The problem with near-misses in cybersecurity
Cybersecurity is treated a lot like aviation security. Breaches that don't result in catastrophic consequences don't stay in the national psyche for very long, in much the same way that near-misses in aviation don't invite much public scrutiny. Colonial Pipeline was one such catastrophic event from early 2021, and now, towards the close of the year, we have the equivalent of a near-miss: Queensland water supplier Sunwater's breach of a content management system.
Australian national infrastructure organisations are prime targets for malicious cyber attacks for exactly the same reason as Colonial Pipeline in the US. There's a high potential to cause chaos, and therefore, a high chance of getting a lucrative result (whether that's information or simply a payout).
As this small blip on the national news radar moves away from us, it's tempting to treat it just as a near-miss is treated in aviation: report the incident to a central authority within Australia's government and let them determine how it was caused and how to help protect management control systems in energy, water or gas, which are particularly exposed to attacks designed to do serious harm.
There's a danger, however, in this thinking. It's too simplistic because aviation can only ever be focused on prevention, never truly on protection.
Let's take Sunwater as an example. File gateways (e.g. web, email etc.) are an obvious place to start when strengthening security. It's easy for malicious code to hide in seemingly benign files, so it's essential that we update legacy anti-malware solutions. They have been proven to be no match for unknown malware and zero-day exploits, which makes them unfit for purpose in today's world of sophisticated cybercriminals.
So how can we do that? The only method that really works is to have content screening technology that assumes all files are a threat and will deconstruct and analyse them before they are shared with the end recipient. Everything else relies on end-user education, which isn't a reliable solution. Sometimes, systems cannot be patched, and humans make mistakes.
If this were a near-miss in aviation we'd have to leave it there, and a lot of the discourse around the attack truly does stop here. We simply cannot afford to ignore the second step: protection.
End-to-end authenticated encryption is a protection every attacker should face, especially on data networks carrying infrastructure control traffic and/or sensitive data. It not only protects the data but, importantly, protects the network from the ingress of malware and other unauthenticated data, helping to slow or stop intruders from gradually taking over a network and crippling an entire system. Such solutions are critical to infrastructure organisations' safety control systems and operations today. It may just be that Sunwater has some such protections in place. At the very least, the attackers found a foothold but were unable to move laterally through the network to higher-value targets before they were detected.
Of course, if the opposite is true and the attackers were simply unwilling or not sophisticated enough to take the next step, Sunwater got lucky this time around. A different attack on another sector could be far more destructive, crashing vital infrastructure for rural communities.
Companies need to be proactive, not reactive, in implementing cybersecurity strategies that prevent breaches while also accepting that they will be breached, which means implementing effective protection from that point onwards. Bringing in products or activating protocols after the detection of malware or unauthenticated data is "reactive after the horse has bolted" and won't stop another cyber breach. But having those protections in place beforehand can stop attacks from becoming a Colonial Pipeline event, and that's worth the investment.