How to approach critical infrastructure cybersecurity

An Australian expert discusses security strategy.

Australia’s critical infrastructure providers should approach cybersecurity as more than a technology issue, says Malcolm Bailie, Manager Solution Delivery and Projects (APAC) at Nozomi Networks.

Under security reforms proposed by the Australian Government, an expanded list of industries would be required to meet critical infrastructure security obligations.

To do that, they will need security roadmaps that address a broad range of issues, Bailie said. “It’s not just about technology, it’s about people and process as well,” he says.

Bailie discussed such a roadmap during a recent online discussion with IoT Hub and the Australian Energy Market Operator (AEMO) for the 2020 IoT Festival (watch the discussion here).

He pointed out the need to improve visibility of networks and vulnerabilities. “Understand what’s in your network first. Once you have visibility of your network, it will enable you to say ‘where are my vulnerabilities’. Then you apply a risk factor to those vulnerabilities to allow you to prioritise resources and capital funding,” he says.

Bailie also flagged risks created by third party technology providers. For example, in the energy sector “we’ve got other providers now bringing in solar power and other devices connecting back into the mainstream distribution networks and their SCADA systems. How do we ensure that cybersecurity has been applied appropriately to those third party vendors?” Bailie comments.

For instance, third parties might store data offshore or use insecure remote access methods to provide support.

Bailie’s advice also extended to having clear operational technology (OT) and IoT policies, appointing someone to drive a cybersecurity program and sharing knowledge with other organisations, among other steps.

He encouraged infrastructure providers to look at work done overseas to address these issues. “The NIST cybersecurity framework is quite an easy approach to go through. Overlay that with specific control system standards, which is the IEC 62443 set,” he says. “Don’t reinvent the wheel.”

He complimented AEMO for its work with the Australian Energy Sector Cyber Security Framework (AESCSF).

“What AEMO’s done is to highlight the maturity level of organisations. This is going to help critical infrastructure organisations to step change in that incremental approach around their maturity level. Without the AESCSF, the board did not have that full metric around ‘where are we, what’s our status?’” Bailie says.

There is “some way to go” in the use of standards to address these issues in Australia, in the view of AEMO Enterprise Security Architect Dave Bradshaw.

“From a standards perspective, we do need better consultation and that was called out in Australia’s Cybersecurity Strategy 2020 recently – the need for more standards and more discussion and leveraging international work in the area,” Bradshaw says.

Australia needs “a decent baseline of security, and support from all the players in the market to comply to those baseline security requirements. That’s really what a standard is about, that there’s something customers can rely on, that the power system can rely on,” Bradshaw comments.

Bradshaw would like to see the discussion around critical infrastructure security extend to more industries.

“Look at ransomware as a particular threat to our technology system – it takes no prisoners. It doesn’t matter if you are hospital or bank, you are still potentially a target for ransomware. The realisation that critical infrastructure is more than some of the industries that we traditionally think are critical. We are all interconnected, all of our systems are interconnected…. we are only as strong as our weakest link,” he points out.

That point was recognised in the Federal Government’s 2020 consultation paper, Protecting Critical Infrastructure and Systems of National Significance. The paper discusses proposed reforms to security obligations across the banking and finance, communications, data and cloud, defence, education, research and innovation, energy, food and grocery, health, space, transport and water industries and sectors.

Watch this full 2020 IoT Festival discussion here (free registration required).

Article source: https://www.iothub.com.au/news/how-to-approach-critical-infrastructure-cybersecurity-558557