The introduction of the industrial internet of things (IoT) across production and supply lines is likely to lead to a broader number of cyber risks and potential attacks.

Australia’s critical industrial infrastructure is at heightened risk of cyberattacks due to increased connectivity across production and supply lines, risk experts have warned.

The introduction of the industrial internet of things (IoT) across production and supply lines is likely to lead to a broader number of cyber risks and potential attacks.

Australia’s reliance on operational technology to run its water supply, energy production and transport leave it highly vulnerable to state-sponsored or criminal cyberattacks, according to cyber risk analysts.

In the wake of Petya malware attacks in 2017, infrastructure providers are on red alert for potential malicious cyber incidents. According to the Australian Criminal Intelligence Commission, cybercrime costs the economy $1 billion annually in direct costs alone.

Craig Searle, the founder of cybersecurity consultancy Hivint, says energy security is an “ongoing concern”, “whether it be the ability to get access to the necessary resources and technology required to provide energy at scale, or the risk of disruption to established and relatively reliable energy infrastructure”.

Searle added: “Disruption via deliberate means will undoubtedly become a more attractive attack vector during times of conflict or escalated tensions between nations due to its asymmetric and highly visible nature.”

Searle says the “potential for disruption and failures” could hit Australia the hardest. He called on critical infrastructure operators to make a concerted effort on cyber.

“An industry-wide focus is necessary to recognise the risk to the sector through poor cybersecurity practices and the potential for significant disruption that may occur as a result.”

Susie Jones, director and co-founder of Cynch security, believes the nation’s infrastructure operators are aware of the potential threat and subject to “thousands, if not millions” of attacks each day.

Jones says the cyberattack prevention work already conducted by infrastructure companies should “not be underestimated”. However, she warns the impact could be huge if operators fail to keep on top of the issue. “There’s some comfort to be taken in the fact there hasn’t been a large outage, but that’s not to say it won’t happen in the future. There will be incidents like there are in every business.”

Jones added: “A worst-case scenario there could be a major power outage or hit to the water supply, and that threat cannot be underestimated,” Jones said. “It’s a question of whether cyber risk is being treated as the number one risk [by industrial infrastructure operators]. I would argue it should be.”

“We have such a large landscape, and it is just such a difficult issue to sort out. The internet of things and greater connectivity brings us under greater threat,” Jones said.

Neil Smith, a senior figure from Schneider Electric, recently warned of the grave threat facing Australian infrastructure operators. Smith believes the infra sector “needs to lift its cybersecurity game or face devastating consequences”.

Smith believes businesses need layered defences against cyberattacks,

Jones believes the threat will come from state-sponsored actors as well as opportunistic criminals.

“There’s a lot of money to be made, so naturally they are going to be a target. But there’s no shortage of threats that come from [states] as well.

Jones said infrastructure operators need to take a “holistic view” of their computer systems “and what they are connecting” to their systems. “It’s about understanding the entire network and assets, and what goes into the data systems of critical operations,” she added.

Jones says infrastructure operators need to go further than corporates.

“Depending on the criticality of your company, as well as to the nation, you will need to gold plate things a lot more. Standards are higher than standard corporates. They greater budgets, greater resources, support and visibility of their network,” Jones said.

Schneider Electric’s Smith called for mandatory reporting on cyber breaches affecting national infrastructure. He said Australia should follow the UK and Europe by introducing risk-based cybersecurity management for operational technology systems.

Jones said regulation could encourage best practice on the topic.

“Enforcing regulation only goes so far in protecting the asset. But it can make discussions easier, and help when it comes to allocating budgets. For any operators with competing priorities, regulation could help them get the budget they need,” she added.

Searle believes Australian authorities will sharpen their focus on infrastructure cyber risk in the coming years.

“In the energy space, The Australian Energy Market Operator (AEMO) has taken on a more active and visible role in managing the cybersecurity posture of the energy marketplace as a whole, which is a positive change. It has stopped short of regulation yet, but there are encouraging signs around the Federal Government via AEMO gaining improved insight into the cybersecurity posture of energy market participants via the release of the Australian Energy Sector Cyber Security Framework,” Searle added.