A majority of critical infrastructure operators in Australia don't have adequate visibility and management of their assets and would struggle to meet the requirements of the second critical infrastructure protection bill, estimates Lani Refiti, Regional Director of cyber-physical systems firm Claroty.
The second bill, which entered parliament in February and builds on the Security of Critical Infrastructure Act (SOCI Act), would require a wider range of organisations that own or operate critical infrastructure to develop and submit an asset ownership list to the Department of Home Affairs as part of the risk management program.
Crucial to this requirement is visibility of an organisation’s existing assets. The proposed amendments focus on this through a risk management program and other enhanced cyber security obligations – including vulnerability reporting and cyber incident response planning and exercises for entities responsible for assets most critical to the nation (known as systems of national significance).
This will include organisations in transport, food and grocery, health care and other sectors with industrial environments dependent on cyber-physical systems. While utilities, for instance, have well-established asset registers, in Refiti’s experience various other sectors covered by the amendments don’t maintain asset registers in central databases that could easily be provided to the government. Instead, they use static Excel spreadsheets that are often out of date or inaccurate.
“I was doing some work for a client in the building space, looking at their building management system. I asked the organisation to show me their asset management database and they pulled out a spreadsheet that was five years old,” Refiti says.
He says organisations often lack the people, processes and tools to address this.
For companies to comply with the proposed regulations, they will need to extend their cyber governance model to include cyber-physical systems as a baseline – covering every device and system across manufacturing processes and building automation systems. For healthcare providers, this might include medical imaging equipment such as MRI machines and CT scanners, as well as Internet of Medical Things devices.
“You can’t secure what you can’t see,” Refiti says. “Organisations need to have comprehensive visibility of their assets before they can even think about managing and patching them.”
Refiti notes that some assets, such as manufacturing plants, might be air-gapped, requiring engineers to be sent out with a USB stick to update the software. Although some might consider these air-gapped systems less of an attack vector, they can still provide backdoor access to a company’s other systems.
“All you need to do is disrupt the corporate network enough that, out of due diligence and care, the company shuts down access to some part of their OT (operational technology) system.”
Refiti points out that only when an organisation has comprehensive visibility of its assets can it start to understand its level of exposure. This should help it decide where to focus its resources and budget.
The expansion of the sectors covered by the SOCI Act has left many operators scrambling as they look to meet mandatory reporting obligations.
He urges them to avoid another scramble by preparing now for the second bill to become law.
This includes ensuring that their monitoring technology stack provides visibility of all types of connected assets, whether they are in industrial, healthcare or enterprise environments.
The tools exist – these capabilities are provided by Claroty solutions. “We give organisations really deep visibility into their operational technology assets and, from that baseline, we help them secure and manage their assets by detecting anomalous activity on the network. We also ensure that engineers, manufacturers and other remote workers can connect to their systems more securely than a traditional VPN,” Refiti says.
When organisations will act to improve visibility of their assets is another matter.