6 minute read
Critical Infrastructure in this New Epoch?
Anjali Nadaradjane
Central to the survival of Australia’s economy is a robust system of critical infrastructure. Critical infrastructure shapes Australia’s economy, prosperity and quality of life, and may encompass supply chains, information technologies and communication networks. If destroyed, degraded or rendered unavailable for an extended period, it would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.
Advertisement
Critical infrastructure can be government-owned such as dams, privately owned such as airports, community-owned like irrigation systems or involve public-private partnerships such as electricity distribution networks. Critical infrastructure networks are key to our functioning economy. For example, bringing food from the paddock to the plate demands the coordination of a complex web of producers, processors, manufacturers, distributors and retailers with the infrastructure supporting them.
The significance of critical infrastructure is evidently vital for a vibrant, prosperous country. Unfortunately, critical infrastructure needs can be weakened or destroyed by unprecedented or large-scale events including natural disasters, equipment failure, crime and more recently the effects of Covid-19, a global health pandemic. These events have the capacity to disrupt our most essential services which are provided by assets, networks and supply chains. This has major flow-on effects to our businesses, governments and communities. Furthermore, the proliferation of cyberattacks compromise Australia’s national security and debilitate key critical infrastructure sectors. The interdependence of many of sectors such as telecommunications and electricity
means that a blow to one critical infrastructure sector could cause cascading second-order effects on other sectors, leading to a large-scale catastrophe that spirals out of control.
The disastrous impacts of Covid-19 on our economy demonstrates that Australia needs a resilience-based approach to critical infrastructure. Australia needs to be able to effectively adapt to change, lessen our exposures to risk and learn from situations when they arise. Resilience can take many forms. It can involve coordinated planning across sectors and networks, responsive, flexible and timely recovery measures, and the development of an organisational culture that has the ability to provide a minimum level of service during interruptions, emergencies and disasters, and return to full operations quickly.
The interdependency of critical infrastructure networks and the Australian economy’s reliance on countries such as China is perilous. Covid-19 has shown that substantial economic pain can be inflicted as a result of a critical infrastructure interdependency. From Australia’s fisheries, iron ore and Liquified Natural Gas (‘LNG’) markets to the higher education and tourism sector, Covid-19 has caused these areas to crumble. It clearly indicates that failure or disruption in one sector can lead to disruptions in other sectors. For instance, owners and operators of water infrastructure rely on electricity for pumping and telecommunications for monitoring operations. Similarly, the communications industry needs electricity to run their networks, and the electricity industry needs telemetry services to run their operations and participate in the electricity market. The transportation sector depends on the provision of electricity by the energy sector to power trains and traffic control systems, just as the energy sector relies on the timely delivery of fuel and other inputs through the transportation sector. The lack of understanding about the interdependencies between the electricity sector and others means that the risk of ‘catastrophic macroeconomic failure’ in the event of a cyber-attack is not adequately known.
The cyberspace is another key area where critical infrastructure has become interdependent. The advent of the internet has made critical infrastructure far more complex, interdependent and as a consequence fragile. Previous cyberattacks have shown that Australia has become complacent in our reliance on critical infrastructure. Cyberwarfare has severely impacted the physical world and Australia still appears to be only dimly cognisant of the grave risks posed by the interdependencies between critical infrastructure sectors in this regard.
Cyberattacks on critical infrastructure have become a pre-eminent concern for national security. Cyberattacks on critical infrastructure are capable of inflicting real-world damage. The frequency and severity of such incidents will likely only increase. In Australia, massive malware attacks have debilitated some of Australia’s major companies and services. Cyber incidents have affected government agency ServiceNSW, steel maker BlueScope, the financial services company, MyBudget. Cyber criminals have exploited the pandemic and there has been a noticeable rise in COVID-19-related phishing scams. For example, in 2015, Ukraine was the subject of a shocking cyberattack that managed to disable a portion of the nation’s electrical grid. The attack, widely believed to have been carried out by Russia,
intentionally caused widespread blackouts for hundreds of thousands of people. Similarly, in Denmark, the headquarters of Maersk, responsible for around one-fifth of the world’s shipping, was brought to a standstill by the NotPetya malware, causing transportation disruptions at port facilities worldwide.
Sophisticated actors can insinuate themselves into vital control systems and remain dormant and undetected for long periods of time before the right moment to strike presents itself.
Some countries have been taking swifter action than others. For example, the United States has moved toward a more aggressive posture to defend its critical infrastructure systems against cyberattacks. The US government’s most recent cyber strategy details a growing emphasis on offensive cyber operations by certain branches of the US government. The US has also not ruled out responding to major cyberattacks on critical infrastructure through conventional forces. Australia should be following the US example.
There’s a shortage of people with Operational Technology security skills, commercial solutions are less readily available, and boards lack specialist knowledge and experience. Many organisations across key sectors like telecommunications, energy, water and transport continue to feel only partially prepared or underprepared to respond to a cyber incident. Part of this is better understanding the convergence of operational technology (‘OT’) systems that were traditionally kept separate with organisations’ information technology (‘IT’) systems.
Boards of critical infrastructure providers need to explicitly set their Operational Technology cyber risk tolerance and monitor their organisation’s performance against it. The Critical Infrastructure Centre within Australia is best placed to coordinate and drive this across Australia to ensure a common best-practice approach. Furthermore, better education and information are needed at all levels. This includes general awareness and training, specialist courses at TAFE and other institutions, improved threat information sharing, and technical information sharing. The Australian Cyber Security Centre could lead this activity, aligned with its existing programs of work. Moreover, resources need to be prioritised. The longer that action is delayed, the more of a head start malicious actors will have, the more convergence will have taken place without security being at the core, and the greater will be the threat.
Evidently, there are deep concerns that critical infrastructure is more vulnerable than ever. Beyond espionage, sabotage and coercion, concerns about critical infrastructure include exposure to terrorist attack, disruption by disasters, rising awareness of the interdependent nature of urban infrastructure, and changes in ownership and responsibility for infrastructure assets. If Australian fails to strengthen its currently deficient cyber security system, Australia’s national security and economy is significantly at risk. Strong action is therefore needed to secure Australia’s critical infrastructure.
