A new report by the Australian Strategic Policy Institute has warned of the risk that automated operational technology poses to Australia’s critical infrastructure, including systems that provide food, water, energy, transport, communications and healthcare.
The report concerns the convergence of IT (information technology) and OT (operational technology), where OT refers to devices that monitor physical effects, control them, or both. More and more devices are becoming interconnected to create the ‘internet of things’.
According to the report, while this brings many benefits, it also brings new types of risks to be managed—a cyberattack on OT systems can have consequences in the physical world and, in the context of a critical national infrastructure provider, those physical consequences can have a potentially major impact on society.
Among Australian critical national infrastructure providers, the level of maturity and understanding of the specific risks of OT systems lags behind that of IT systems. There’s a shortage of people with OT security skills, commercial solutions are less readily available, and boards lack specialist knowledge and experience. Mandating or recommending standards could help boards understand what’s expected of them, but it isn’t clear which standards are appropriate for managing these risks.
This study examined the understanding and management of the risks of IT–OT convergence in critical national infrastructure, particularly the telecommunications, energy, water and transport sectors. These areas are considered the most critical to the security of Australia and are the focus of government legislation.
The report found critical national infrastructure providers are under pressure to deliver services more efficiently and at lower cost, due to market competition, technological change, reduced government funding and price regulation.
As a result, organisations have sought to automate and integrate more and more of their IT and OT systems. Stakeholders expect a rapid increase in convergence over the next two years, the report says.
Boards of critical infrastructure providers need to set their cyber risk tolerance and monitor performance against it
Better education and information including general awareness training for boards, specialist courses and enhanced information sharing
Prioritisation of resources to ensure the appropriate organisations are able to implement required measures