Critical Infrastructure is Under Attack from Hackers

Why a ‘Wait and See’ Approach May Prove Disastrous for Australia

Earlier this month, Australian security researcher Sick Codes hacked a John Deere 4240 display and installed the vintage 1990s video game DOOM. This demonstration showed just how easy it is to infiltrate our agriculture. By using code freely available on the internet, it took no time to get through their unsecured operating system.

The demonstration shook security experts around the nation, as it showed just how open the agriculture industry is to attacks that could compromise food safety, quality and supply. However, it’s not the only industry that needs to shore up its defences.

Last week in the UK, South Staffordshire Water, which provides drinking water for over 1.6 million people, was attacked. The hackers caused disruption to corporate IT networks, stole over 5TB of data and attempted to extort a ransom payment for its release.

A similar attack occurred at a water treatment plant in Florida last year, where hackers were able to tamper with chemical levels in the water supply. It caused the water supply to become so toxic, it would’ve been poisonous to drink. Thankfully, the incident was caught and contained before any water left the plant.

Other concerning attacks on critical infrastructure around the world include:

  • Triton malware attack in 2017 on a Saudi petrochemical plant that allowed hackers to take over their safety instrument systems,
  • 2016 attack on Ukraine’s power facility PrykarpattyaOblenergo, leaving half the population of the Ivano-Frankivsk region without power during winter,
  • 2016 attack on San Francisco’s MUNI light-rail system, accessing and encrypting over 2000 office systems that caused their ticketing system to be shut down for four days.

This list is by no means exhaustive, yet it shows how cyber-attacks on critical infrastructure are not just a danger to the economy and organisation itself, but the health, wellbeing, and safety of the everyday person.

Security expert, Jason Alcorn, says that now is not the time to be lax. “We may not have had a significant (reported) attack on our critical infrastructure in Australia this year, but that doesn’t mean it can’t or won’t happen. We need to shore up our cyber defences now, to avoid catastrophe. Waiting for government enforcement or mandates is ignorant at best and negligent at worst.”

While there has been a major push in the Australian market to focus on cyber security, it’s imperative that we don’t allow the bombardment of cyber messaging to lull us into a false sense of security.

“We all have a role to play to ensure our critical infrastructure can stand up to any future cyber-attacks. That means starting in your own backyard,” says Dave Cohen of the ISRM Cyber Security Special Interest Group. “We can limit the likelihood and effect of any attack by safeguarding our networks. This starts at the very basics, like ensuring default or easy to guess passwords aren’t being used, and multi-factor authentication (MFA) is applied, particularly to critical systems.”

As cyber security can be complex for critical infrastructure, particularly for those using older systems, it’s important to ensure that you engage in a cyber security specialist to help you ensure your network is secure. As a nation, we need to act today, to prevent the potentially catastrophic consequences not just for organisations, but for whole communities and society as a whole.