Last year, the New Zealand Stock Exchange came to a standstill as cyber-attackers carried out a series of distributed denial of service (DDoS) attacks.
Overwhelming servers with a flood of traffic, the attackers halted the site’s main board, debt and Fonterra shareholder markets. Aftershocks were felt around the country, with trading effectively frozen for four days straight.
It is believed the perpetrator targeted a platform that it had deemed “ill-prepared” for cyber invasion.
Trading platforms, utilities, and logistics, are still not widely recognised as being ‘critical infrastructure’ – a status that is often linked to greater levels of cyber security investment and funding.
This is despite the operational sustainment of such platforms being vital for the national economy.
“Cyber investment at both the private and public sector level has historically been skewed towards more traditional definitions of ‘critical infrastructure’, like military and Financial Services,”
said Deloitte Financial Advisory Partner, Theo Psychogios.
“These days, thankfully, governments are taking a larger-scale view of what a critical infrastructure asset is, with datacentres, food suppliers, ATMs and power stations now all falling under the definition.“
However, the same cannot be said for the private sector, in which many organisations are still unaware of the knock-on effects that will be felt, nationwide, in the event their own enterprise operations are disrupted by a malicious attack.”
According to Deloitte Risk Advisory Partner, Ian Blatchford, cybercriminals worldwide are exploiting this ‘perception gap’ by targeting industries that have lagged in their cyber investment.
“A utilities firm may not recognise its company is a critical infrastructure asset, but cybercriminals do. As a result, the company will under-invest in cyber defence and the cybercriminal will go after it as an ‘easy picking’,” he warned.
On the surface, cyberattacks might seem targeted at a specific organisation, but there is often a greater game of chess taking place behind the scenes, whether that be cyber criminals or nation states.
“Attacks aren’t just a random grab for data, they are often a strategic form of market and economic manipulation,” Blatchford continued.
“As an example, if multiple wind farms are taken off the grid by a malicious actor, we could see fluctuations in electricity prices and potentially a significant domino effect, economy wide. Likewise, if hyper-scale datacentres are taken out (beyond the capacity of their backup generators), then enterprises could land in hot deep water, with flow-on effects for their ecosystem.”
To directly counter this growing threat, the Department of Home Affairs recently released draft legislation that aims to increase the resiliency of critical infrastructure and systems of national significance, as well as the long awaited Australian Cyber Security Strategy 2020. This renewed attention comes at a good time. These documents set out fundamental cyber security improvement areas for the services that make up our national critical infrastructure, as well as other supporting industries.
Additionally, the experts say it is up to industry to take initiative: waking up to their own critical infrastructure status, understanding the associated obligations, and being ready to act quickly in the event of a malicious attack.
“It’s really important that companies take responsibility here. To give an analogy, it’s like wearing a mask during COVID-19. It’s not just our own health at stake, it’s the health of everybody around us. If we don’t take action to protect ourselves, then we risk contaminating a much larger eco system,”
While many firms do have passable cyber security policies in place, Psychogios believes most of these strategies are not “critical infrastructure-grade”.
“I say this as an observation, not a criticism, but many critical infrastructure organisations may not have the internal skills to take this on and truly comprehend what it means. Many will need to upskill their workforces and dial up their risk intelligence,”
Equally, Blatchford added, it’s important that companies don’t treat cyber defence as a compliance-based exercise but focus on delivering business benefits through the investment.
“It should become the bread and butter of business operations. As soon as it becomes a compliance-based exercise, companies will just see the cost, and none of the benefits. It will then become a least-cost approach and won’t be resilient enough,”
Aside from the high cost of inaction, proactive efforts by companies to better protect themselves as critical infrastructure asset, will also create commercial opportunities, said Psychogios.
“This is particularly relevant for industries like energy who have been limited, due to regulated pricing rules, from investing in digital and new technologies beyond the meter,” he said.
“The pending extension of distribution network obligations beyond the meter presents opportunities for investments in new technologies that enable real time monitoring and control and infrastructure that support distributed storage and charging solutions.”
Deloitte APAC Lead Partner Infrastructure and Capital Projects, Luke Houghton, said getting a grip on this issue is more important now than ever before.
“In a COVID and post-COVID world, we are quite fragile as a society, and sensitive to any form of disruption to our critical infrastructure,” he said.
“Moreover, infrastructure is to play a pivotal role in the pandemic recovery, acting as a major stimulus for the economy. It’s important we get this right.
“To this end, companies should be asking themselves, ‘are our infrastructure systems, networks and assets set-up to ensure the ongoing security of our nation, economy, and public health and safety’?
“Additionally, ‘how do we reduce the costs and impact of natural disasters and lead to a safer and more resilient Australia?’” he concluded.
Learn more about our perspective on Infrastructure.
This article is originally published by Informa for the AFR Infrastructure Summit.