Securing critical infrastructure goes beyond regulatory compliance—it’s about understanding your attack surface and adopting security controls for your sector. With the increasing convergence of IT and OT systems, new vulnerabilities need to be addressed to keep Australia’s essential services safe from relentless threats. Strategies like AI-driven threat detection, network segmentation, and alignment with ISO/IEC 62443 and ACSC’s Essential Eight ensure your organisation is protected and ready to respond.
Critical Infrastructure Resilience: A Strategic Priority
Energy, healthcare, water, and transport infrastructure underpins national security and economic stability. Resilience ensures these essential services can continue operating or rapidly recover from cyberattack disruptions. The Security of Critical Infrastructure Act (SOCI) 2018 and the Cyber and Infrastructure Security Centre (CISC) provide frameworks for protecting these vital systems in Australia. However, building resilience is more than compliance; it requires a strategic approach integrating cybersecurity into the broader organisational risk management framework. This means board-level engagement, sector-wide collaboration, and adopting proactive security postures.
IT/OT Convergence: Increasing Complexity and Risks
The integration of operational technology (OT), like industrial control systems (ICS), with information technology (IT) has exposed new vulnerabilities. Unlike IT systems, OT systems were not originally designed with cybersecurity in mind; they prioritised reliability and physical safety. OT systems also tend to have longer operational lifetimes (20-50 years) and stricter availability requirements, which complicates applying modern cybersecurity measures such as regular updates and reboots. For example, you must disrupt essential services before rebooting a water treatment facility. This makes OT systems attractive targets for cybercriminals.
Real-World Attack Examples: Learning from the Past
Ukrainian Power Grid Attack (2015):
In 2015, a cyberattack on the Ukrainian power grid caused a large-scale blackout, affecting nearly 230,000 people. Hackers infiltrated the grid using spear-phishing emails, gaining control of power substations and shutting down electricity for several hours. This attack highlighted the vulnerability of OT systems to sophisticated, coordinated cyber threats.
Saudi Incident (Shamoon Attacks, 2012 and 2016):
The Shamoon malware attack on Saudi Aramco in 2012 was one of history’s most significant OT-targeted cyberattacks, wiping data from approximately 30,000 computers. A similar attack occurred in 2016, again targeting Saudi infrastructure. These incidents underscore the catastrophic damage cyberattacks can inflict on critical sectors such as energy.
NotPetya (2017):
The NotPetya attack, which initially targeted Ukrainian systems, quickly spread globally, crippling industries from pharmaceuticals to logistics. The attack caused billions of dollars in damage and demonstrated how interconnected critical infrastructure can exacerbate the impact of cyberattacks.
Threat Intelligence Sharing: A Collaborative Defence
In Australia, cyber resilience depends on robust threat intelligence sharing across sectors. The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), promotes collaboration through alerts, advisories, and Joint Cyber Security Centres (JCSC), facilitating real-time information exchange between government, private companies, and critical infrastructure providers. Platforms like Information Sharing and Analysis Centres (ISACs) further enable sector-specific intelligence sharing, helping Australian organisations anticipate and respond to emerging threats, and strengthening national resilience.
Best Practices for Securing OT Systems
Adopting industry-recognised frameworks like ISO/IEC 62443 and aligning with the Australian Government’s Essential Eight strategies are foundational for OT resilience. These guidelines provide structured approaches to identifying vulnerabilities, implementing effective controls, and maintaining compliance with Australian regulatory expectations.
Securing OT systems requires a different approach from traditional IT security due to their distinct operational needs. Some essential practices:
Network Segmentation
Isolate OT from IT networks to limit the attack surface and prevent malware from spreading between systems.
Continuous Vulnerability Assessments:
Conduct regular, OT-specific assessments to detect and patch vulnerabilities before they can be exploited.
Incident Response Plans:
Develop response plans tailored to OT environments, ensuring operations can continue with minimal disruption in case of a breach.
Adoption of International Standards:
Implement standards such as ISO/IEC 62443 and NIST to create a structured, reliable approach to securing OT systems.
RELATED CONTENT: OT Security: Recent Attacks Expose Risks for Australia’s Critical Infrastructure
Industry-Specific Cybersecurity Strategies
Energy Sector
Real-Time Threat Detection and AI-Driven Monitoring:
AI-powered systems are vital in monitoring smart grids, allowing real-time analysis to identify suspicious activity. AI also enhances predictive threat analytics, enabling energy operators to anticipate and mitigate potential cyber risks before they can escalate.
Encryption and Intrusion Detection Systems:
Encryption is vital to protecting sensitive data on energy networks and ensuring the confidentiality of communications between energy assets. Intrusion detection systems (IDS) further safeguard operations by monitoring network traffic for anomalies and offering early alerts to potential cyber threats.
Legacy Systems and Renewable Energy Challenges:
Many energy infrastructures rely on legacy systems that must be designed with cybersecurity in mind. Retrofitting these systems with modern controls is essential to prevent vulnerabilities. The growing use of distributed renewable energy resources like wind farms also introduces risks of cascading failures across interconnected grids.
Multi-Layered Defence:
A multi-layered defence strategy, incorporating continuous monitoring, firewalls, and automated patch management, is essential for protecting energy systems. This approach addresses traditional IT threats and the risks associated with OT environments.
Strategic Intelligence and Incident Response:
Developing strategic threat intelligence enables energy companies to proactively address emerging risks, especially from nation-state actors. Regularly updated incident response plans ensure that operators can quickly recover from any successful attack, minimising disruptions to critical infrastructure
Solid cybersecurity strategies in the energy sector require a combination of AI-driven analytics, encryption, legacy system updates, and multi-layered defence mechanisms to protect against increasingly sophisticated cyber threats.
Healthcare Sector
Australia’s healthcare sector faces complex cybersecurity demands, where compliance must cover both sensitive patient data and life-sustaining medical devices. The convergence of IT systems (managing patient records) with OT systems (controlling medical devices) has expanded the sector’s digital footprint, especially with the surge in telehealth and cloud-based services since COVID-19. This shift has introduced new cyber vulnerabilities, with a 33% rise in attacks in 2023 and healthcare accounting for 15% of all Australian data breaches.
To address these dual challenges, providers follow ACSC’s Essential Eight and TGA guidelines for device security, alongside the Australian Privacy Act 1988 and Notifiable Data Breaches (NDB) scheme to safeguard data. Together, these frameworks enable healthcare providers to manage both privacy risks and device protection, building resilience across Australia’s essential healthcare services amid the complexities of IT/OT convergence.
Encryption and Secure Communication:
Medical devices often transmit sensitive patient data across networks, making data encryption essential in transit and at rest. Robust encryption protocols ensure that patient information remains confidential, even if intercepted during transmission. Insecure communication protocols are a common issue, and addressing this vulnerability with encrypted connections helps protect data from being accessed or altered by unauthorised parties.
Multi-Factor Authentication (MFA) and Access Controls:
Multi-factor authentication (MFA) is crucial to safeguard these devices further. MFA significantly reduces the risk of unauthorised access to medical devices and related systems by requiring multiple verification forms. Coupled with role-based access control (RBAC), these measures ensure that only authorised personnel can access sensitive functions and data, such as adjusting insulin pumps or pacemaker settings.
Regular Audits and Firmware Updates:
Regular security audits of connected devices help identify vulnerabilities, such as outdated software or weak security configurations. Audits also ensure that security practices comply with industry regulations like the FDA’s guidelines and HIPAA requirements. Additionally, manufacturers’ timely firmware updates are crucial for patching newly discovered vulnerabilities before they can be exploited.
Network Security and Segmentation:
Since many medical devices are connected to hospital networks, network segmentation is essential to isolate critical systems from general IT networks. This limits the potential damage if one device or system is compromised, preventing widespread access to the hospital’s broader network infrastructure. Regular network monitoring and intrusion detection systems (IDS) also play a critical role in detecting and responding to suspicious activity in real-time.
Global and Local Standards and Compliance:
Adopting international standards like ISO 27001 and IEC 80001-1 provides Australian healthcare organisations with a solid foundation for cybersecurity, setting guidelines for the secure management, development, and operation of connected medical devices.
However, in addition to these global standards, Australian healthcare providers should align with local frameworks, such as the Privacy Act and NDB scheme, which is the ACSC’s Essential Eight Maturity Model.
These local standards address unique regional regulatory and compliance requirements, such as data breach notifications and privacy mandates specific to Australian law. By integrating global best practices and these local standards, healthcare organisations can strengthen cybersecurity resilience, protect patient data more effectively, and ensure compliance with Australian regulations.
Transport Sector
Australia’s transport infrastructure, covering 800,000 kilometres of road and critical rail networks, relies on robust OT systems for real-time data flow, especially in smart transport systems (ITS) in cities like Sydney and Melbourne. These systems are crucial for managing V2X (Vehicle-to-Everything) communications, ensuring the safe and efficient movement of vehicles, passengers, and goods. Safety and supply chain reliability risks are increasing, with a study by BlueVoyant revealing a 17% rise in negative impacts from supply chain cyber breaches among Australian organisations. The Australian Cyber Security Strategy 2023 prioritises OT resilience, urging transport operators to enforce stringent cybersecurity and layered defences to keep Australia’s transport networks secure and future-ready.
Blockchain and Encryption for Secure Communications:
Blockchain technology is being used to create secure, decentralised networks to ensure the security of data flowing between vehicles and traffic management systems. Blockchain provides records with immutability, making it difficult for cybercriminals to alter or corrupt data.
This is particularly important in vehicle-to-everything (V2X) communications, which involve data exchanges between vehicles and infrastructure (e.g., traffic signals and road sensors). Blockchain technology helps secure these communications by preventing tampering and providing a transparent, tamper-proof record of all transactions.
Alongside blockchain, encryption remains a cornerstone of transport cybersecurity. Encrypting data transmitted between vehicles, infrastructure, and traffic control centres ensures that sensitive information is protected from eavesdropping or tampering. In vehicle-to-vehicle (V2V) communications, encryption prevents malicious actors from accessing crucial data, such as vehicle speed and location, which could otherwise be used to disrupt traffic flows or cause accidents.
Artificial Intelligence and Secure Over-the-Air (OTA) Updates:
Artificial intelligence (AI) in cybersecurity allows for real-time monitoring and detection of anomalies in data communication, which can quickly flag suspicious activity. For example, AI-driven security systems can learn typical data patterns and identify deviations that might indicate a cyberattack. This is particularly useful for connected and autonomous vehicles, which rely heavily on secure, real-time data exchanges.
Over-the-air (OTA) updates also play a crucial role in securing vehicle systems. OTA updates allow manufacturers to remotely patch vulnerabilities in-vehicle software, ensuring that vehicles remain protected against emerging cyber threats without requiring them to visit service centres.
By applying these updates securely, transport systems can continuously address security gaps that cybercriminals may exploit.
Network Segmentation and International Standards:
Network segmentation is a crucial security measure isolating different transport network parts. This means that if one section of a network is compromised—such as a vehicle’s infotainment system—it cannot be used to access more sensitive parts of the system, such as traffic management controls. In this way, isolating networks minimises the damage a potential breach could cause.
Complying with international standards, such as ISO 27001, further strengthens the cybersecurity framework of transportation systems. These standards guide organisations in developing robust security practices, ensuring that data exchanges across different systems are protected from internal and external threats.
The transport sector implements blockchain technology, encryption, AI monitoring, OTA updates, and network segmentation to protect against increasingly sophisticated cyber threats. These measures ensure the integrity of the real-time data exchanges critical to the functioning of modern transport systems.
Water Sector
Over 80% of Australians rely on OT-integrated municipal water supplies, making the sector highly vulnerable to cyber threats. Over 30% of water treatment facilities are in regional or rural areas, extending from cities to remote locations. The 2023 State of the Environment report warned that cyberattacks on these systems could harm communities, agriculture, and industry, worsening water scarcity.
The SOCI Act 2018 mandates stringent cybersecurity measures for water and sewerage, requiring water operators to address risks specific to Australia’s geographic and water management challenges.
Real-Time Monitoring & Incident Response:
Implementing continuous monitoring with real-time threat detection allows water utilities to identify and respond swiftly to potential incidents. Automated alerts and well-practised incident response plans help mitigate the impact of cyber intrusions, reducing downtime and ensuring system stability.
Supply Chain Risk Management:
Ensuring that third-party vendors meet cybersecurity standards is essential in the water sector. Water utilities protect themselves from indirect attacks by securing the supply chain and maintaining control over their networks and data integrity.
Advanced Network Segmentation:
Separating IT and OT networks within water facilities limits the spread of cyber threats. By isolating critical OT systems, organisations can prevent attackers from moving between systems if one segment is compromised, ensuring essential water processes remain operational.
Regular Vulnerability Assessments & Penetration Testing:
Conducting periodic vulnerability assessments and penetration testing identifies system weaknesses, allowing water utilities to patch vulnerabilities and strengthen their defences. This proactive approach is essential for OT systems, which may run on legacy hardware and are more vulnerable to attacks.
The Role of Governance: Cybersecurity at the Board Level
In Australia, cybersecurity governance must be integral to board-level oversight, especially within industries managing critical infrastructure. A comprehensive approach to GRC (Governance, Risk, and Compliance) ensures that cybersecurity aligns with the organisation’s overall risk framework. It extends to IT and OT environments, often vulnerable to unique threats.
Australian regulations such as the SOCI Act 2018 and APRA’s CPS 234 enforce rigorous standards for safeguarding essential OT assets. These regulations mandate that boards review risk management annually and clarify that directors must proactively ensure cyber resilience across IT and OT landscapes.
To reinforce OT security, boards and CISOs should advocate for approaches integrating local guidelines, like the ACSC’s Essential Eight, with global frameworks such as ISO 27001.
This combination fosters a resilient, adaptable security framework designed to meet the unique challenges of Australian infrastructure. By incorporating regular updates, independent audits, and tailored risk assessments, boards are better equipped to maintain strong oversight. This proactive approach ensures that organisations stay resilient, informed, and prepared to secure operations effectively across all sectors.
Cybersecurity as a Strategic Priority
Board members are crucial in establishing a cyber-resilient culture across the organisation. They must ensure that cybersecurity is integral to business strategy, risk management, and governance. This involves IT and OT systems oversight, as cyber risks in these areas are interconnected and can impact an organisation’s ability to operate efficiently.
In converged IT/OT environments, boards should treat cybersecurity as an operational and strategic priority within broader risk management frameworks. Australia’s Critical Infrastructure Risk Management Program (CIRMP), part of the SOCI Act 2018, underscores this need, mandating rigorous oversight of asset visibility and cybersecurity across OT environments.
One key challenge boards face is understanding the technical complexities of cybersecurity. To address this, appointing a Chief Information Security Officer (CISO) or ensuring direct reporting from the cybersecurity leadership team to the board is essential. This helps translate technical risks into business terms the board can act on.
Regular Audits and Risk Assessments
Boards should mandate regular cybersecurity audits and risk assessments that extend beyond compliance checks to address real-world IT and OT vulnerabilities. Australian organisations must align these assessments with CIRMP requirements to ensure continuous monitoring and preparedness against threats, particularly in the public sector. Assigning oversight to a Chief Information Security Officer (CISO) or similar role with expertise in both IT and OT provides direct reporting channels to the board, translating complex technical risks into actionable insights for informed decision-making.
Adoption of International Standards
Adopting internationally recognised cybersecurity standards, such as ISO/IEC 62443 for OT environments or the NIST Cybersecurity Framework for broader IT/OT integration, allows the organisation to follow best practices in securing critical infrastructure. These standards provide a structured approach to identifying risks, setting goals for cybersecurity maturity, and implementing the necessary controls. Compliance should extend beyond regulatory adherence, as it is vital to sustain operations and essential services across Australia’s vast and interconnected critical infrastructure sectors.
Boards should ensure that their organisation adopts these standards and continuously benchmarks its progress against them.
Collaboration Across Departments and Industry
Cybersecurity should not operate in silos. Boards must foster collaboration between IT, OT, and other departments to ensure comprehensive coverage of all vulnerabilities. This includes encouraging cross-functional teams to address incident response, patch management, and security governance issues.
Leaders should also actively encourage participation in intelligence-sharing platforms such as the Joint Cyber Security Centres (JCSC) to pool intelligence, gain industry-wide insights, and preemptively address Australian critical infrastructure risks. These platforms are critical in defending against systemic risks, where an attack on one entity could cascade through the supply chain, affecting entire industries.
Board-Level Accountability and Metrics
Accountability for cybersecurity at the board level ensures that governance is reactive and proactive. With the 2024 Cybersecurity Act reinforcing the need for active oversight, these governance practices for organisations navigating IT/OT convergence are foundational in protecting Australia’s essential services and maintaining public trust in critical infrastructure. Boards must implement metrics and key performance indicators (KPIs) that track the organisation’s cybersecurity posture. These should include measures of vulnerability management, incident response times, and the effectiveness of training programmes.
Having the right metrics ensures that cybersecurity is continuously improved rather than treated as a one-time project.
Additionally, assigning cybersecurity accountability to a senior executive ensures a clear chain of command. Many organisations implement RACI (Responsible, Accountable, Consulted, and Informed) charts to define roles and responsibilities at the highest levels of the organisation.
Building a Resilient Future
The convergence of IT and OT systems has introduced new risks and opportunities for resilience. The resilience of our essential services—energy, water, transport, and healthcare—relies on more than compliance; it requires forward-thinking governance, real-time adaptability, and strong collaboration across sectors. By prioritising tailored frameworks like the CIRMP and leveraging national resources like the Joint Cyber Security Centres, Australian organisations are stepping up to the challenge. By doing so, they can build more robust defences, protect critical infrastructure, and ensure the continuity of essential services in an increasingly connected world.
Share
