WP New reforms will enhance the security and resilience of Australia’s critical infrastructure | Imperva

New reforms will enhance the security and resilience of Australia’s critical infrastructure

New reforms will enhance the security and resilience of Australia’s critical infrastructure

Improving the security of critical infrastructure has become the focus of many governments around the world, including Australia. This is because a failure or disruption in one area of critical infrastructure can have flow on effects that affect a nation’s security, economy and sovereignty.

In the Australian Security Intelligence Organisation’s (ASIO) Annual Report 2020-21, Mike Burgess, Australia’s Director-General of Security said he was “concerned about the potential for Australia’s adversaries to pre-position malicious code in critical infrastructure.” The report goes on to say that pre-positioned malicious software – which can be activated at a time of a foreign power’s choosing – presents the potential for disruptive or damaging attacks.

This is why the Australian Government is enhancing the security and resilience of the critical infrastructure we all rely on with the Protecting Critical Infrastructure and Systems of National Significance reforms.

Owners and operators of critical infrastructure assets in Australia need to keep abreast of these reforms and ensure they understand their changing obligations.

The most recent change was the passing of the Security Legislation Amendment (Critical Infrastructure) Bill 2021. The new legislation will require operators of critical infrastructure assets to report any cyber security incidents that disrupt essential services provided by that asset.

Instead of focusing on the burden of reporting such incidents, critical infrastructure organisations should look at prevention and how they can improve their cyber security posture to protect critical assets from attacks.

Protecting applications from zero day and supply chain attacks

Organisations looking to address the concern of pre-positioned malicious code (as expressed by Mr Burgess) should be looking at runtime protection for their applications. Runtime Application Self-Protection (RASP) fills the security gaps that leave applications vulnerable to attack, protecting both legacy and modern applications.

RASP enables applications to protect themselves using an industry leading, lightning-fast attack detection method called Language Theoretic Security (LANGSEC). LANGSEC understands how payloads will execute within the context of a given environment and neutralizes known and zero-day attacks. The result is applications that are secure by default, regardless of any latent vulnerabilities in the application software that would otherwise be susceptible to attack.

This method is especially helpful in mitigating software supply chain attacks. In the US, the National Institute of Standards and Technology (NIST) has recognised that many security controls fail to address the challenge of mitigating software supply chain attacks. It determined that only runtime protection prevents these stealthy attacks and recommends RASP as a control to respond to emerging threats from the software supply chain.

Ensuring all assets have sufficient DDoS protection

While many organisations are familiar with the risk of DDoS attacks and have protection in place, it is important to ensure you know where all your digital assets are located and that they all have sufficient DDoS protection.

We’ve even seen recent examples where an organisation thought they had sufficient DDoS protection, but had failed to secure one specific digital asset. The attackers found that weakness and successfully took that business offline. If you have gaps in your defences, the cyber criminals will find them and exploit them.

We’ve also witnessed a clear trend towards shorter, higher volume attacks which are designed to take out organisations with low or legacy defenses. This includes those organisations that mistakenly assume their telecommunications or internet service provider (ISP) will automatically provide a level of DDoS protection.

This is not the case. Even those that do, don’t typically protect against all the different types of DDoS attacks. They also tend to use in-house technology and solutions that are not ‘always-on’ and don’t leverage a global mitigation approach. Instead they offer a manual or semi-automated response that uses localised mitigation.

This approach is not effective against the increasing trend of highly distributed, short, sharp, persistence attacks. Since 2020, DDoS attacks have increased four-fold, volume has doubled and the average attack duration is just six minutes. We only expect this to increase with the maturity of 5G networks and the continued adoption of IoT. The most recent example of this is the new Meris botnet which is breaking DDoS records and is powered by 250,000 malware-infected devices.

For those organisations included in the Critical Infrastructure Bill, they need to ensure they have a robust DDoS protection in place. Generally this means using a security-focused vendor that can provide more advanced solutions. These vendors also have experts dedicated to ongoing security research and round-the-clock monitoring of new attack vectors.
Beyond RASP and good DDoS protection, critical infrastructure owners and operators should be implementing a defense-in-depth security architecture to provide multiple, redundant defensive measures in case a security control fails or a vulnerability is exploited. Such a “layered” security model makes it harder for malicious actors to execute an attack, thus improving an organisation’s overall cybersecurity posture.