{"id":36846,"date":"2018-01-24T12:30:27","date_gmt":"2018-01-24T01:30:27","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=36846"},"modified":"2018-01-24T11:41:47","modified_gmt":"2018-01-24T00:41:47","slug":"rethinking-security-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/","title":{"rendered":"Rethinking the security of our critical infrastructure"},"content":{"rendered":"
<\/figure>\n

Many people believe that the internet of things (IoT) is aimed simply at supplying consumers with connected household devices. However, data from Intel<\/a> shows that over 75% of devices are used in manufacturing, retail and healthcare. In short, the \u2018vast majority of IoT devices today are used by businesses, not consumers\u2019<\/a>.<\/p>\n

The introduction of industrial internet of things technology offers businesses many benefits, like production-line tracking and remote worksite management. But it also increases the attack surface for malicious actors. I wrote last year in The Strategist<\/em> about the scary nature of the IoT<\/a> and the difficulty in developing IoT security standards<\/a>. Those issues pale in comparison to the havoc that could be caused by industry-level security breaches.<\/p>\n

Major attacks on critical infrastructure have already occurred in Ukraine<\/a> and Germany<\/a>. In 2010, information about the now infamous Stuxnet virus<\/a> came to light, detailing how it had been designed to ruin hundreds of centrifuges used in Iran\u2019s uranium enrichment program. It was the first time a digital weapon was intentionally used by a nation-state to physically damage an adversary\u2019s industrial control system.<\/p>\n

The US Department of Homeland Security has identified 16 sectors<\/a> that it considers to be vital components of critical infrastructure, including such things as \u2018commercial facilities\u2019\u2014shopping and convention centres, office and apartment buildings, and other sites where large numbers of people gather\u2014emergency and financial services, and information technology. In May 2017, President Donald Trump issued an executive order<\/a> to further strengthen the cyber security of the nation\u2019s critical infrastructure.<\/p>\n

In Australia, our view of critical infrastructure is generally confined to physical systems that enable telecommunication, water and energy services to operate unimpeded. We need to rethink our approach. Our outdated, horizontal understanding of critical infrastructure downplays the co-dependent relationships between sectors. American cybersecurity expert Melissa Hathaway proposes switching the focus to critical services<\/a>. Using that approach, energy and the internet (or telecommunications as a whole) would sit atop a hierarchy of other services that rely on the first two to operate.<\/p>\n

In both the US and Australia, a majority of critical infrastructure is privately owned, making common standards difficult to enforce. In addition, many industrial control systems were constructed in the mid- to late 20th century, when the internet was fresh and cybersecurity wasn\u2019t a major concern. Adapting or replacing legacy systems and protocols presents a serious challenge, which has often been used as an excuse to continue to use outdated and unsafe technology.<\/p>\n

A campaign<\/a> against the use of smart meters was launched in Australia in 2013 after a study<\/a> from the University of Canberra revealed privacy and safety vulnerabilities in similar devices used overseas. Some smart meters collect personal information that could reveal when users are away from home, and even disclose how often appliances are used. Such devices could also prove dangerous for utility providers. Several years ago, hackers cost the Puerto Rican power company as much as $400\u00a0million<\/a> by compromising smart meters.<\/p>\n

So what damage could a cyberattack on Australia\u2019s critical infrastructure inflict? Well, we already know. South Australia\u2019s 2016 statewide blackout<\/a> had effects similar to a cyberattack. A once-in-50-year storm disrupted crucial services such as energy, telecommunications, finance, transport and the internet. Nearly two million people lost power. Trains and trams stopped working, as did many traffic lights, creating gridlocks on flooded roads. An unknown number of embryos<\/a> died at a fertility clinic in Flinders Hospital when a backup generator failed. The average financial loss to businesses was $5,000, with total losses of $367\u00a0million.<\/a> The incident highlighted<\/a> the danger of cascading failures in interconnected<\/a> critical infrastructure.<\/p>\n

Disrupting utilities that power an entire city could cause more damage than traditional terror tactics such as bombings, and can be performed externally with more anonymity. Again, severe storms provide an example: a loss of power can cause more deaths than the physical destruction itself. When Hurricane Irma damaged a transformer, for example, and the air conditioning failed, 12 residents<\/a> at a Florida nursing home died of suspected heat-related causes.<\/p>\n

The risks associated with industrial control systems don\u2019t only affect human safety; they threaten the environment as well. In Australia\u2019s first case of industrial hacking in 2000, Vitek Boden<\/a> compromised the Maroochy Shire Council water system, sending a million litres of sewage into parks and waterways.<\/p>\n

Our heavy reliance on connected devices means that exploitation of internet-dependent platforms can cause not only physical disruption, but also financial chaos. Last week the World Economic Forum<\/a> revealed that the financial damage caused by an attack against a cloud-computing firm could equal or surpass that caused by Hurricane Katrina. That fact further supports the notion of switching the focus from physical infrastructure to critical services. The Australian government\u2019s creation of the Critical Infrastructure Centre<\/a>, which includes information technologies and communication networks<\/a> in its definition of critical infrastructure, is a step in the right direction. And in March, ASPI will publish a report detailing IoT vulnerabilities and critical service protection, along with recommendations to address them.<\/p>\n

But it\u2019s clear that to safeguard Australia\u2019s critical services from cyberattack, we need to improve communication and coordination between service providers, and to clarify the roles and responsibilities of cyber agencies. We must also prioritise the introduction and adoption of safety guidelines for IoT devices and strengthen international collaboration in this area.<\/p>\n

The threats to energy grids, commercial facilities and online platforms vary significantly, yet all share a similar, frightening susceptibility to cyberattack. It\u2019s a worry that\u2019s not going to go away.<\/p>\n","protected":false},"excerpt":{"rendered":"

Many people believe that the internet of things (IoT) is aimed simply at supplying consumers with connected household devices. However, data from Intel shows that over 75% of devices are used in manufacturing, retail and …<\/p>\n","protected":false},"author":680,"featured_media":36847,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[1395,95,914],"class_list":["post-36846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-critical-infrastructure","tag-cyber-security","tag-internet-of-things"],"acf":[],"yoast_head":"\nRethinking the security of our critical infrastructure | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Rethinking the security of our critical infrastructure | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Many people believe that the internet of things (IoT) is aimed simply at supplying consumers with connected household devices. However, data from Intel shows that over 75% of devices are used in manufacturing, retail and ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2018-01-24T01:30:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-01-24T00:41:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/01\/computer-2196819_640.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"426\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Eliza Chapman\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Eliza Chapman\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/01\/computer-2196819_640.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/01\/computer-2196819_640.jpg\",\"width\":640,\"height\":426},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/\",\"name\":\"Rethinking the security of our critical infrastructure | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#primaryimage\"},\"datePublished\":\"2018-01-24T01:30:27+00:00\",\"dateModified\":\"2018-01-24T00:41:47+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/c23d92db95f5817d2432b94c4511c30f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Rethinking the security of our critical infrastructure\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/c23d92db95f5817d2432b94c4511c30f\",\"name\":\"Eliza Chapman\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/028215f3d9a2e12e4143cdf7fd9030fb?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/028215f3d9a2e12e4143cdf7fd9030fb?s=96&d=mm&r=g\",\"caption\":\"Eliza Chapman\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/eliza-chapman\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Rethinking the security of our critical infrastructure | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/","og_locale":"en_US","og_type":"article","og_title":"Rethinking the security of our critical infrastructure | The Strategist","og_description":"Many people believe that the internet of things (IoT) is aimed simply at supplying consumers with connected household devices. However, data from Intel shows that over 75% of devices are used in manufacturing, retail and ...","og_url":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2018-01-24T01:30:27+00:00","article_modified_time":"2018-01-24T00:41:47+00:00","og_image":[{"width":640,"height":426,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/01\/computer-2196819_640.jpg","type":"image\/jpeg"}],"author":"Eliza Chapman","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Eliza Chapman","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/01\/computer-2196819_640.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/01\/computer-2196819_640.jpg","width":640,"height":426},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/","url":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/","name":"Rethinking the security of our critical infrastructure | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#primaryimage"},"datePublished":"2018-01-24T01:30:27+00:00","dateModified":"2018-01-24T00:41:47+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/c23d92db95f5817d2432b94c4511c30f"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/rethinking-security-critical-infrastructure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Rethinking the security of our critical infrastructure"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/c23d92db95f5817d2432b94c4511c30f","name":"Eliza Chapman","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/028215f3d9a2e12e4143cdf7fd9030fb?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/028215f3d9a2e12e4143cdf7fd9030fb?s=96&d=mm&r=g","caption":"Eliza Chapman"},"url":"https:\/\/www.aspistrategist.ru\/author\/eliza-chapman\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/36846"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/680"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=36846"}],"version-history":[{"count":3,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/36846\/revisions"}],"predecessor-version":[{"id":36851,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/36846\/revisions\/36851"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/36847"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=36846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=36846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=36846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}