The Australian Department of Home Affairs (DHA) has continued its detailed consultation process discussing the main OT/IoT security collaboration initiatives between government and entities in relation to protecting Australian critical infrastructure.
The consultation paper outlines the need for stronger approaches to communication and clear roles and responsibilities for stakeholders. It also sets out a framework based on firm principles and requirements. The approach is a significant step in the right direction, however, there are still great security challenges ahead for critical infrastructure industries.
This article focuses specifically on Operational Technology (OT) and Industrial Control Systems (ICS) cybersecurity within the following sectors.
- Energy
- Food and grocery
- Health
- Transport
- Water
We have chosen to focus on these sectors based on our experience working as trusted advisors in offensive security. In general, there is a disproportionately low level of cybersecurity maturity in relation to existing OT and ICS networks and OT/ICS cybersecurity skills. Enormous pressure remains to find solutions to close these gaps.
At the core of the proposed initiatives are Positive Security Obligation (PSO), enhanced cybersecurity obligations and government assistance (intervention) in response to cyberattacks. While it sounds great on paper, there are a number of key challenges that will need careful attention during implementation:
- Addressing cybersecurity risk management in OT networks
- Threat intelligence sharing: a game of catch-up for OT/ICS
- Sector-based cybersecurity maturity frameworks
- Third-party risks: OT/ICS automation vendors and vulnerability management
- OT/ICS cybersecurity professionals: the true skill shortage
Addressing Cybersecurity Risk Management in OT Networks
Entities will have a responsibility to take an all-hazards approach when identifying and understanding risks.
Industrial organisations understand risk management. They have learned from a long history of industrial incidents and operate industrial processes with high levels of safety and efficiency on a daily basis. However, cybersecurity risk management is relatively new in this space and should be treated as such.
To date, OT/ICS cybersecurity capabilities and budgets have been scarce. Because it’s been considered a ‘proportionate investment’ used to effectively manage cybersecurity risks while being sustainable and profitable, it is often unclear and left to site managers or network administrators.
As an example, we’ve been tasked to conduct risk assessments or penetration testing on OT/ICS environments only to be restricted to conducting nothing more than a basic port scan or high-level qualitative assessment. While it’s understandable that an organization might not want to conduct a penetration test within a live OT environment due to safety and availability concerns, other alternatives can be considered, such as passive discovery and monitoring.
Not only this, but the aforementioned industries lack the appropriate methodologies for quantifying risk metrics such as ALE (Annual Loss Expectancy) or SLE (Single Loss Expectancy) for cybersecurity incidents. This means that, like many operating in OT/ICS, they don’t have existing or reliable data to assess cyber risk. These metrics are a valuable part of the cybersecurity framework. They ensure that reliable data is used to make risk-mitigation investment decisions and to apply effective strategies.
Threat Intelligence Sharing – A Game of Catch-up for OT/ICS
Government should use its unique position and resources to share aggregated threat information. This requires work with critical infrastructure entities at all maturity levels to build their capability, and empower entities to appropriately protect themselves when faced with a serious threat.
Currently, Australian OT/ICS cybersecurity professionals primarily rely on the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA provides actionable intelligence, such as advisories, vulnerabilities and reports on threat actors. Vendors who specialize in this space also contribute with their research.
Contributing to our reliance on U.S. intelligence is the fact that there are still limited OT/ICS resources in the Australian Cyber Security Centre (ACSC), unlike IT, which is supported by many resources. Another example of disproportionate intelligence support is the Malicious URL Feed within AusCERT, which provides community members intel to defend their assets from IT threats. A comparative feed is not available, or limited, when it comes to OT/ICS.
Looking forward, the Australian Government will continue mobilizing its agencies and alliances to monitor the global threat landscape, but more important is creating a collaborative threat-sharing community between operators, vendors, researchers and themselves. There are no guarantees and a range of priorities being considered in the government’s wider cyber policies and strategy. Thus, our recommendation for entities operating in these verticals is to take ownership of their cybersecurity threat landscape. Don’t fall into a false sense of security and rely purely on government support.
Consider this unlikely scenario: the Australian Government, OT/ICS cybersecurity and/or the intelligence sharing community is aware of an attack campaign targeting water plants. There is strong intelligence, such as indicators of compromise, that exposes threat actors’ specific intentions to exploit an OT automation vendor vulnerability. One of the biggest challenges here is the lack of simple visibility of devices running within OT networks, not to mention cybersecurity detection and response capabilities. Realistically, how many of these entities would be able to effectively use this intelligence?
Sector-based Cybersecurity Maturity Frameworks
A few entities will have a mature capability allowing them to voluntarily provide the government with the data required and receive actionable, aggregated information in return. Some entities will be at the other end of the maturity spectrum and may need to build their own capability first.
The one-size-does-not-fit-all theme is emphasized throughout the paper, which is hugely important because the industries that sit within critical infrastructure are substantially different to each other.
With exception to power, there aren’t many industry-specific cybersecurity frameworks in place in Australia. The Australian Energy Market Operator (AEMO) has been educating and promoting self-assessments for operators and enabling collaboration and intelligence sharing. We recommend looking at the Australian Energy Sector Cyber Security Framework (AESCSF), which aligns with NIST CSF, and encourages the development of a similar approach. This should include a cyber-maturity scale which allows entities operating in food and grocery, transport and water to better understand their current state.
It’s worth noting that the OT/ICS community has recently embraced the published MITRE ATT&CK framework for ICS. Let’s continue the trend!
Third-party Risks: OT/ICS Automation Vendors and Vulnerability Management
Government heard that Australia’s critical systems are facing a worsening threat environment and the nation needs to address vulnerabilities in supply chain security, control systems and operational technology.
It’s common in initial conversations with operators to discuss vulnerability discovery and patching for OT networks as a key business requirement. This reflects a traditional IT approach, and suggests a lack of understanding of OT environments.
Organizations operating in these industries can achieve better initial risk reduction with other approaches that are more suitable and viable for their environments such as network and operational visibility. It has less impact on operations while being cost-effective.
Creating an OT patch management program has its own challenges. These include slower patch evolution, deployment in segregated remote environments, abandoned and unmaintained software and hardware, and a lack of vulnerability disclosures, patch reliability and uptime requirements.1
IT’s vulnerability identification and disclosure programs, which have been crowdsourced through bug bounty programs, have iteratively improved the security posture of their key products. This process has matured over time. From notifying the vendor to a patch release, it can take a matter of weeks or a few months, but the same can’t be said for the OT vendor landscape that currently has longer timeframes.
OT/ICS Cybersecurity Professionals: The True Skill Shortage
A key element missing from the paper is skills shortages – this is already an issue in IT cybersecurity, but it’s particularly prevalent in the area of OT.
CISOs and security operation centers (SOCs) are commonly found for IT, but not in OT/ICS networks. Leveraging this paper and its wider cyber initiatives, the government can provide education on the importance of training employees, creating roles, and suggesting priority actions.
OT-specific cybersecurity training courses are available from $5,000-to-$10,000, which the government can easily facilitate or subsidize to enable greater access to professionals.
The ACSC2 currently has limited resources to help uplift cybersecurity maturity within critical infrastructure industries. An investment creating new resources for these industries will help compliance, build awareness and serve as a starting point to bridge the skills gap. It will also drive private sector industries to invest in developing adequately skilled people for these unique roles.
In the last 2.5 years we have worked exclusively with industrial organisations in Australia. Hundreds of deployments and proof of concepts later, we have seen many OT/ICS networks in which assets, communications and network topology are unknown, as well as a lack of business ownership. We’ve also seen many instances in which OT/ICS professionals know the network and its behaviour in detail. These professionals are great candidates for increasing their cybersecurity skillsets.
Collaboration is Key to OT/IoT Cybersecurity
It’s more important than ever for both public and private sectors to work together towards a common goal to should ensure that we not only bridge the gap in protecting critical infrastructure and our sovereignty, but that we continue to innovate, achieve greater operational reliability and evolve cybersecurity capabilities.
We believe the Australian Government is taking the right direction by creating regulation and investing in cybersecurity capabilities. However, we’ve outlined key considerations and challenges around the current state of critical infrastructure, which should not be taken lightly.
This is simply a starting point. Now, we invite the government to dive deeper into understanding the different critical infrastructure sectors and ensuring they understand the challenges we need to overcome. If you’d like to know more about how we’re collaborating to create innovative cybersecurity solutions, please contact us.
A version of this blog originally appeared in Intelligent CIO APAC. It references a report titled ‘Protecting Critical Infrastructure and Systems of National Significance’ and we recommend you read the full report. However, if you don’t wish to read it in full, you can find a three-slide summary here.
References
- “Recommended Practice for Patch Management of Control Systems,” U.S. Department of Homeland Security, December, 2008.
- “Critical Infrastructure,” Australian Cyber Security Center.