Australia’s industrial infrastructure such as water, power, sewage and transport faces a heightened security risk as state sponsored hackers increase their activities globally.
Global cyber defence firm Darktrace, which services large infrastructure clients including in Australia, says it has observed an increasing number of state-based attacks on plants in the past two years.
Director of technology for Darktrace Industrial, Andrew Tsonchev, said infrastructure was increasingly using public internet rather than private communications.
“Critical infrastructure environments used to be very locked down and separate from the more exposed normal computers and IP systems,” he told The Australian. “Over the last few years, that separation has broken down quite a lot. There’s a lot more connection now between what used to be very, very restricted critical systems and just somebody’s laptop.”
He said Prime Minister Scott Morrison’s press conference last week warning about cyber attacks was “more of a raising of awareness announcement of an ongoing series of campaigns rather than something requiring immediate action on any particular company or industry”.
“The details of the sorts of attacks that are mentioned are very much in keeping with what we see all the time for high level type nation state attacks on critical infrastructure.”
Yesterday the Federal Government announced it would spend $1.35bn over 10 years to boost its cyber security defences. “The federal government’s top priority is protecting our nation’s economy, national security and sovereignty. Malicious cyber activity undermines that,” Mr Morrison said.
Mr Tsonchev said the incidence of physical cyberattacks and hybrid attacks was growing rapidly. “The big concern here is, obviously, if you can successfully penetrate into those systems as an attacker, you can begin to cause significant real world harm and outage through the manipulation of the physical systems involved, like turning off the power or causing serious sabotage and accidents to happen.
“A lot of the attacks that we’ve seen are simply attempts to gain entry for future weaponization … so a lot of the times they won’t be getting reported, and probably a lot of what’s been happening in Australia falls under this banner, attackers just trying to penetrate these facilities so that they have access to use (them) later down the road.
“We have critical infrastructure customers who use Darktrace where we have evidence of being attacked … fairly regularly now.
“We had a customer, a multinational construction company; recently their building management system was compromised.
“We have a customer in Australia, one of their major manufacturing plants. We found that an attacker had compromised the fingerprint scanner that was used to control physical access in and out to the machinery in the plant.
“The attacker was replacing the legitimate employees’ fingerprint data on that scanner with their own fingerprint data on that scanner.”
He said this was a prelude to people associated with that hacker entering that facility. He suspected state actors were behind these attacks rather than lone wolf hackers.
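The fingerprint-scanner incident above comes down to enrollment data on a physical-access controller being altered outside any legitimate enrollment workflow. A defender-side way to catch that is to keep a hashed baseline of every enrolled template and alert on records that change without an approved enrollment ticket, the same idea as file integrity monitoring applied to the access-control database. The following is an added illustration written for this page; it is not Darktrace code and is not tied to any real scanner's export format. The record layout, the user ids and the "approved ticket" set are all constructed for the example.

```python
"""Change detection for biometric enrollment records on an access-control device.

Added example, not code from the article or from Darktrace. Assumptions
(constructed for illustration): the device can export its enrollment table as
a list of dicts with a "user_id" and an opaque "template" field, and the
enrollment workflow produces a set of user ids whose changes were approved.
"""
import hashlib
import json
from dataclasses import dataclass


def template_fingerprint(record: dict) -> str:
    """Stable SHA-256 over the canonical JSON form of one enrollment record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def snapshot(records: list) -> dict:
    """Map user_id -> template hash for one export of the enrollment table."""
    return {r["user_id"]: template_fingerprint(r) for r in records}


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str       # "added", "removed" or "modified"
    approved: bool  # True if the change is covered by an approved enrollment ticket


def diff_enrollments(baseline: dict, current: dict, approved_changes: set) -> list:
    """Compare two snapshots; every differing user id becomes a Finding."""
    findings = []
    for uid in sorted(set(baseline) | set(current)):
        if uid not in baseline:
            kind = "added"
        elif uid not in current:
            kind = "removed"
        elif baseline[uid] != current[uid]:
            kind = "modified"
        else:
            continue
        findings.append(Finding(uid, kind, uid in approved_changes))
    return findings


def unapproved(findings: list) -> list:
    """Only the findings that should page an operator: changes with no ticket."""
    return [f for f in findings if not f.approved]


# Constructed sample data: the baseline captured at the last audited enrollment,
# and a later export in which bob's template was silently replaced and dave was
# added through the normal (ticketed) onboarding process.
BASELINE_RECORDS = [
    {"user_id": "alice", "template": "a1b2c3"},
    {"user_id": "bob", "template": "d4e5f6"},
    {"user_id": "carol", "template": "0a0b0c"},
]
CURRENT_RECORDS = [
    {"user_id": "alice", "template": "a1b2c3"},
    {"user_id": "bob", "template": "ffffff"},   # template swapped, no ticket
    {"user_id": "carol", "template": "0a0b0c"},
    {"user_id": "dave", "template": "123456"},  # new hire, ticketed
]
APPROVED_CHANGES = {"dave"}


def run_check() -> list:
    """Return the unapproved enrollment changes for the constructed sample."""
    return unapproved(
        diff_enrollments(snapshot(BASELINE_RECORDS), snapshot(CURRENT_RECORDS), APPROVED_CHANGES)
    )


if __name__ == "__main__":
    for f in run_check():
        print(f"ALERT: enrollment for {f.user_id} {f.kind} without an approved ticket")
```

The baseline should be taken from the device right after each audited enrollment session and stored somewhere the device itself cannot rewrite; otherwise an attacker with control of the scanner can move the baseline along with the templates.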
“There’s a lot less motivation for individuals to attack construction or critical infrastructure companies. It’s not obvious how an attacker will directly monetise that if they are financially motivated,” he said.
“Sometimes it’s industrial espionage. A lot of industrial espionage is nation state as well.
“There’s the potential for economic impact if you can disrupt industries like the Maersk (ransomware) attack that disrupted global shipping and caused many millions of dollars of damages to all sorts of companies in the supply chain.
“There may be an interest there for them to destabilise global supply chains, for example to see the sorts of blocks of countries that are involved in the supply chains experience economic damage and turmoil.
“We know that countries spy on other countries’ critical infrastructure environments to get competitive advantage by looking at how their heavy industry manufacturing works.”
Mr Tsonchev said a large part of spying centred around potential future conflict. “Early this year, for example, in March, we detected a number of our customers being hit by (Chinese actor) APT41, which is a Chinese activation state group that’s attributed to a wide campaign where China was just trying to gain access to these during a window of opportunity.
“There was a vulnerability that made it for a while possible to get access to these companies and so they jumped on it.”
He agreed with assessments that Australia is now more of a target for this type of attack.
“Australia has a very large base in things like mining and manufacturing. There’s also been a lot of digitisation recently in Australia, so lots of modernisation in these environments.
“We work with a number of manufacturing companies and others in Australia. We work with people like Veolia, Red Energy, Santos, and Ramelius (Resources), and there is a lot of modernisation going on.”
He said the most significant recent attacks in this area were the Triton and EKANS attacks – ransomware targeting industrial environments to knock them offline.
The Triton attack targeted Triconex Safety Instrumented Systems used for automated emergency shutdown functions in more than 11,000 plants globally. Just three weeks ago Honda was forced to shut down factories after infiltration by EKANS ransomware.
“So what the Prime Minister did is the right move, which is to raise awareness, and (place) a sort of moral pressure on private industry to step up the game and invest more. That’s not to say that I think that the private sector in Australia is not doing a good job today.
“We’ve seen good adoption, good proactiveness from the private sector in Australia, especially heavy industry and the like. So I wouldn’t say that they are better or worse than anybody else in the world.”
He said ransomware attacks on infrastructure sometimes were accidents. “Because of the way the ransomware spreads, it accidentally bleeds over into these heavily critical industrial environments, and when it hits those environments, it doesn’t work properly. All it does is just break stuff. So when it tries to encrypt them, it just causes outages.”
He said he didn’t believe it was plausible to maintain a separate internet system for critical infrastructure that prevents attacks from the public internet. “I don’t think that’s plausible or feasible. It’s not the direction of travel. The direction of travel is to converge everything critical and industrial with non critical, non industrial stuff.
“There’s a lot of movement to move these things into the cloud. The direction of travel is to move away from bespoke private infrastructure.”
Published in The Australian newspaper.