A rise in ransomware incidents and the embrace of artificial intelligence are considered potential data risks facing Australia’s critical infrastructure organisations, according to a new report. This news comes as new cyber security rules under the Security of Critical Infrastructure Act 2018 come into force in August 2024.
The Critical Infrastructure Edition of the 2024 Data Threat Report, by technology organisation Thales, found that ransomware incidents at critical infrastructure organisations are on the rise globally — even as these organisations explore the applications and data risks of AI.
In a conversation with TechRepublic, Thales’ ANZ Director of Data Security Erick Reyes said ransomware attackers are most likely to target critical infrastructure organisations that hold critical data. He recommends taking a multi-layered approach to security, making it a foundational part of technology development.
Thales’ report found that 42% of critical infrastructure organisations in all global markets surveyed were breached at some point in the past — 7% lower than all industries. Over the last 12 months, just 15% had been breached, down from 22% when the survey was conducted in 2021.
Twenty-four per cent of global critical infrastructure organisations reported that they had experienced a ransomware attack in the past — up 4% from 2022. Globally, only 15% of organisations surveyed had a formal response plan for a ransomware attack, 5% lower than across all industries.
SEE: How improving industrial cyber security basics could help in APAC
Human error led to 34% of cloud-based data breaches in critical infrastructure, 4% higher than the average of all industries. Failure to apply multi-factor authentication to privileged accounts was also a significant problem, causing 20% of breaches, 6% higher than other industries combined.
Twenty-six per cent of critical infrastructure organisations plan to integrate AI into their core products in the next year. Thales said AI adoption is happening despite critical infrastructure being most concerned (69%) about managing the rapid environmental and operational risks of the emerging technology.
Reyes said that Australian critical infrastructure organisations surveyed in the 2024 Data Threat Report, along with others in the market, reported similar feedback to their global counterparts. This was particularly the case when it came to the threat of ransomware.
The value of the data being held by these organisations was the essential driver of cyber criminals, he said.
“For critical infrastructure organisations in Australia, once you are also dealing with very critical data, that is when you become prime targets for cyber criminals,” he explained.
The embrace of AI is also taking place among critical infrastructure organisations in Australia.
Reyes said most critical infrastructure organisations — from telecommunications providers to those in the transport and logistics sector — had been investing in AI technologies in recent years. They were seeking to make their operations more efficient, drive cost savings, and innovate, he said.
The push to innovate is driving organisations to rapidly adopt AI. Reyes said, “Whether or not cybersecurity teams are prepared to meet what’s coming is what is keeping most people awake at night.”
Enhanced regulation could push Australian critical infrastructure organisations to be more secure.
The Security of Critical Infrastructure Act 2018, which governs critical infrastructure risks in Australia, was amended in 2020 to expand the definition of critical infrastructure to a broader range of industries, including financial services, health, higher education, and data storage and processing.
Cyber security is a focus for organisations under the SOCI Act. New rules introduced in August 2024 require critical infrastructure entities to have established and maintain a cybersecurity framework for their level of maturity to protect data as part of a broader risk management program.
SEE: Should Australian cyber security pros be worried about state-sponsored attacks?
Thales’ report showed a strong correlation between compliance achievements and reduced breaches: Among those critical infrastructure respondents who said they had failed a compliance audit in the last 12 months, 84% reported having experienced some breach in their history.
In contrast, among critical infrastructure organisations that did not fail a compliance audit, only 17% have any breach history and only 2% were breached in the last 12 months.
The SOCI Act could mean more positive security outcomes for critical infrastructure. Reyes said some less operational technology-reliant industries, like financial services, are leading the way for data protection, while more traditional industries with operational technology are still catching up.
He added that OT is becoming more of a target for cyber criminals as operational technology merges more with IT. While traditional critical infrastructure organisations are on the pathway towards better security through more knowledge and awareness, Reyes warned that “we are not there yet.”
Australian critical infrastructure organisations must focus on security, Reyes said.
“They know this is important; they know what they need to do; they know what good cyber modelling looks like,” he said. “It’s now more about how they become proactive and ask how they can take that a step further where, if something does happen, they know that the critical assets they have can be protected.”
DevSecOps offers a valuable framework for organisations to consider when addressing both the IT and OT aspects of critical infrastructure. Reyes emphasized not underestimating the requirement for good security practices throughout the process.
While security at the edge through identity management is important, Reyes said that critical infrastructure organisations will increasingly need to think multi-dimensionally about how to protect critical assets. This starts with knowing the assets they have to protect, why they must protect them, and then controlling those risks.
Reyes mentioned that risks from supply chains, as well as emerging technologies like AI or quantum computing — areas where NIST has recently released new standards — are all factors that critical infrastructure providers must consider as part of a multi-layered approach.
The 2024 Data Threat Report concluded that critical infrastructure enterprises must take proactive measures they can control. That may involve implementing formal ransomware responses to successfully comply with auditing.
“New technologies like 5G, cloud, IAM, and GenAI promise new efficiencies when programmed into CI operations,” the report said. “Higher expectations and increased commitments around operational resilience and reliability will drive enterprises to a position of greater security and less susceptibility.”