Is the Government being a tad overprotective of our critical infrastructure?

In our previous critical infrastructure blog, we discussed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 – aka the SLACIP Act, whether it applies to you, and if yes, what you need to know.

But backing up a bit – why exactly did this act come about? What’s changed in the last few years, and has our Government overreacted?

Worrying trends

Let’s look at the ASD (Australian Signals Directorate) Cyber Threat Report 2022-2023 to get some local perspective.

In its report, ASD says upfront: “…Australian governments, critical infrastructure, businesses and households continue to be the target of malicious cyber actors…This threat extends beyond cyber espionage campaigns to disruptive activities against Australia’s essential services.”

Key trends identified by ASD in FY 2022-23 (as relating to critical infrastructure) include:

  1. State actors focused on critical infrastructure – data theft and business disruption. Here, ASD reports that, as part of their ongoing information-gathering campaigns or disruption activities, state cyber actors have targeted government and critical infrastructure networks globally. (A state actor is a private actor or entity who contracts to a state government.) Cyber operations, says ASD, are “increasingly the preferred vector for state actors to conduct espionage and foreign interference.” In recognition of this, ASD joined international partners in 2022-23 to call out Russia’s Federal Security Service’s use of ‘Snake’ malware for cyber espionage. It also highlighted the actions of a People’s Republic of China state-sponsored cyber actor that used ‘living-off-the-land’ (LOTL) techniques to compromise critical infrastructure organisations. A LOTL attack uses legitimate and trusted system tools to carry out its activity and to evade detection. State actors often possess advanced capabilities and, due to the nature of their backers, have significant resources at their disposal.
  2. Australian critical infrastructure was targeted via increasingly interconnected systems. ASD reports that ‘operational technology connected to the internet and into corporate networks provided opportunities for malicious cyber actors to attack these systems.’

Stats and facts

Over the 2020–21 financial year, ACSC (the Australian Cyber Security Centre) received over 67,500 cybercrime reports. This was an increase of nearly 13% over the previous year. The self-reported losses totalled $33 billion. Of these reported incidents, ACSC estimated that approximately 25% were associated with Australia’s critical infrastructure or essential services.

During the 2022-23 period, ASD notified seven critical infrastructure entities of suspicious cyber activity (it was five the previous year).

Over that time, ASD responded to 143 incidents that were directly reported by entities that self-identified as critical infrastructure (the previous year saw 95 incidents reported). Luckily, nearly all these incidents were low-level malicious attacks or isolated compromises.

57% of the incidents affecting critical infrastructure involved compromised accounts, credentials, assets, networks or infrastructure, or DoS attacks. Other ‘popular’ attacks included data breaches and malware infection.

So, why do bad actors attack?

There’s no one reason for attacking critical infrastructure.

The sensitive information they hold, the high levels of connectivity with other organisations and critical infrastructure sectors, and the essential services they provide are alluring targets for those keen to disrupt life as usual, profit from insider knowledge, or wreak revenge for perceived political slights.

From hospitals losing access to client records, as happened in France in 2022, where the health system reportedly sustained a number of cyber incidents resulting in cancelled operations and shut-down hospital systems, to the widespread fallout from a 2023 attack on Denmark’s energy infrastructure – the impacts are significant.

The reality is that it only takes one successful attack to cripple regions, economies, and communities – and it takes a huge amount of work (and can involve significant human distress) to recover the status quo.

Why is critical infrastructure such a good target?

Critical infrastructure networks are known for their interconnected nature. This, along with the third parties in their ICT supply chain, broadens the attack surface for many entities. Weak points include remote access and management solutions, which are becoming prevalent in critical infrastructure networks.

Operational technology (OT) and connected systems are also a dangling carrot for bad actors. Attackers can target OT to access corporate networks – and the other way around. This allows them to move laterally through systems to reach their target destination. Even if an attack isn’t aimed directly at OT, an attack on connected corporate networks can still disrupt operations.

And, of course, any internet-facing system where the hardware or software isn’t updated with the latest security patches is vulnerable to exploitation, as are ICT supply chains and managed service providers.

Is the Government overreacting?

We’d say not.

In justifying the need for further reforms to more tightly regulate Australia’s critical infrastructure, the Government stated in 2022 that ‘Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government’.

At the time, the Prime Minister warned that cyberattacks were a ‘present threat’ and acknowledged they were a ‘likely response from Russia’ following the Government’s decision to impose sanctions in response to Russia’s recent aggression against Ukraine.

In its overview of the 2022 SLACIP bill, the Government also noted that the Parliamentary Joint Committee on Intelligence and Security (PJCIS) had ‘received compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate’.

To be forewarned but not forearmed is a shortsighted strategy. We’re pleased to say that introducing SLACIP to protect our critical infrastructure shows that the Australian Government has paid close attention to ensuring we can protect what makes the world down under go around.


© 2021 Global Storage. All rights reserved.
