Cybersecurity is important because it safeguards all types of data against theft and damage. Sensitive data, personally identifiable information (PII), protected health information (PHI), personal information, intellectual property, data, and government and industry information systems are all included.
Critical infrastructure can be brought down by cyber attacks. It is no longer an option to sit back and watch as security deteriorates. A major cyber attack crippled a pipeline system carrying nearly half of the fuel used on the east coast of the United States on May 7. The Colonial Pipeline’s five-day shutdown resulted in widespread fuel shortages and panic buying as Virginia, North Carolina, and Florida declared states of emergency.
The attack demonstrates how vulnerable critical infrastructure, such as fuel pipelines, is in an era of increasing cyber security threats. In Australia, we believe the time has come to make serious cyber security measures mandatory for critical infrastructure companies.
It’s time to make cyber security compulsory. Cyber attacks can shut down critical infrastructure. Standing idly by with weak security is no longer an option.
Cyber attacks on critical infrastructure are not a new threat. Following the events of September 11, 2001, research revealed the need to address global security risks by examining issues of vulnerability and critical infrastructure protection. We also proposed systems to ensure the security of critical supply chain infrastructure, such as seaports, as well as practices such as container shipping management.
The rise of “ransomware” attacks, in which attackers seize critical data from an organization’s systems and demand a ransom in exchange for its return, has increased the risk. These attacks have the potential to have unintended consequences.
Evidence suggests that the Colonial shutdown was the result of a data-targeted attack. To prevent the malicious software from spreading, the company appears to have shut down the pipeline network and some other operations. This resulted in a chain reaction of unintended societal consequences and collateral damage. Indeed, the attackers may have been taken aback by the extent of the damage they inflicted, and they now appear to have ceased operations.
As collateral damage, we’ve seen how critical supply chain infrastructure can be severely disrupted. We must consider the potential consequences of a direct attack. The events in the United States also raise an important question: how vulnerable is Australia’s critical supply chain infrastructure?
Critical infrastructure is an attractive target
Many international and domestic supply chains rely on Australian society. These are supported by critical supply chain infrastructure, which is frequently managed by sophisticated and interconnected information and communication systems. As a result, they are appealing targets for cyber attackers.
Cyber risk frameworks are frequently derived from traditional risk management approaches, treating potential cyber attacks as routine conventional risk. These risk management strategies balance the costs of preventing a cyber attack against the costs and likelihood of a breach.
In some industries, the cost of a lost customer base that may never return will be considered. However, critical service providers such as transportation, medical care, electricity, water, and food see little risk of customer loss.
Customers returned to petrol stations as soon as they could after the Colonial incident and continued to purchase fuel. As a result, critical industries may perceive a lower cost from a breach than other industries because their customers will return.
Time for compliance
Under the auspices of the Australian Signals Directorate, the Australian Cyber Security Center (ACSC) coordinates Australia’s national cyber security efforts. The ACSC collaborates with public and private sector organizations to share threat information and best practices for security.
ACSC documents, such as the Essential Eight, provide organizations with guidance on basic security measures. More comprehensive resources, such as the Australian Government Information Security Manual, supplement these. Our research, however, has revealed that best practices are not universally followed, even by the Australian government’s own websites.
The issue is not a lack of knowledge. The ACSC understands and documents security best practices in general. The ACSC also provides specific guidance for critical sectors and industries, such as an energy security framework. The difficulty here is that these are only guidelines. Companies can choose whether or not to follow them.
A cyber security compliance program is what Australia requires. This would imply requiring companies that manage critical infrastructure, such as ports or pipelines, to follow certain rules. A first step might be to demand these companies comply with the existing guidelines, and require certification of a baseline of cyber security.
Lessons from the United States
In response to the Colonial cyber attack, the US government issued an executive order to improve cyber security and federal government networks. The order includes a slew of measures aimed at modernizing standards and improving information sharing and reporting requirements. These are valuable measures, many of which are already within the scope of the ACSC’s existing responsibilities in Australia.
The establishment of an independent Cyber Safety Review Board is another measure included in the US order. Australia could also form a collaboration between government and industry to oversee cyber security. The Civil Aviation Safety Authority already regulates aviation in a similar manner.
This type of organization would conduct thorough analysis and reporting on cyber incidents. It would also share data with IT managers, software and hardware developers, public administrators, crisis managers, and others. Cyber security threats cause a great deal of uncertainty in both the public and private sectors. Attacks that disrupt critical supply chain infrastructure have far-reaching consequences for society and commerce.
A cyber security compliance program may be costly financially, but the societal impact of a successful cyber attack makes it a worthwhile investment.