Bronte Munro | Cyber & Technology Fellow
Critical National Infrastructure (CNI) can be understood as any facility, network, or capability that, if it stopped operating, would seriously impact Australia’s security wellbeing — essentially, we would be in serious trouble. Protecting CNI is therefore of paramount concern for national security. However, with the heightened integration of the physical and digital worlds, traditional security practices have fast become outdated.
The solution to this issue is security convergence. It involves the logical integration of security functions, processes, and objectives across traditionally separate security domains. Security convergence is the recognition that security related risks and threats are typically blended across all security domains.
In the case of CNI, convergent security practices are necessary to address the security related risks that come from the increased convergence of Information Technology (IT) and Operational Technology (OT) systems, which are responsible for controlling and monitoring physical devices, processes and events.
CNI traditionally relies on OT systems to function. Until recently, OT systems were not integrated with IT capabilities, which refers to the broad spectrum of technologies required for information processing that are connected to the internet. The integration of these systems means that OT is no longer protected by an air-gap, and is therefore exposed to greater risks through IT that they are not designed to withstand. This is often due to OT being an older, less technically dynamic, and more vulnerable system that cannot be easily patched. Subsequently, as IT and OT systems converge, so does the nature of risk and type of protective security measures required to address it.
One of the risks associated with the increased convergence of IT and OT systems is that the physical consequences of a cyber-attack on an OT system is substantially greater than that on a typical network. This first became a reality in Australia in 2000, when a disgruntled former employee of Maroochy Water Services in Queensland hacked into the OT system and caused 800,000 litres of raw sewage to spill into waterways and parks. The incident put the community’s health and safety at risk and caused significant damage to wildlife.
The Maroochy cyber-attack is significant, not only for being among the first of its kind on OT systems, but as it demonstrates the importance of people within an organisation’s security infrastructure. Ultimately, individuals are responsible for upholding the integrity of an organisation’s security measures.
The incident also affirms how a convergent security approach is essential in managing the diversity of risks across all security domains. For the attack to have been prevented, the physical security vulnerability that enabled the employee to remove company property (a laptop and radio), needed to be addressed. Additional information security measures could have also ensured access controls to sensitive information, such as passwords and waste disposal schedules, were in place.
Underpinning the entire incident was the failure for personnel security to recognise the disgruntled behaviour of the employee and the insider threat they posed. Regardless of whether Maroochy Water Services identified some or all of these security breaches, there was a clear communication failure between security domains, which a convergent security approach is designed to overcome.
Since then, there has been an exponential increase in the number of global OT systems reported to have suffered a cyber-attack from vulnerabilities created through integration with IT capabilities. In March 2021, the significant United States CNI provider Colonial Pipeline was attacked, a company responsible for distributing one third of the nation’s petroleum supply. The attack forced the closure of the pipe for six days and created nation-wide panic buying and price increases.
Security convergence is the logical response to changes in the nature of security-related risk CNI is facing, but uptake is still lagging. A 2019 study by ASIS International revealed that only 19 per cent of surveyed organisations could claim to be fully converged. The global resistance to convergence security stems in part from siloed attitudes within organisational security domains, and scepticism towards the benefits of convergence. This reluctance is not unique to the private sector and is evident within Australia’s CNI policy. This, despite Australian industry security professionals urging for a more diversified approach to national security.
The Department of Home Affairs has overseen the operation of the Critical Infrastructure Centre since its creation in 2017. The establishment of these bodies at least indicates a recognition of the unique threats currently facing Australia’s CNI. But recent legislative efforts by the federal government to manage the evolving security landscape have been met with significant concern from the private sector and security professionals. Policymakers are still grappling with understanding the risks facing CNI, and how to develop and implement converged security solutions in collaboration with the private sector organisation’s that own and operate CNI.
CNI is crucial to Australia’s national security, but the policy related to its protection still remains a few steps behind where it ought to be. Security convergence is necessary to ensure CNI policy is, at least, on the same playing field as the vast range of blended threats it is designed to protect against.
Bronte Munro is the Cyber & Technology Fellow for Young Australians in International Affairs.