Australia’s critical infrastructure remains open to cyber attacks, says a new report.
Released this week by the Australian Signals Directorate – the Australian Government’s technical authority on cybersecurity – the Annual Cyber Threat Report says “critical infrastructure networks are an attractive target due to the sensitive data they hold and the widespread disruption that a cybersecurity incident can cause on those networks”.
In the report’s foreword, defence minister Richard Marles – whose portfolio has responsibility over ASD – says: “Malign actors – both state and non-state – are improving their cyber capabilities, increasing the risk of disruptions to Australia’s critical systems, infrastructure and networks.”
During 2023-24, 11% of cybersecurity incidents ASD responded to related to critical infrastructure – services that are essential for everyday life such as energy, food, water, transport, communications, health, banking and finance.
As the report’s authors note: “Operational disruptions to critical infrastructure can be severe and can directly affect the lives of many Australians.”
During the period, ASD responded to 128 incidents reported by critical infrastructure organisations. The most frequently reported sectors were electricity, gas, water and waste services (30%), education and training (17%), and transport, postal and warehousing (15%).
The three most common activity types leading to critical infrastructure-related incidents were:
- phishing (23%)
- exploitation of a customer-facing application (21%)
- brute-force activity (15%).
Brute-force activity is the hacking of passwords, login credentials, or encryption keys to gain unauthorised access to a system.
The three most common cybersecurity incident types affecting Australian critical infrastructure organisations were:
- compromised account or credentials (32%)
- malware infection (other than ransomware) (17%)
- compromised asset, network or infrastructure (12%).
Highlighting recently reported incidents, the report points to cyber attacks against Australia’s water sector – including ransomware for extortion, unauthorised access to ICT systems, manipulation of water treatment facilities, and data theft.
Malicious cyber actors target critical infrastructure systems for spying purposes, to lie in wait for future attacks, and/or for financial gain. “Operational technology systems are increasingly interconnected and can have vulnerabilities that make them an easier cyber target,” say the report’s authors.
They recommend that critical infrastructure organisations adopt an attitude of “when not if” a cyber security incident will occur, adding “designing robust information security measures is vital to protect the confidentiality, integrity and availability of systems”.
Governments and organisations should have an incident response plan in place and test it regularly. Good cybersecurity, say the authors, “is not set and forget”.
In all, during the 2023-24 period, ASD received over 36,700 calls to its cybersecurity hotline – an increase of 12% from the previous financial year – and responded to over 1,100 cybersecurity incidents.
“This report highlights the importance of strong partnerships between the public and private sectors in defending Australians from cyber threats and making our country a harder target,” Marles said.
Leave a Reply