The Australian Cyber Security Centre has stressed the importance of decommissioning legacy systems after a ransomware attack on a NSW council affected its water quality monitoring systems.
Council minutes and employee financial data were also impacted by the April 2022 attack, the ACSC’s latest Annual Cyber Threat Report reveals.
The incident had a huge impact on council technology staff, who worked up to 80 hours overtime a week during their initial response, the ACSC added.
Critical infrastructure attacks increase
The report says that, globally, critical infrastructure has been increasingly targeted by malicious actors and the threat to Australia’s critical infrastructure is “an enduring concern”.
“The ACSC observed an increasing trend of state actors and cybercriminals rapidly exploiting publicly reported critical security vulnerabilities,” it says.
In the 2021-22 financial year, 95 cyber incidents – about eight per cent of all cyber incidents the ACSC responded to – affected critical infrastructure. It’s been notified of five critical infrastructure breaches since April 22.
During that time, one of the groups, the BlackCat ransomware group, targeted government and critical infrastructure organisations.
Councils an attractive target
The report warns that the threat to critical infrastructure isn’t limited to big utilities.
Local governments can be an attractive target, as some councils have responsibility for essential services such as water and sewage, it notes.
The report cites a number of case studies, including the unnamed NSW council, where the attack was apparently strategically timed to occur over the Easter long weekend.
The ACSC says a quick response by the council, its managed service provider and the ACSC prevented water and sewage systems being compromised.
However, the incident demonstrated the interplay between IT, operational technology and the physical environment, the report says.
“The initial access through a legacy entry point impacted multiple systems, including operational technology systems, which meant that council workers had to manually test water quality and levels following overnight rain.
“The case study demonstrates the importance of decommissioning legacy systems and erecting firewalls between IT and operational technology systems.”
The report also cites the case of Queensland’s government-owned electricity generator CS Energy.
On November 27 2021, CS Energy, which generates 10 per cent of electricity for the national market, became aware it had been targeted by the Russia-aligned Conti ransomware group.
Once again, emergency action had to be taken to ensure energy supplies weren’t affected.
Focus on resilience
Dale Heath, CTO at Rubrik A/NZ, said the ACSC report made it clear that while ransomware remained the most destructive cybercrime threat, most compromises used relatively simple tools and techniques.
Mr Heath said the report highlighted the need to shift from a ‘fortress mentality’ approach to cybersecurity, to one built on data security and zero trust.
He says not even the biggest digital wall can keep 100 per cent of attacks out, and the focus should instead be on data resilience.
“By realigning organisational focus to ‘can I recover?’ and ‘what is the impact?’ the shift towards this mindset can dispel the operational paralysis that comes from living in fear of a data breach as otherwise catastrophic cyberattacks instead become minor inconveniences,” he said.
The report was produced by the ACSC in collaboration with its partner agencies, the Defence Intelligence Organisation, Australian Federal Police, Australian Criminal Intelligence Commission, Australian Security Intelligence Organisation, and the Department of Home Affairs.
The ACSC advises against paying ransom demands.
Cyber security incidents that impact critical infrastructure assets can be reported to the ACSC via this dedicated portal, which includes a list of critical infrastructure sectors and asset classes.