Rising ransomware incidents and the adoption of artificial intelligence are seen as potential data risks facing Australia’s critical infrastructure organisations, according to a new report. This news comes as new cybersecurity rules under the Critical Infrastructure Security Act 2018 come into effect in August 2024.
The Critical Infrastructure edition of the 2024 Data Threat Report, produced by technology organisation Thales, found that ransomware incidents in critical infrastructure organisations are increasing globally, even as these organisations explore AI applications and data risks.
In a conversation with TechRepublic, Thales ANZ data security director Erick Reyes said ransomware attackers are more likely to target organizations with critical infrastructure that hold critical data. He recommends taking a multi-layered approach to security, making it a core part of technology development.
Critical infrastructure organizations juggle ransomware and AI
The Thales report found that 42% of critical infrastructure organisations across all global markets surveyed had experienced a security breach at some point in the past, down 7% across all industries. In the past 12 months, only 15% had experienced a security breach, down from 22% when the survey was conducted in 2021.
Ransomware is on the rise, but preparation is lacking
Twenty-four percent of critical infrastructure organizations globally reported that they had experienced a ransomware attack in the past, up 4% from 2022. Globally, only 15% of organizations surveyed had a formal response plan for a ransomware attack, down 5% across all industries.
SEE: How improving industrial cybersecurity basics could help in APAC
Data breaches: often the result of human error
Human error caused 34% of cloud data breaches in critical infrastructure, 4% higher than the average across all industries. Lack of multi-factor authentication enforcement on privileged accounts was also a major issue, causing 20% of breaches, 6% higher than other industries combined.
AI adoption is happening despite concerns about risks
26% of critical infrastructure organizations plan to integrate AI into their core products over the next year. Thales said AI adoption is happening despite critical infrastructure being the most concerned (69%) about managing the rapidly emerging technology’s environmental and operational risks.
Ransomware has become a global problem
Reyes said Australian critical infrastructure organisations surveyed in the 2024 Data Threat Report, along with others in the market, reported similar feedback to their global counterparts. This was particularly the case when it came to the threat of ransomware.
The value of the data held by these organisations is the main driver for cybercriminals, he said.
“In the case of critical infrastructure organisations in Australia, when they also deal with highly critical data, they become prime targets for cybercriminals,” he explained.
What is it that “keeps most people up at night”?
AI adoption is also occurring among critical infrastructure organisations in Australia.
Reyes said most critical infrastructure organizations, from telecom providers to those in the transportation and logistics sector, had been investing in AI technologies in recent years. They were looking to make their operations more efficient, generate cost savings and innovate, he said.
The drive to innovate is prompting organizations to rapidly adopt AI. Reyes said, “What people are most concerned about is whether or not cybersecurity teams are prepared to deal with what is coming.”
The SOCI Act could help make Australia's critical infrastructure secure
Better regulation could push Australian critical infrastructure organisations to become more secure.
Australia introduced the new SOCI Act in 2018
The Critical Infrastructure Security Act 2018, which regulates risks to critical infrastructure in Australia, was amended in 2020 to expand the definition of critical infrastructure to a broader range of industries, including financial services, healthcare, higher education, and data storage and processing.
Cybersecurity is a priority for organisations under the SOCI Act. New rules introduced in August 2024 require critical infrastructure entities to have established and maintained a cybersecurity framework commensurate with their maturity level to protect data as part of a broader risk management programme.
SEE: Should Australian cybersecurity professionals be concerned about state-sponsored attacks?
Raising the level of compliance makes violations more difficult
The Thales report showed a strong correlation between compliance achievements and reduced breaches: Among critical infrastructure respondents who said they had failed a compliance audit in the past 12 months, 84% reported having experienced a breach in their history.
In contrast, among critical infrastructure organizations that did not fail a compliance audit, only 17% have a history of violations and only 2% experienced breaches in the past 12 months.
Further security improvements can be implemented.
The SOCI Act could mean more positive security outcomes for critical infrastructure. Reyes said some industries less reliant on operational technology, such as financial services, are leading the way in data protection, while more traditional industries with operational technology are still catching up.
He added that OT is becoming an increasingly important target for cybercriminals as operational technology merges more with IT. While traditional critical infrastructure organizations are on the path to improving security through increased knowledge and awareness, Reyes cautioned that “we are not there yet.”
Where Australian organisations should focus
Australian critical infrastructure organisations must focus on security, Reyes said.
“They know this is important, they know what they need to do, they know what a good cyber model looks like,” he said. “Now it’s more about how they become proactive and ask themselves how they can take this a step further so that if something happens, they know that the critical assets they have can be protected.”
Integrating security as part of future design
DevSecOps offers a valuable framework that organizations should consider when addressing the IT and OT aspects of critical infrastructure. Reyes stressed that the need for good security practices throughout the process should not be underestimated.
A multi-layered approach to CI security
While security at the edge through identity management is important, Reyes said critical infrastructure organizations will increasingly need to think multidimensionally about how to protect critical assets. This starts with knowing what assets they need to protect, why they need to protect them, and then controlling those risks.
Reyes mentioned that supply chain risks, as well as emerging technologies such as AI or quantum computing (areas in which NIST has recently published new standards) are factors that critical infrastructure providers must consider as part of a multi-layered approach.
Transforming knowledge into proactivity
The 2024 Data Threat Report concluded that businesses operating critical infrastructure must take proactive measures that they can control, which may involve implementing formal ransomware responses to successfully pass audits.
“New technologies such as 5G, cloud, IAM and GenAI promise new efficiencies when programmed into continuous integration operations,” the report states. “Higher expectations and greater commitments around operational resilience and reliability will move enterprises into a position of greater security and less susceptibility.”