The vulnerable critical manufacturing sector accounts for many cyber security threats, according to recent research from Kaspersky, with higher levels of risk identified in ICS systems.
Kaspersky’s latest report on the state of industrial cybersecurity has some ominous warnings for Australian manufacturers.
This is a significant issue, and the Australian federal government is addressing it with new legislation. The draft Security Legislation Amendment (Critical Infrastructure) Bill 2020, which is open for consultation, addresses some of the issues and includes a security obligation for critical infrastructure entities and enhanced cyber security obligations for systems of national significance.
Kaspersky recently surveyed 337 global senior leaders including 60 from the Asia Pacific region across all major industries including oil, gas and chemical, manufacturing and energy generation. Of the businesses who participated, 61% had more than 5000 staff.
The survey found that 75% of global organisations say they are very or quite likely to suffer an industrial cybersecurity attack. Of greatest concern is the finding that 27% of respondents from the Asia Pacific fear cyber incidents could lead to loss of life, through service disruption or explosion.
“Unlike our Asian neighbours Australia hasn’t suffered a large-scale cyber-attack that has caused loss of life. But the Australian Government is investing a massive $1.67 billion over the next 10 years to ensure a more secure online world for Australians, their businesses, and essential services,” explains Mr Neil Royle, Cyber Security Consultant, Kaspersky.
“Australia has recently suffered a number of recent cyber-attacks targeting the Australian manufacturing sector, notably the Toll incident, BlueScope Steel being hit by a cyber attack that shut down its operations globally and the attack on Lion that compromised the production of milk and beer locally,” explains Mr Royle.
In August, the Australian Government released a new framework with security obligations for critical infrastructure providers. The framework focuses on uplifting security and resilience in critical infrastructure sectors such as manufacturing to make Australia’s critical infrastructure – whether owned or operated by industry or government – more resilient and secure.
This approach will prioritise acting ahead of an incident wherever possible. Cyber incidents targeting small, medium and large Australian businesses are costing the economy up to a staggering $29 billion per year, or 1.9% of Australia’s gross domestic product (GDP).
Further, it is estimated that a four-week interruption to digital infrastructures resulting from a significant cyber incident would cost the Australian economy $30 billion and around 163,000 jobs (ACSC Annual Cyber Threat Report, July 2019 to June 2020).
“Although Australia has been fortunate to avoid a catastrophic cyber security incident, we are vulnerable to the cyber-attacks experienced elsewhere in the world. Supporting the continuity of essential services in the face of disruptive or sophisticated attacks is imperative. The loss of an essential service like electricity, water or transport could have devastating impacts across Australia far beyond the targeted business,” warns Mr Royle.
Kaspersky found that respondents were also strongly concerned about the impact cyber security attacks can have on damage to company brand and reputation (23% of global and Asia Pacific respondents) along with loss of customer confidence.
A massive 81% of global respondents reported suffering one or more cyber attacks, compared to only 41% of businesses operating in the Asia Pacific region. In addition, 21% of global respondents confirmed that the cost of incidents has increased.
The pandemic has also created new challenges, including increased and accelerated digitisation of industrial and operational technology and systems used in manufacturing processes.
“In the past, the causes of anomalies in Industrial Control Systems (ICS) were often due to user errors or defective hardware and software. But, in the age of digitalisation, ICS is connected to vastly more components that, in turn, are connected directly to the internet. This makes it possible to communicate via the internet with automation systems, for example, in intelligent buildings, pipelines, or autonomous mobility. This is an emerging risk that is becoming increasingly problematic,” he warns.
Kaspersky’s research found that, in response to the pandemic, only 14% of organisations globally had revised their cybersecurity concepts, and only 7% stated that their cybersecurity strategy was sufficient during the pandemic.
“The pandemic is having the greatest impact in home office workplaces and situations where employees use their own devices to connect to the ICS network. Employees should be frequently trained and PC technology must be deployed to meet required security standards for extreme situations,” stresses Mr Royle.
In terms of Covid-19 impacts, Kaspersky found that 46% of global respondents and 41% of Asia Pacific respondents believe it will have an impact on operational technology security risks.
Additionally, 65% of businesses in Asia Pacific believe that remote work will impact their cybersecurity initiatives and 24% of businesses in Asia report that they have allocated more budget to plan for cyber secure work during disasters.
In terms of being prepared for an attack, only 29% of global respondents test their cybersecurity measures organisationally every six months or more, with 50% testing yearly or less.
Businesses in the Asia Pacific are marginally better with 31% testing their cyber security measures every six months or more.
Kaspersky confirmed that almost all respondents across the Asia Pacific are using a framework to inform their cybersecurity effort with IEC 62443, NIST and ISO 27001 being most popular.
The technical trends having the strongest impact on OT/ICS cybersecurity are cloud and SaaS use, use of industrial IoT components and use of edge computing. Ransomware, malware and viruses remain a major concern for organisations in the Asia Pacific.