Rethinking the security of our critical infrastructure
24 Jan 2018

Many people believe that the internet of things (IoT) is aimed simply at supplying consumers with connected household devices. However, data from Intel shows that over 75% of devices are used in manufacturing, retail and healthcare. In short, the ‘vast majority of IoT devices today are used by businesses, not consumers’.

The introduction of industrial internet of things technology offers businesses many benefits, like production-line tracking and remote worksite management. But it also increases the attack surface for malicious actors. I wrote last year in The Strategist about the scary nature of the IoT and the difficulty in developing IoT security standards. Those issues pale in comparison to the havoc that could be caused by industry-level security breaches.

Major attacks on critical infrastructure have already occurred in Ukraine and Germany. In 2010, information about the now infamous Stuxnet virus came to light, detailing how it had been designed to ruin hundreds of centrifuges used in Iran’s uranium enrichment program. It was the first time a digital weapon was intentionally used by a nation-state to physically damage an adversary’s industrial control system.

The US Department of Homeland Security has identified 16 sectors that it considers to be vital components of critical infrastructure, including such things as ‘commercial facilities’—shopping and convention centres, office and apartment buildings, and other sites where large numbers of people gather—emergency and financial services, and information technology. In May 2017, President Donald Trump issued an executive order to further strengthen the cyber security of the nation’s critical infrastructure.

In Australia, our view of critical infrastructure is generally confined to physical systems that enable telecommunication, water and energy services to operate unimpeded. We need to rethink our approach. Our outdated, horizontal understanding of critical infrastructure downplays the co-dependent relationships between sectors. American cybersecurity expert Melissa Hathaway proposes switching the focus to critical services. Using that approach, energy and the internet (or telecommunications as a whole) would sit atop a hierarchy of other services that rely on the first two to operate.

In both the US and Australia, a majority of critical infrastructure is privately owned, making common standards difficult to enforce. In addition, many industrial control systems were constructed in the mid- to late 20th century, when the internet was fresh and cybersecurity wasn’t a major concern. Adapting or replacing legacy systems and protocols presents a serious challenge, which has often been used as an excuse to continue to use outdated and unsafe technology.

A campaign against the use of smart meters was launched in Australia in 2013 after a study from the University of Canberra revealed privacy and safety vulnerabilities in similar devices used overseas. Some smart meters collect personal information that could reveal when users are away from home, and even disclose how often appliances are used. Such devices could also prove dangerous for utility providers. Several years ago, hackers cost the Puerto Rican power company as much as $400 million by compromising smart meters.

So what damage could a cyberattack on Australia’s critical infrastructure inflict? Well, we already know. South Australia’s 2016 statewide blackout had effects similar to a cyberattack. A once-in-50-year storm disrupted crucial services such as energy, telecommunications, finance, transport and the internet. Nearly two million people lost power. Trains and trams stopped working, as did many traffic lights, creating gridlocks on flooded roads. An unknown number of embryos died at a fertility clinic in Flinders Hospital when a backup generator failed. The average financial loss to businesses was $5,000, with total losses of $367 million. The incident highlighted the danger of cascading failures in interconnected critical infrastructure.

Disrupting utilities that power an entire city could cause more damage than traditional terror tactics such as bombings, and can be performed externally with more anonymity. Again, severe storms provide an example: a loss of power can cause more deaths than the physical destruction itself. When Hurricane Irma damaged a transformer, for example, and the air conditioning failed, 12 residents at a Florida nursing home died of suspected heat-related causes.

The risks associated with industrial control systems don’t only affect human safety; they threaten the environment as well. In Australia’s first case of industrial hacking in 2000, Vitek Boden compromised the Maroochy Shire Council water system, sending a million litres of sewage into parks and waterways.

Our heavy reliance on connected devices means that exploitation of internet-dependent platforms can cause not only physical disruption, but also financial chaos. Last week the World Economic Forum revealed that the financial damage caused by an attack against a cloud-computing firm could equal or surpass that caused by Hurricane Katrina. That fact further supports the notion of switching the focus from physical infrastructure to critical services. The Australian government’s creation of the Critical Infrastructure Centre, which includes information technologies and communication networks in its definition of critical infrastructure, is a step in the right direction. And in March, ASPI will publish a report detailing IoT vulnerabilities and critical service protection, along with recommendations to address them.

But it’s clear that to safeguard Australia’s critical services from cyberattack, we need to improve communication and coordination between service providers, and to clarify the roles and responsibilities of cyber agencies. We must also prioritise the introduction and adoption of safety guidelines for IoT devices and strengthen international collaboration in this area.

The threats to energy grids, commercial facilities and online platforms vary significantly, yet all share a similar, frightening susceptibility to cyberattack. It’s a worry that’s not going to go away.