Easy Fail – Australian critical infrastructure; The Easy Fail in critical infrastructure should have all of us worried right now, whether it is the water being turned off, the traffic lighting systems that we all rely on to get around the cities we live in or much worse, the Electricity that we used to power our homes and provide us warmth and comfort (who am I kidding here, internet access and powered on devices are the only thing I care about) – there is a huge problem waiting around the corner for all of us.
Attackers are targeting critical infrastructure
State base attackers are already on payroll to target different nations critical utilities at all times (8:30-5pm weekdays), Australia has had two in 2021 that were known about with Queensland Energy and a water utility being targeted by foreign governments.
The United States also had their own with the Colonial Pipeline shutdown, this had major ramifications across the nation for something that I certainly am not thinking about on a daily basis, how services get to be is outside of my interest “portal” until it affects me or my family and friends personally.
And this is the problem, few people are thinking about the criticality of our utilities except those people managing the respective supply, and the occasional enlightened one of us who wonders what our critical infrastructure companies are doing to protect supply of their “product”, for me that is extremely occasional.
Last week, two Dutch researchers showed just how easy it is to target our critical infrastructure systems, the hacking championship called Pwn2Own is an annual event first run in 2007 where researchers, hackers, industry professionals from around the globe get together and break stuff.
The winners of this years event had previously hacked “brand new” iPhones so they are not new to the business of hacks but their quotes below really made me sit up in terror recalling the outage I had of 7 days when the NBN accidentally cut off our internet could return!.
“In industrial control systems, there is still so much low-hanging fruit,”. “The security is lagging behind badly.”Keuper
“This is definitely an easier environment to operate in,”Alkemade
The cries of despair from my partner and children was even worse than the service outage, of course I joke about my situation but there is reality in there somewhere, being disconnected from services that we rely on can be very troubling.
The serious side of this is that there are people in our neighbourhoods who rely on electricity for life (medical equipment), it is not good enough that our nations critical systems are not secure.
It is no secret…
… that our utilities are managed on a shoe string budget and that the Industrial control system (ICS) that manage the switching and other critical systems are very old and not regularly updated on the software side, very likely they can not be updated on the software side due to aging hardware technology powering them.
It is time for the government to stand up and spend to improve the security of the assets that they provide to citizens and businesses as outages can go from mildly inconvenient to to business stopping to life ending (in the case of medical equipment or freezing).
What needs to be done
In the case where the industrial control systems are behind an air gap, there is a level of security already in place. This is a great first step and will prevent less persistent attackers, except for the Stuxnet style attack which is a serious risk still today.
I have always maintained that critical infrastructure and utilities that power/feed/water/supply our nations must be more secure than any other organisation, I believe this because attacks against critical infrastructure will be targeted and they will continue to be probed looking for a vulnerability until an attacker can get in and gain persistence with the ultimate goal of disrupting services to a large number of people, nothing turns us against our government like a major supply outage and state based actors know this, as do L33T hackers looking for notoriety.
Most cyber attacks are accidental in that 1000 phishing emails get sent out with the hope that 10 people will click on them, with critical Infrastructure systems – they are always being probed for weaknesses from many different angles.
Applying the ASD Essential 8
Utilities are a case where the full ACSC mitigations must be seriously considered for the safety of the entire nation.
The Australian Signals Directorate Essential 8 mitigations would protect critical infrastructure providers from a cyber breach, some aspects of the Essential 8 such as Multi-factor Authentication and patching applications and operating systems might be difficult but applying as many of the controls as possible would prevent most attacks from gain access to the network in the first instance.
I created this spreadsheet to help MSPs and partners with their cyber resilience programs please reach out if you would like any additional assistance with using it for your clients by contacting me here.