No organisation or infrastructure is immune to cyber threats. Here’s how to get your digital ducks in a row.
Cyber security attacks are growing increasingly common, sophisticated and complex. During the 2020–21 financial year, the Australian Cyber Security Centre (ACSC) received more than 67,500 cybercrime reports, with losses estimated at over $33 billion.
Last year, some of Australia’s most prominent organisations such as Medibank and Optus fell prey to cyber crime – demonstrating the vulnerability of our systems.
Recognising the growing scale and urgency of the challenges presented by cyber threats, Engineers Australia has identified Cyber Engineering as a new Area of Practice, urging all engineers to be aware of cyber issues when incorporating digital technologies into solutions.
Create sat down with Shireane McKinnie PSM HonFIEAust, Chair of EA’s Cyber Engineering Working Group, who outlined the nature of emerging threats, and the practical steps organisations should take to prevent and recover from them.
Why are we seeing more cyber attacks?
There are several reasons for the upswing in attacks, says McKinnie, including the war in Ukraine, the COVID-19 pandemic, Australia’s growing prosperity, and the increased adoption of digital technologies to automate industrial control systems and facilitate electronic commerce.
“During the pandemic when restrictions were imposed, people became more heavily reliant on digital technologies connected to the internet for business, telehealth, education and commerce,” she says.
“The more systems connected to the internet that are sharing valuable data, the more opportunities there are to exploit those systems.”
Ransomware is one of the most prominent forms of attack, where system intrusion leads to information extraction, system disablement or data encryption.
E-commerce is another area prone to attack. With the increased reliance on digital technology by individuals and businesses to buy and sell products and services, and conduct online banking or business-to-business transactions, there has been a growth in business email compromise.
“Weaknesses in systems are often put on the dark web, providing information for other malicious actors on how to penetrate them, or change and steal identification data for use in future scams,” says McKinnie.
Engineers’ role in cyber security
To protect systems from these growing threats, new obligations have been incorporated into the Security of Critical Infrastructure Act that spans most sectors in Australia. These obligations primarily revolve around reporting of operational and ownership information, cyber incidents, and complying with risk management programs for securing data and systems.
“Enterprises involved in critical infrastructure, along with the engineers who design, operate and maintain the systems that power this infrastructure, must do what they can to protect data and systems,” says McKinnie.
This means incorporating secure-by-design approaches for new systems, or finding ways to retrofit security measures to older systems and critical infrastructure.
When it comes to operations, ongoing system monitoring is a necessity. Maintenance action must be carried out without introducing or exposing system weaknesses, and patches should be quickly applied to mitigate identified vulnerabilities.
ACSC has established a system for sharing information in the aftermath of cyber attacks, with the organisation also revealing intelligence insights gained through working with Australian companies and overseas partners, says McKinnie.
“The more people understand the types of attacks and nature of vulnerabilities, the better they are equipped to ensure their systems don’t have the same weaknesses,” she says.
Identifying system vulnerabilities
When it comes to identifying the vulnerabilities in your own systems, regular threat and vulnerability modelling will help you understand the evolving cyber threat landscape.
“No system is perfect, and you should assume that [yours] could come under attack,” says McKinnie. “Backup systems should be in place to enable a quick recovery, along with constant monitoring for changes and irregularities.”
To protect against data extraction, for example, recovery system backups should be disconnected from online systems.
“In the event you are attacked, you then have backup data you can reload into the system,” adds McKinnie.
But constant monitoring and analysis of inputs into this backup system is vital to discern the difference between clean data and corrupted data, she warns.
“If you take information from an operational environment and put it into a backup environment, you risk copying something across which has been embedded into the system by actors snooping around for vulnerabilities,” she says.
“You want to ensure you’re not putting malware into the backup, which could be activated when you attempt to do the recovery.”
Keeping up with digitisation
Engineers should take a whole-of-system approach when it comes to cyber security, including factoring in connected systems which may not have the same security.
For example, it is understood the Optus attack occurred when malicious actors exploited an Application Programming Interface that didn’t require authentication and was exposed to the internet. The exposed interface facilitated access to sensitive customer information.
“If the system you’re connected to has no protections, your system becomes vulnerable,” she says. “You’re only as secure as the weakest link.”
Having a good understanding of system requirements is also key, including the functions it needs to perform, and other requirements such as confidentiality, integrity, availability, safety, and human factors. These need to be analysed to understand priorities and trade-offs of stakeholder needs.
“One of the key parts engineers need to look at, particularly with safety critical systems, is to ensure that trade-offs between safety and security are conducted in a coordinated fashion,” says McKinnie.
“For example, you can make a ventilator very secure. But if you can’t access the system to use it on people, it’s not going to meet its purpose.”
Cyber skills, accreditation and standards
With cyber threats continuously growing, organisations need employees with cyber engineering capabilities to reduce the risk of system attacks.
Work is underway on a career development road map and competency framework to identify the key attributes that apply to the cyber engineering workforce. These are intended to provide a consistent basis for recognition of cyber engineers, a foundation for cyber engineers to maintain their accreditation, and an authoritative accreditation framework for organisations to rely on.
“If you’re hiring people who are certified, you can be confident that they have the knowledge, training and experience to do the work you’re employing them to do,” adds McKinnie.
Thanks for your article. In the last section of this article I feel it would have been useful to have mentioned some of the currently recognised certifications in industrial cyber security. I recently looked into this, and there appear to be a number of certifications related to IT security, but it was not clear to me what certifications were relevant (or respected) in Industrial or OT cybersecurity.
I look forward to hearing more on this in the future.