created the “internet of things” (IoT), resulting in many benefits, but also new cyber risks.

A cyber-attack on OT systems may have a significant impact on entire communities, and insecure OT systems may provide hackers with easy access to otherwise well-secured IT systems.

In addition, the level of maturity and understanding of the specific risks to OT systems lags behind that of IT systems, which is exacerbated by an OT security skills shortage. There are relatively fewer available commercial solutions, and boards lack specialist knowledge and experience in relation to asking pertinent questions of their CEOs and/or CISOs.

The Study

Shah examined the understanding and management of the risks of IT–OT convergence in critical national infrastructure, particularly the telecommunications, energy, water and transport sectors, which are all critical to Australian security and the focus of government legislation.

The study explored approaches to IT–OT convergence, the level of understanding of the risks and approaches to managing the risks.

Challenges of OT Cybersecurity

Historically, OT systems were physically isolated, and cybersecurity was not prioritised until the recent convergence trend propelled it up the agenda.

There are different risk metrics with OT systems (e.g. unlike an IT security attack, a successful OT attack can cause major physical damage and/or loss of life), which is likely to affect an organisation’s risk appetite.

In contrast to IT security, OT systems availability of service is often more important than confidentiality e.g. shutting down a system to stop an attack might not be an option for an OT system, or applying updates to fix known vulnerabilities may not always be feasible.

Integrity may also be more important, in light of the potential safety‑critical impact of changes to data in OT systems. Examples include:

  • The operational lifetime of OT systems is typically much longer than that of IT systems;
  • Systems may not be built to withstand modern threats, and support and security patches might not be available;
  • Firewall design and security monitoring tools are based on characteristic indicators of IT attacks, thereby potentially allowing undetected OT attacks to pass through.

Conclusions and Recommendations

Shah’s three key recommendations are:

  • Boards of critical infrastructure providers should explicitly set their tolerance to OT cyber threats and monitor their organisation’s performance against it. This may require a combination of regulatory mandate and enforcement through recommended standards and approaches tailored to each sector.
  • Prioritisation of resources to ensure that the relevant organisations are able to implement all of the required actions at the required pace;
  • Better education and information are needed to improve the understanding and management of risks, from both business and technical perspectives. Key areas for action include:
  • Awareness and training- although the supply of specialist skills is low, boards can be enabled to be curious to ask the right questions, understand and measure the risks, and build an appropriate risk culture;
  • Increase the availability of specialist courses;
  • Improve threat information sharing by various government agencies, and provide leadership and ownership of this responsibility for the critical infrastructure sector;
  • Technical information sharing – the maturity of commercial solutions, specifically to address OT security requirements, should be reviewed and gaps identified to assist in accelerating development of the required capabilities.

Without security being at the core of IT and OT convergence, malicious cyber threats will remain a constant risk. Agilient’s expert security consultants are readily available to assist executive teams and boards of critical infrastructure providers in ensuring that appropriate enterprise-wide risk management programs are in place.

Author: Phillipa Lee, Agilient Consultant

Tweet
Share

General,  Security News ASPI,  cyber attack,  cyber threat,  cyber-risk,  cybersecurity,  government,  industry security,  IoT,  IT,  IT systems,  OT

Looking for a security partner? Get in touch with Agilient.

Looking for practical and cost-effective security and risk solutions for your government department, agency or company? Speak with Australia’s leading senior security, risk and resilience experts.


Looking for a pandemic planning partner? Get in touch with Agilient.

Looking for practical and cost-effective risk management solutions for your government department, agency or company? Speak with Australia’s leading senior risk and emergency management experts.



Footer

Agilient is a proud member of

Ai Group Defence Council
Australian Industry & Defence Network
Australian Security Industry Association
Sydney Aerospace & Defence Interest Group

Company and Licensing Details:

ABN: 37 157 911 441
NSW Security Master Licence # 410783087
ACT Security Master Licence # 17502184
Vic Security Registration # 878-460-40S
Qld Security Firm Licence # 3834422

Join The Tribe

Sign up to receive our regular Agilient newsletter including the latest security, risk and resilience updates

Sign up now

Copyright © 2022 Agilient – Level 14, 275 Alfred St, North Sydney NSW 2060 Australia – 1300 341 692