Emily Grant: First of all, just before we kick off, I just wanted to let everybody know that this session is being recorded and will be placed on the CISC website at a later date.
Cameras and mics are muted, but questions are welcome throughout the chat function.
I'd like to welcome everyone here today, my name's Emily Grant and I'm the Assistant Secretary of the Industry Partnerships Branch here in the Department of Home Affairs.
I'd first like to commence by acknowledging the Ngunnawal people as the traditional custodians of the land in which I'm meeting you from today and recognise any other people or families with connections to the lands on which you may be joining us from. I wish to acknowledge and respect their continuing culture and the contribution they make to Australia. I would like to also acknowledge and welcome any Aboriginal or Torres Strait Islander people who are present here today.
So thank you again for joining us. We are here as part of the inaugural Critical Infrastructure Security Month and I'd like to thank you all for being here, as well as our panel members for attending this town hall.
We have three panel members with us today. I'll start with Robert. So Robert Lee began his work in cyber security as a US Air Force cyber warfare operations officer tasked to the National Security Agency. With his team at Dragos, he has been involved in the most significant cyber attacks on industrial infrastructure, including investigation and analysis of the 2016 attack on Ukraine's electric system, the 2017 Trisis (I don't know whether we say it like that, but I'm sure Rob can correct me later) attack on the Saudi Arabian petrochemical facility and the 2021 Colonial Pipeline ransomware attack.
Thank you for joining us today, Rob. I'd also like to introduce Philippa Cogswell, or Pip. Philippa joins us from Palo Alto, where she's the managing partner of Japan and Asia Pacific. Pip was a partner in PwC's Cyber Security and Digital Trust Practice and worked for both lead Australian and British cyber security agencies. She was an advisor for the UK Centre for Protection of Critical National Infrastructure, or the CPI, and I think it's now changed its name, and has extensive global and cross-sector experience.
So thank you for joining us, Pip.
And finally, for most of you on the line, you're very familiar with our leader, Hamish Hansford. Hamish is the Deputy Secretary of the Cyber and Infrastructure Security Group and he leads the group responsible for bringing together cyber security and critical infrastructure policy. He also looks after cyber response and coordination functions, as well as looking after the background checking scheme, AusCheck. The CIS Group also provides support and search activities to the National Cyber Security Coordinator, and Hamish is currently acting in that role following the departure of Darren Goldie.
We will commence by going to each panel member to ask them for some overviews of today's meeting discussion, which is the evolution of cyber security for critical infrastructure. But before we hand to those members, I thought it might be useful for those on the line today to hear quickly from Hamish about the release of the 2023 to 2030 cyber security strategy that was released by the Minister for Home Affairs. Hamish, are you happy to give the group an overview of that?
Hamish Hansford: Yes, certainly am. So I know the first thing to say is we've worked over the last 12 months with so many people. I assume some of you are online today, and over 330 submissions, lots of great ideas provided into the process, lots of roundtables. I think we met with over 700 different people and different groups. And what the government announced yesterday is a package for seven years for the country for us to be a leading cyber security economy. And so the strategy is one that's really practically minded. So it's not kind of esoteric in its nature. It really does try and chart that path. And if you look at all of the initiatives in the strategy, the hypothesis is that if we did all of those things, we think that we'd be a leading cyber economy by 2030.
And the really big challenge now is for us to implement it. But the strategy is built around six cyber shields, which effectively are in a metaphoric sense, a shield to protect the country from some of those cyber threats that I'm sure we're going to talk about today, but just at a high level.
So the first shield is all around, how do we create strong businesses and citizens? The last strategy in 2020 was very heavy on critical infrastructure protection and defence. This is about now moving on to, how do we protect small and medium business, big package in there to try and help those companies with cyber security issues, both preventative and responsive. Big kind of awareness raising package in there, trying to build awareness of cyber threats, particularly focused on vulnerable communities. There's a big package in there for the Federal Police to try to really look at their cyber crime capabilities and use their powers to break the ransomware business model. Now everything from guidance to where to go to for advice in a cyber incident to more support for victims of identity theft. That's all in that shield.
And shield two is about safe technology. Australians should rely on technology that's developed, secure by design and the digital products and software that we rely on on a day to day basis. That's really what that shield is about, including emerging technology like AI, not so emerging AI and other, post quantum encryption related issues.
Then the third shield is about how do we inspire, both within industry and between government and industry, world class threat sharing and, for telecommunications carriers, world class threat blocking. And so that's a big area of focus, particularly for telecommunication companies and providers. Can we block threats at scale so that we can reduce, particularly, the volume in cyber security threats coming our way.
Shield four is about critical infrastructure, including government, and that really builds on the regime that we've got in place on the Security of Critical Infrastructure Act. I'll make some comments about that later, but it also asks government to really step up its role and to try and think about how we build up a zero trust culture, how do we try and get there and how do we start to be more of an exemplar within Australia.
The fifth shield is around sovereign capabilities, really looking at our workforce and our local cyber industry research innovation. And yesterday the Prime Minister and the Minister chaired the first Executive Cyber Council trying to bring industry leaders together to think about how do we protect Australia together. And that's really the start of that capability.
And then finally, shield six, it's really about resilient region and global leadership. So how does Australia support the norms that the world relies on? And then, practically, how do we do things like have a flying squad in the Pacific so that we can help others respond to cyber incidents? So both are kind of aspirational set of goals, but really practical and tangible areas for us to get there.
So that's Australia's 2023 - 2030 cyber strategy now launched yesterday and we're on track for implementation on day one.
Emily Grant: Brilliant. Thank you Hamish. Well done to you and the team that developed and are now implementing that strategy. There's a lot of work that still needs to be done. So well done.
I'd now like to hand over to Robert for some opening remarks. I've already introduced Robert, as you know. So, Robert, you've got a lot of experience in OT, but can you give us your views on the evolution of cyber security for critical infrastructure?
Rob Lee: Yeah, absolutely. And thanks for having me there.
I think the first and most important thing, though, is to acknowledge that I do believe it's Pip's birthday, so we do need to call that out as we get going that she is, you know, delighted to join us on a webinar on her special day.
But look, when we talk to critical infrastructure, obviously it's an IT and OT story, right? And I definitely respect all the work that's happening in IT. But I'd be remiss to not mention that we just generally haven't done as much in OT as we need to. And I think when we look globally, it's not just Australia, but I do think Australia has paid attention to it, especially with the SOCI Act.
But, when we look globally, most world leaders, most board members, most CEOs, most CFOs, most COOs understand and recognise where impact to environment, impact to life or impact to revenue exists. And it's not your website. And there's a lot of amazing things that IT does to enable the business. But if you want to impact your local communities in a negative way, attacks on the OT portion of infrastructure, that's the critical part of critical infrastructure.
And I think there's then a trend where for a long, long time at the executive level there's been a view that enterprise IT is encompassing of the enterprise and a lot of board meetings. I go to a lot of government discussions I go to, there's this view that this OT work has been getting done under that umbrella of enterprise OT or enterprise IT or a lot of CSOs or CIOs come back and go, Hold on. What are you talking about?
You've resourced me, you've given me the authorities to do enterprise IT. That truly means IT, not what's happening at substations, not what's happening in ports, not what's happening at the manufacturing sites.
And so the number one trend I would see is that governments, boards and kind of the executive layer are opening up to the idea that maybe we've not been investing in the portion of business that really keeps the business running as much as we necessarily should have. And as we see trends across digitisation, as we see trends across moving from heterogeneous environments to homogenous, I'll come back to that taking place.
We also see the trends or threats and the actors that, you know, sort of operate as threats to our infrastructure have paid attention that it is not only viable, but sort of resourceable to attack infrastructure and impact communities. So let's take that as an example of what we're saying. So when I started out my career on the sort of National Security Agency side, generally speaking, a lot of what I did was defence. But as a portion of my career and going to work on the cyber command side, there was an offensive portion or what I would politely respond to is free up testing and very instant response of other people's infrastructure. And when we would do those types of engagements, what I would say is if you wanted to create, 10, 15 years ago, a malicious software framework, malware, exploits, whatever you want to put in that bucket, to go after somebody's infrastructure, the more damaging you wanted it to be, you wanted to move past espionage into disruption.
And really, if you want to move into destruction, the more specific that capability had to be, if you wanted to go after a site to disrupt, it had to be pretty specific. If you want to go after a site cause physical damage, it better be very specific to that site because it's not about exploits and vulnerabilities at that point. It's really about the knowledge of the physical environment and the ways that impact it.
And so in a heterogeneous environment that was the case. You had a lot of integrators, original equipment manufacturers, Bob's protocol, you know, would pop up just a wide range of things where a port in Australia was not anything close to a port in Dubai, a petrochemical facility was not anything close to a petrochemical facility from Dammam to Houston, a transmission electric substation had nothing in common to an insulin manufacturing provider and the shop floor.
But that also made it very difficult for companies to operate, made it difficult to train the workforce so that you could go from a facility in Houston to a facility in Dammam in the same company. It made it difficult if you wanted to move industries and that added cost and complexity to businesses to operate in products and goods were more expensive and workforce development was more difficult. It meant that you were really reliant on knowledge in the company where that engineer worked at that facility for 20 years, or Daddy worked at the facility for 20 years, or Granddaddy worked at the site for 20 years, that that knowledge maintained, but in people. It was very difficult to actually scale businesses under that sort of regime.
So for all the right reasons and in a way, I don't think we can put the horse back in the barn, if you will. We move towards homogenous environments where we have common operating systems, common operating protocols, common operating implementations. A solar concentration farm with the Emerson Innovation system is the same system that you're putting in for a hydroelectric facility, is the same protocol stack and communications network that you're putting in for a distributed control system that's operating in a pharmaceutical environment. And that meant that we got more reliable infrastructure and safer infrastructure. We should downplay that. And it meant that we got better cost of goods so that margins increase for companies and prices also come down. It meant that we had workforce development in such a great way.
The problem though, from a cybersecurity angle is it also means that those handcrafted farm to table boutique one off malware capabilities to do attack can now scale beyond one company to multi companies in an industry, let alone now looking to cross industry. And when we looked at the OT portion of our infrastructure, we for a while benefited as lower frequency but higher impact attacks. IT gets hit with DDOS and emails and phishing emails and everything 10,000 times a day, but it's not going to bring down the company, let alone the economy.
So high frequency, lower impact. On OT, it was lower frequency, high impact, but in my view, we've sort of started crossing that divide. And the first indication about this was about two years ago where Dragos got to work with the US government and our partners very closely, which I do really, really champion, that when public private partnership actually works out, it's not a slogan, but actually gets down to the operational value, like it's meaningful. And we were able to work with our partners to identify a state actor that developed a capability that we've since called Pipe Dream and was able to analyse it and release information out to the community before it was employed.
So before the adversary actually got to take a shot at their targets. And that capability is the first time that we've seen across industry reusable, scalable malware in such a way that can cause disruption and destruction to the environment. That's never happened before. We never lived in that world. We've never had to deal with somebody being able to pick up a capability in replay at another facility the next day. This capability is effective on hydroelectric facilities. It's effective on a gas turbine system. It's effective on a servo motor for an unmanned aerial vehicle. And it just plays into that homogenous curve that we've sort of gotten into.
Why does this all matter and what do we do about it? Why it matters is, again, you're going to start seeing those lower frequency, higher impact attacks start to become higher frequency. And as much as we have some just darn good people around the community and I've gotten the privilege of working in Australia for years, both in my SANS Institute hat and training people, as well as our wonderful team at Dragos and working very close with ACSC and other partners around the community.
Though you have darn good people, anybody sort of popping bottles of champagne, calling mission accomplished and thinking that we are in a good place with our infrastructure is ridiculous. We are at the very beginning stages of doing things past prevention. And if you look at most of the standards, whether it's 64.3 or NIST cyber security framework or whatever, we have overly indexed on passwords, patching, access controls, endpoint protection systems, encryption. We've overindexed on prevention. And when you don't turn the lights on inside the house and get the right visibility, you have no chance of doing detection and response and you have no chance of actually adapting prevention over time.
And so while there are very good teams out there across national infrastructure across Australia, we need to recognise that nobody's just sitting by the sidelines. There's a lot of work to be done to be ready for the type of attacks we're talking about. And I'm never the hyped up person. I'm not the, my God, the boogeyman is coming, for ten plus years in this business. You've seen me in front of various parliament and congressional discussions around the world going, Calm down, folks, phishing emails are not taking down the grid, or calm down, folks.
That's not how physics works. But for the first time in my career, I'm standing here going, hey, time's up, we've crossed that line. Things have changed. When you look at the ransomware sort of endemic that we've all faced, two big drivers of that: one, I would say just now, cryptocurrencies in general, and sort of the explosion of those sort of offensive security tools, and that is a dogmatic debate for the information security community. But anybody that's worked as many incident response cases as we have will tell you that Cobalt Strike, as an example, is absolutely fuelling ransomware operators' ability to operate, where they don't have to build capabilities anymore. They just get to operate them. We have not been in a place in the community where you have ICS attack frameworks ready to go. So everybody that's doing offense has to build their capabilities, learn to do it, learn to operate, learn every component of their supply chain to be effective.
Pipe Dream represents attack frameworks now in a way that IT has been dealing with for a while. My biggest concern is a Pipe Dream-like capability going from a state actor, where there is some level of states holding each other accountable, to criminal operators. The moment you're having ransomware operators being able to leverage Pipe Dream-like capabilities, like it is a very different world in terms of what we're dealing with.
So by and large, and as I wrap up for my component of it, I would say that defence is still doable, where we can absolutely invest in this and do it correctly. We've got to stop some of the sugar-coating as we talk to executive teams. I see a lot of CISOs, well-intentioned, give a very rosy view to the CEOs and executives about what actually is happening at their company because they don't think they're going to get resources or budget. As, hey, sorry, that's not your job. Highlight the risks that you see and let the board take accountability for it. And we've got to be a lot more candid in that view. And we have to appreciate that.
Again, the OT portion is the critical part of critical infrastructure and if we don't address that effectively, we are impacting our local communities. And I think I hope that's the one thing we can all agree on, is that we want our kids to grow up in a safe world. We want our families to grow up in a safe world. And we're talking water, insulin, manufacturing, electricity, oil and gas, mining, infrastructure like that. That's what it is.
Now the one plug I'll put in there is on the SANS Institute side. Tim Conway and I looked at every single industrial attack that's taken place and figured out sort of what are the effective controls. We modelled it quite, quite openly after the ASD critical four when they came out and we said what are the critical controls that actually make sense for OT, not based on opinions, not based on what IT wants to copy and paste into OT, but based on what is actually effective against the attacks we've seen, and we came up with five critical controls.
So for those of you that are interested in kind of just what actually works against these attacks and then want to go map it to the standards and frameworks and regulation they're looking for, I would just put a plug in for the paper that we wrote. It's open and available on the critical controls. It's Five Critical Controls for ICS Security and hopefully that will be a useful tool to you to think about how to approach this problem, because I will tell you it's doable. Your adversaries are not as impressive as you think. It's just they look great if you don't enter the playing field. But if you enter the playing field, you can absolutely do this.
Emily Grant: Brilliant. Thank you so much for those comments, Rob. We might try and track down that document and place it in the chat.
Before I hand to Pip. I just wanted to welcome those that have joined us online. This session is being recorded, but we do encourage you to pop any questions you have for our very experienced panel members into the chat, and we will commence asking some of those questions very shortly.
So over to you, Pip, for your views on the evolution of cyber security for critical infrastructure.
Pip Cogswell: Thanks, Emily and thanks everyone for having me today.
Look, I'm just going to start actually by reflecting on a few of Rob's points as well, and from my own perspective when I returned home in 2018 after working overseas. And so from a global perspective and very much in critical infrastructure organisations as well. I was told to expect Australia not to be as mature as what I got used to working overseas. And to be honest, I sort of took that comment and thought, you know, that comes as a bit of a surprise to me. A lot of the practitioners I knew who are either in IT or OT are amazing, right?
So I was really surprised to hear you're just not as mature. It was, you know, probably 12 months later or so, I really came to realise that the difference was that Australia just wasn't ready. We had been living a little bit isolated. I don't know how we hadn't had some of the major events happen that we've seen happen elsewhere in the world. Also, to Rob's point around the sugar-coating around executives, I think that's very, very real because in my mind, the executives from what I'd seen weren't necessarily as aware as executives I had come across elsewhere in the world. So I think that's a really, really important piece.
Look, as I sort of look globally around sort of how some of the other critical infrastructure frameworks are actually operating, it's fair to say that every country has a lot of its own framework of how they're doing, its own list of sectors, etc. You know, what they're considering to be critical. And I think, to be fair, this is going to continue to shift and evolve. And I know that, you know, over time, government and otherwise are probably going to get criticism because of this change, and that's because we're facing into so much change. But, you know, again, if we just took the US as an example, they've had what, in their nearly 30 year history of doing this, they've gone up and down in the number of industries that they've had.
You know, they originally had I think it was eight, then they went to 15 sectors, they went down to nine, then back up to 16 sectors. So I think, you know, just from an industry perspective, I think we probably will expect to see that flurry as we kind of go through. Also what we tend to find, looking globally, is a lot of that change has actually been driven by, you know, unfortunate events, administrative changes or other catalysts that do make us rethink what is critical infrastructure.
And I think, you know, to some of Rob's points as well, historically over time, we've been very concerned about specifically nation state actors, you know, things being highly technical, being particularly bespoke capabilities and what have you. But the reality is in this space as well, a lot of it has grown into, you know, cybercrime, ransomware, extortion groups as well as hacktivists. Conversely, as we sort of look at the greater threat landscape as well, you know, unfortunately, we're also facing into more sort of, I guess, opportunistic targeting as well.
You know, we've had threat actors recently, you know, even here as well, by chance discovering vulnerabilities and assessing those critical infrastructure networks and using that as a leverage point to learn and sort of, you know, exploiting those. The other sort of lens, I guess, that I look at in terms of some of the critical infrastructure otherwise developments is, you know, the technology and digital environment that we're actually looking into, and that's OT. And Rob has done a great job of explaining how that's evolved.
But IT as well, you know, we've brought in, in the last decade, a huge amount of change, whether it's moving to cloud environments, leveraging, you know, 5G in certain circumstances, introduction of many, many connected devices, particularly in the IoT space. So we've had a huge change in terms of the footprint exposure that we have in these environments as well.
I've no doubt that Hamish will touch a little bit more on some of the sort of compliance and regulatory changes, but also the legal requirements as well. If we look to Australia in the last five years alone, it's been a huge list of inquiries, reforms, strategies, bills, legislative changes, reviews and so on, right.
So again, if you couple that from an industry perspective, that's a lot of change for us to be facing into when you're thinking about what do I need to be reacting to as well, and not just for cyber security, but also a lot of sort of close adjacent fields as well, whether it's privacy or data security or operational resilience and so on as well. I touched on it slightly before as well. Like stakeholder expectations have changed dramatically and stakeholders inside a lot of these organisations vary. It may be the board, but it may be your customers, your members, employees, students, you know, our partners.
In OT we're actually looking to citizens as well, right. So it's a very different perspective in terms of people's perceptions and also what their expectation is and how they sort of, you know, delivering and relying on some of these services in a way that we probably haven't had to be quite so visible for us in the past. The other major change, I would say, is also around how we're sort of leading into our third parties and our supply chains. That again has changed dramatically, I think as well.
We've got an enormous reliance on third parties in some cases that we haven't necessarily done so before. In particular, you know, data storage and cloud providers. That wasn't something that we were experiencing prior in the way that we are now. And again, you know, that becomes a greater attack surface we're seeing a lot more attacks into cloud providers again, because of the way that they provide that sort of common service to us as well. And of course, I would be remiss if I didn't talk a little bit more about the cyber threat landscape as well.
You know, if we looked at some of the sort of top types of attacks being things around, you know, ransomware and data theft, supply chain attacks, web attacks, insider threat. We're seeing some new interesting changes in that space as well, DDoS and also destructive attacks, which I think we'll probably unfortunately see a lot more of to come. Again, I think the types of attackers, there's no particular major change in the types of attack groups that we're seeing, but we are seeing probably a lot more state aligned attacks than what we've probably seen previously, as well as around state sponsored, state aligned. And look, if I was to think of some of the recent publications that, you know, Unit 42 at Palo Alto Networks has put out.
We've had some really interesting sort of threat intelligence information around critical vulnerabilities. Some of the lessons learned that we've applied, particularly from our incident response or consulting engagements, you know, ways that we're detecting certain types of attacks as well, particularly if they're novel or different, right through to executive briefings and also lessons learned, which I think is very important and one that I hope we talk about more today as well.
But look, in terms of just touching at a very high level on some of those papers that we've recently, and a bit of perspective, actually, to be fair as well. So with Palo Alto, we've got 85,000 customers globally. So when we look at our telemetry, when we look at our number of incident responses that we actually go in and operate to, if we also look to our consulting business where we've got, you know, red team, compromise assessments, threat hunting, those types of services all feed some of our intelligence. We've got a huge malware repository. We're often learning a lot from that as well. But you know, a lot of the reports we've, I'm not sure if it has come to your attention, but some of the reports recently around China's targeting of some of its allies, so Cambodia in particular, and a lot of compromise of exhaustive agencies within Cambodia. But again, interesting because of the ally perspective there and the closeness of their governments working together. We've seen North Korea doing a lot more targeting around specialist roles, specifically developers as well. Some of that might just be from a cryptocurrency perspective, you know, trying to get, you know, for monetary gain but also for staging as well.
You know, we've seen scenarios where we've also got some IT workers, with high confidence we're assessing it to be North Korea, trying to gain employment in various companies as well. So we're seeing a lot more of boots on the ground there, if you will. So the Iranian backed APT groups we've also seen targeting, you know, education and technology sectors in Israel. Now some of that's around stealing sensitive information, but we're also seeing more common deployment of wiper malware as well, more destructive malware.
You know, initially you might be thinking covering your tracks, but, you know, again, more broadly, we're seeing more of that coming to our attention as well. And of course, you know, we're also publishing things like critical vulnerabilities around things like Citrix Bleed. When we saw that we used some of our sort of scanning attack surface management tooling to get a bit of a perspective for what that looks like globally. And, you know, our researchers observed it was around 8000 IP addresses were advertising vulnerable versions of that gateway globally. That's, you know, that's a lot of points of potential, right? And when you think about attacks being able to become more automated, either from an initial attack perspective, an automation of collection of information or otherwise perspective, that scale is obviously quite fast.
So as I said, we're seeing a lot more in the way of new malware families, in particular including malware wiper variants. We're seeing more novel techniques, including people trying to stage individuals into organisations. And again, because of the remote way we work, that has become more doable, more achievable. We're seeing more brazen behaviours with some of those threat groups as well.
So in terms of more interaction with media, you know, notification of potentially regulators and other stakeholders to try and, you know, attempt to pressure and create greater persistence and urgency in some of the things that they're dealing with. And like I said before, greater targeting around cloud environments and sort of the general supply chains.
So things where you can have a much greater impact across the board as well. Look, I'm not, you know, sort of mentioned as well. I think, you know, Australia from our perspective remains one of the most impacted countries across sort of the region that I look after. So across JAPAC in particular. And if we look at some of the analysis around some of the data leak sites, what we're sort of saying is, you know, we continue to be one of the most targeted areas in the region as well. And you know this, we saw a lot of this being fairly consistent since a lot of the double extortion attacks sort of started flattening and playing out since 2019 and thereabouts.
But look, I might want to actually just pause there and see if we can back to Hamish or to the group for questions at this stage.
Emily Grant: Thank you Pip.
Pip and Robert, those weren't concerning addresses at all. I'm going to sleep really well tonight knowing all of that information, so thanks for that.
So Hamish is going to assure us all now that the Australian regulatory environment is fit for purpose and is going to save us all from those threats.
Hopefully, Hamish? No? Yes?
Hamish Hansford: Well, no such luck there, Emily, of course, because it's such a dynamic, changing threat environment, and I kind of think regulation and our responses are kind of always going to be much slower than the speed of the adversary and much slower than the technology that's being developed. And I've been thinking about this over the last couple of weeks when I've been out talking to infrastructure providers in Australia, and really I'm of the same mind as Rob and Pip.
I was in a hospital a couple of weeks ago and I was talking about security issues and what things they were doing, particularly for Internet of Things devices, and one of the doctors turned to me and said, mate, we're dealing with patients who are dying. Can we just focus on the issue at hand? And I thought, well, actually the issue at hand might be that a whole lot of patients are going to die because the machines that you rely on won't work anymore. And we had that really close call in Dusseldorf Hospital with the ransomware attack, and ransomware attacks all over Australia in the last couple of years in relation to health providers, where I just think the evidence bears that out as an immature response.
But that means the regulatory framework and our job need to actually influence those outcomes. Same thing when I went to a utility provider a couple of weeks ago who said, we don't have any networks, we've just got things that we can use manually. Yep, but how do you monitor, I'll tell you who it is, but the water levels in that particular facility? They're like, no, I've got a system for that.
So, okay. So actually you have a fundamentally large SCADA system which underpins the functioning of your business. Sure, there might be some manual override for some elements, which is good, but actually it showed me a fundamental kind of misunderstanding of the systems and networks that made up the infrastructure asset.
And last year, actually, I went to an education provider who had a really significant research project into a major national security issue, that had all of this really comprehensive and complex data. And when you looked at the systems that protected that data, every single person who had access to that university system could access that data, which is kind of fascinating when you think about the type of national security research that that institution was undertaking.
And so that kind of gives you a sense of some of the things we find on a day to day basis when we talk to infrastructure providers, but also when you talk to governments across Australia. And in the last 12 months we had 188 successful cyber incidents on Australian critical infrastructure. So that for us gave us insight into the level at which Australian critical infrastructure is having successful cyber incidents and reporting them. And then you've got to look at the last couple of weeks: the Australian Securities and Investments Commission put out a really interesting survey which said 33% of Australian companies don't have a cyber incident response plan. 58% of companies have a limited ability to protect confidential information. 44% of organisations don't manage third party or supply chain risk. And so when you kind of look at the question about whether regulation is helping, well, of course it's setting the framework, and companies are looking at how they comply, government agencies are looking at how they comply.
But the overwhelming issue and I think actually Rob, you picked up on it, is this disconnect between the security manager, the CISO, the Chief Information Officer and what boards are really talking about and thinking about in terms of risk. So, sure, we have some really great regulations in place, but I think the more important thing that we should really be focused on is how do you talk about cyber risk? How do you be a much more curious organisation or government agency? How do you think about prevention and more importantly, response? How do you think about doing things that are practical, like exercises to make sure that the first time you suffer a cyber attack, you're not thinking about what you're going to tell your customers, what you're going to tell your staff, how you're going to respond, who you're going to call for advice and support for the technical remediation.
And so I think that's kind of the area where Australia needs to focus at the moment. How do we build up that culture, and how do we start to create a much more organic culture where we're thinking about security as something we do, and thinking about risk and risk management and risk mitigation as something that we do on a day to day basis, not just a compliance exercise of doing a risk management program, sending it to a board, getting it signed off and reporting to the government that it's done? That kind of defeats the purpose of why you're doing it. And so I think that's going to be the great challenge, and in effect that's going to be one of the most difficult things to change in Australia, both on the government and industry side, and the environment is going to get much worse. And so you heard from our other two speakers about OT risks; I'd add to that the interoperability of systems and a common supply chain, an increasingly common supply chain.
I'd add that people haven't thought about data and whether or not they should shed a lot of data, that is, is there economic value in keeping the data compared to the economic losses that you would suffer if that data was stolen? And then thinking about aggregation threat, what are the areas of threat that we particularly run, from my perspective, for the country, which are getting too risky? And that's not on an individual company basis, but it might be on a state basis or indeed a national basis. And so I think those are the kinds of issues that are on my mind when you ask the question about where Australia is at on our cyber security maturity, particularly as it relates to critical infrastructure.
Emily Grant: Hamish, you were supposed to appease me.
Hamish Hansford: Well, you know, the journey is never done, is it.
Emily Grant: Well, I guess it all keeps us employed. So that's a positive thing. So thank you for that, Hamish.
Really, really insightful. In the chat there, you can see that a number of documents have been dropped in there, including Rob’s paper on the five ICS critical controls, as well as Dragos's response to that.
We've also popped a link to the cyber strategy in there, and we encourage you to ask any questions.
So our first question and I'll ask this of all three panel members, if I can. We'll start with you, Rob. So the question comes from Cody and Cody is asking, are there any lessons learned for Australia from the geopolitical events in Ukraine and Israel and Palestine in terms of hardening or being resilient to cyber attacks on critical infrastructure?
Rob Lee: Yeah, I mean, I would say there are probably quite a few to extract, but I think both are ongoing conflicts and the real lessons learned will probably come quite a bit after. I think the problem that I've seen so far, and I hope I don't come off too coarse when I say this, but I think too many folks sitting a pretty, pretty long distance away from both those conflicts have tried to extract lessons learned that sort of fit their purpose, instead of waiting for the conflicts to resolve and then extracting some lessons learned. Or, said a different way, we in cyber security, and I include myself in that, have historically had a problem of bias, where we're looking for the answers we want versus sort of letting it speak for itself.
But at a high level, just some of the things we've seen, and acknowledging my own bias: one, we've consistently seen that critical infrastructure, especially on the operations side, is considered a valid military target by foreign states. Whether we'd like to pretend it is or not, I would say that there's a lot of standing policy in various governments around the world that targeting civil infrastructure is supposed to be off limits. But when you get into the discussion of what is civilian infrastructure, everybody's got a different definition, and then ultimately it comes down to: if it serves the government's purpose to target it, they will do so.
The second thing I think is consistent, and I don't mean any disrespect to any government, but kind of all governments fall into this, is that it is very difficult sometimes to call out bad behaviours, especially when you get more technical nuance into it. And I remember responding to the 2015 Ukraine attacks, the first time ever cyber attacks took down electric infrastructure, and advising the White House and others about a response. And no world leader ever came out and even condemned the attacks. The first time infrastructure at that level had been targeted, and nobody even said it was a bad thing to do. So I think the idea, or the precedent, that you don't need to do defence, just wait on the government and you'll be okay, is wrong. The government has an extraordinarily strong position and role and responsibility, but being your cyber defence team is not one of them. And so you just have to take responsibility.
The next thing I would say is we've seen IT security practices in OT consistently misplaced. A lot of your standards and frameworks around the world are not built off of what reduces risk. They're built off of which of the IT security controls can be applied to OT, not whether they should be applied. I'll look at patching as the very obvious one. A lot of people walk into infrastructure sites and go, my gosh, look at all these legacy systems, these vulnerabilities. By our research at my firm, we would say less than 2 to 4%, 2 to 4%, so single digits, of the vulnerabilities matter at all on industrial infrastructure. And if you try to look at how many known vulnerabilities were ever used in any actual ICS attack, you would find it being single digits, if not zero. And yet that's the first thing people want to come in and apply from IT. So by and large, what we're seeing is, yes, continued targeting.
And yes, you need to actually take an OT approach if you're going to protect OT, and you've got to play your own game. Again, governments have very strong roles to play, but you have to take responsibility for your own infrastructure.
Emily Grant: Thank you, Rob.
Was there anything you wanted to add to that Philippa?
Pip Cogswell: Look, I'll just jump in on a couple of points if I can. I think Rob summarised it very, very well. Thank you.
But he did raise a couple of points around reducing risk. Now, I think that's very true when it comes to cyber security: we kind of look at these frameworks, as Rob alluded to, and we just sort of assume that with this, we're supposed to implement all of those controls across everything in our environment, but we need people to step back and say, what is the context of our environment?
And the reality is every single environment is actually unique, even if we start talking about, you know, more common kinds of platforms being rolled out. What each business is trying to achieve, the amount of resourcing that we have, you know, whether we're multinational or whether we're working in a single location. All of these things play into us being distinctly different organisations, right?
The type of technology that we have in those organisations. So we need to consider the context of our organisation when we think about how protected we are, what we are actually there as an organisation to operate, you know, what the key threats are. So firstly, you want to say, what are the key assets, right? So it's data, information systems, services. You know, what is it that's key to that organisation?
What are the threats that we're going to see, what are the common and capable threats that we see to those types of environments? And with that, what are the impacts that we're likely to face into? And Hamish touched before on some of the financial types of losses, right, and that could be productivity, that could be reputational, it could be response costs or other things, right. But the reality is, from knowing those things, and knowing the context, the threat, your assets, what your impacts are going to be, that's where we start thinking about the controls that we want to implement. It's not all controls everywhere. We want to be protecting what's important. We want to be protecting, you know, also where we do have the need to recognise system and key business process dependencies as well.
So those are the sorts of things that we need to be looking at, again, rather than everything everywhere. The other one that I did want to just touch on is there was a mention of lessons learned. You know, I've spent years doing, you know, a lot of defensive security, whether it's as a security analyst doing incident response, threat hunting, compromise assessments or otherwise.
We are still not doing enough in the lessons learned space. There are still too few post-incident reviews actually occurring, in my opinion, right? And that is not a two day thing; that is actually an in-depth piece of how did my business respond? Who was involved, how did key stakeholders respond? What was fatigue management like across the team? A whole host of things, right. And from that, what can we make public? How can we share those true lessons learned, right? Because we don't tend to do enough of that. And some of that could be things to uplift technology, but it could very well be, oh, we really need to think about how we change that process within an organisation, or how we interact with that third party, or otherwise.
Thanks Emily.
Emily Grant: Great, thank you, Pip.
I think that question was answered really well by both Rob and Pip.
So I'm going to go to this next question for Hamish. But before I do that, I do encourage people to download our podcast, which is available on all good podcast channels. We have two seasons. We have Critical Conversations, which does include an episode with Hamish and the Ukrainian Ambassador, and we also have one on the Trusted Insider.
So addressing insider threat, like I said, you can get those on all good podcasting stations. Hamish, I'm going to hand to you now for a question from James Caws. James asks that shield five of the strategy talks about attracting global cyber talent through reforms to the migration system. What measures should Australia be considering as part of this action to ensure we don't open ourselves up to attracting malicious global cyber talent, which ends up putting our CI at increased risk of insider threat directed by foreign entities?
Hamish Hansford: Well, first of all, thanks for reading the strategy and getting to shield five, so that's amazing.
Obviously, migration is one of the answers to how we deal with cyber talent. But not the only answer, obviously, because we've got to have our own sovereign capabilities as well and build skills up everywhere from schools to TAFEs to people who are thinking about company specific cyber skills. We do have pretty strong mechanisms in the migration system to refuse or cancel visas. But if you're a company thinking about bringing somebody in from overseas, the migration system is kind of one of the elements. So are personnel and background checking and constant monitoring of people who are using your infrastructure asset or your company. And so it's a mixture of different elements that make up the personnel security of Australian companies and businesses.
The migration system will play a part and we have some pretty strong character related elements to each of our visas.
Emily Grant: Thank you, Hamish.
I hope that answers your question James.
Hamish, I am going to go straight to you for another question because I think this is quite important. The Minister has made it clear that we are contemplating amendments to the SOCI Act, which is relevant for all of those people that are online today. So are you able to give us, we understand a consultation paper will be released in due course, but can you give us any sort of little teaser on what amendments to the SOCI Act the Government is considering?
Hamish Hansford: Yeah, sure. So that part of the strategy really relates to how we build on the regime that we've got with the Security of Critical Infrastructure Act. And there are four kind of key elements. The first element is bringing telecommunications fully into SOCI. So thinking about changing the Part 14 of the Telecommunications Act obligations and moving them across to SOCI in their entirety; that's an area the Government has announced is its intention.
The second area is about whether we have truly captured managed service providers that are fundamental to the functioning of infrastructure. So that's a question the Government has asked us to explore, on the back of some of the major incidents last year. The Government has also asked us to look at whether we have captured the data that infrastructure holds where it has a consequential impact on the functioning of the infrastructure asset, so the extent to which definitions might change or be slightly expanded. That's an area the Government has asked us to look at.
And then finally, in response to a cyber incident, we had all the powers we needed for some of the major incidents last year to respond to an impact on the infrastructure asset. We didn't have the powers to manage the secondary consequences that arose from some of those attacks. And so the Government has asked us to look at what a consequence management power or direction would look like, how it would be used, and what sorts of circumstances you would envisage it being used in. So they're the four elements that we're looking at at the moment.
Emily Grant: Thank you, Hamish. And like I said at the commencement, and I think most of our stakeholders are aware, we will always do these consultation processes in consultation with you.
There will be information provided and our door will be open during that period to explain some of the changes to the SOCI Act.
I'm going to finish with one final question now, Rob. I'm going to ask you to make it snappy, maybe two or three minutes just so we can then go round for final reflections.
Rob Lee: Are you accusing me of being long winded Emily?
Emily Grant: No, no, no.
Hamish Hansford: We call it as it is in Australia don’t we!
Rob Lee: Yeah, it's good. I like it.
Emily Grant: Especially me. Anyway, so this one's quite a good question and I think it's right up your alley, Rob. So Jurgen asks, are there any examples of cyber defence being done well? What practices can Australian companies adopt?
Rob Lee: Yes, it happens quite regularly. It just doesn't make the news, and the lights stay on. And I would say it goes to some of the comments that Pip made, where we take a risk based approach. A lot of people come in and say, hey, here are your 30 or 40 controls you need to implement across your organisation, and yet it's not an enterprise IT project, it's an OT project. Which means you have hundreds of OT networks potentially. And the idea that the most critical site is getting protected in the same way, on the same timeline, as the least critical site is just bad risk management. So I would say apply the five critical controls on top of what are your high, medium and low criticality assets, at the right time. Do the highest first. You'll find that you can do it, and we've seen consistently organisations get targeted by state actors and defend themselves very, very well.
Emily Grant: You were too quick for me. I couldn't find my mute button. Thank you so much for that, Rob.
I'm just going to hand to Pip and Hamish now, quickly, just to give a quick 30 second, I guess, a synopsis or overview of their thoughts of today's session and then hand to you Rob for the final word before I close off. Pip.
Pip Cogswell: Apologies, I wasn't sure whether it was myself or Hamish going first.
Look, in terms of some of the key takeaways, I think what's really encouraging out of the current strategy and the conversation we've had today is that discussion around industry and government collaboration. I think it's absolutely important in terms of how we're going to get ahead of this and how we're going to work together. There has to be an element of trust in government; it has to be a two-way piece, right? So I think that'll be very, very important. Government's ability to leverage industry as well, in terms of scale, agility and visibility and lived experience, and Rob described some fantastic examples of how we can bring that from an industry lens into some of the government thinking. Look, they're probably some of the first things that come to mind, but without going into too much more detail, I'll let Hamish have some air time as well.
Emily Grant: Thank you Pip.
Love the comment on government industry partnerships. That's what we're all about here in the Industry Partnerships Branch, as the name suggests.
Hamish, over to you.
Hamish Hansford: Well, Emily, I might end by just issuing a challenge. And the challenge is for those people who are technically minded, who have intricate knowledge of technology, cyber security, OT security, anything that kind of lends itself to complexity, to try and think about the people you're trying to convince and the people you're trying to explain things to, because cyber security has a whole lot of cyber snobs in it. And sometimes that's witting and sometimes that's unwitting. But to actually make sure cyber is everyone's responsibility, I think those who are professionals in cyber security actually have an obligation to explain it in a much simpler way.
And as an additional challenge, if you can add a cost benefit analysis on top of it, even better.
Emily Grant: Love it. Thank you Hamish. Rob, over to you.
Rob Lee: And I would just close by saying again, it's all doable. You just have to invest in it. And I also always put out a pitch to people to play to their expertise, play to what our strengths are. Government, as an example, is really good at setting the why and the what. Why do we need to make this change? Because we're all comfortable where we are. Why do we need to take the pain of change, whether it's resourcing, whatever, and what should the outcome be? But the how ought to live with the asset owners and operators. They know how to operate those assets, the criticality of them, the importance of them, and the distinct nature of one versus another. And when we see regulatory frameworks, standards frameworks around the world, and asset owners talking with government, etc., that kind of respect those lines, where government stays on the why and the what and the asset owners on the how, it works really well. When we see people try to get overly prescriptive and not play to their strengths, we see things go extraordinarily wrong; we've got dozens of regulatory examples of that around the world that have done more damage than good.
So if we all step up, work together and play to our strengths, versus trying to do it all, it is something that adversaries quite simply can't keep up with.
Emily Grant: Thank you so much, Rob, for those remarks.
So we're going to finish up here, but Campbell's just popped a link in the chat to a couple of our products.
So just a reminder, there's still time to get involved in Critical Infrastructure Security Month. We have a tool kit available on our website, which I encourage you to download. We also have our inaugural risk review, which was released at the beginning of November. That's also available on our website.
I encourage you to follow us on Twitter, or X as it's now called, and LinkedIn. And as I said earlier, we do have a podcast out there as well.
For those of you that are protecting our critical infrastructure here in Australia, we also encourage you to become a member of the Trusted Information Sharing Network. A link to that is also in the chat.
Thank you to everybody for participating today. Thank you to those people that asked questions. As I said, this session was recorded and will be placed on the CISC website at a later date, so you can come back to watch it if you want.
Thank you so much to Rob, Pip and Hamish for your time. I know how busy you all are, but thank you so much for sharing your expertise and being a part of today.