Legislation SOCI Act 2024: Thales Study Reveals Breaches in Critical Infrastructure in Australia
Australia’s critical infrastructure sectors are facing potential data vulnerabilities due to an increase in ransomware incidents and the adoption of artificial intelligence, as outlined in a recent study. This update coincides with the implementation of new cybersecurity regulations under the Security of Critical Infrastructure Act 2018 from August 2024.
The 2024 Data Threat Report – Critical Infrastructure Edition, conducted by technology firm Thales, highlighted the rising global trend of ransomware incidents targeting critical infrastructure organizations while they confront emerging challenges associated with AI applications and data security.
During an interview with TechRepublic, Erick Reyes, Thales’ Director of Data Security for ANZ, pointed out that ransomware attackers tend to focus on critical infrastructure entities with vital data. He advised implementing a comprehensive security strategy as a fundamental aspect of technological advancements.
Balancing ransomware and AI in critical infrastructure
Thales’ study revealed that 42% of critical infrastructure organizations worldwide had experienced breaches at some point in the past, which is 7% lower than the average across all industries. Over the last year, only 15% reported breaches, down from 22% in the 2021 survey.
Surge in Ransomware Incidents with Inadequate Preparedness
Twenty-four percent of global critical infrastructure organizations admitted to falling victim to ransomware attacks, a 4% increase from 2022. Despite this, only 15% globally had formal response plans for ransomware attacks, lagging behind other industries by 5%.
SEE: Exploring the Potential of Industrial Cybersecurity in APAC
Human Error Fuelling Data Breaches
Human errors were responsible for 34% of cloud-based data breaches in critical infrastructure, exceeding the industry average by 4%. Neglecting multi-factor authentication for privileged accounts also contributed significantly to breaches, accounting for 20%, a figure 6% higher than the combined average of other industries.
AI Adoption Amid Risk Concerns
Despite concerns about managing environmental and operational risks, 26% of critical infrastructure organizations plan to incorporate AI into their core systems within the next year. Thales noted that while AI adoption is escalating, the sector remains wary of the implications on critical infrastructure.
Global Challenge of Ransomware
Reyes highlighted that Australian critical infrastructure firms, as per the 2024 Data Threat Report, shared feedback similar to their global peers, especially concerning the ransomware threat due to the critical nature of their data.
He emphasized that cybercriminals target organizations holding critical data, making Australian critical infrastructure entities prime candidates for such attacks.
Key Concerns Triggered by AI Integration
The adoption of AI is gaining traction in Australian critical infrastructure sectors, spanning from telecommunications to transport and logistics. Companies are leveraging AI to enhance efficiencies, reduce costs, and drive innovation, albeit with concerns about cybersecurity preparedness amidst the technological shift.
SOCI Act and Enhanced Cybersecurity
Stringent regulations under the SOCI Act could incentivize Australian critical infrastructure organizations to bolster their security practices.
Introduction of SOCI Act in Australia
The Security of Critical Infrastructure Act 2018, overseeing critical infrastructure risks in Australia, was expanded in 2020 to encompass a broader spectrum of industries, including finance, healthcare, education, and data management.
Under the SOCI Act, cybersecurity takes precedence, with new regulations enacted in August 2024 mandating critical infrastructure entities to establish and maintain cybersecurity frameworks aligned with their security maturity levels as part of comprehensive risk management.
SEE: Evaluating the Risk of State-Sponsored Cyber Attacks for Australian Professionals
Elevated Compliance Standards for Enhanced Security
The report by Thales highlighted the positive correlation between compliance adherence and reduced breaches. Organizations reporting failed compliance audits in the past year had an 84% breach history, contrasting with only 17% breach incidents among compliant entities. Only 2% of compliant organizations experienced breaches within the last year.
Future Security Enhancements
The SOCI Act is poised to deliver improved security outcomes for critical infrastructure. Reyes pointed out that industries less dependent on operational technology, like finance, are setting a benchmark for data protection, while traditional sectors incorporating operational technology are gradually catching up.
Although critical infrastructure organizations are enhancing their security posture through increased knowledge and awareness, Reyes cautioned that optimal security levels are yet to be achieved.
Target Areas for Australian Organizations
Reyes emphasized the critical importance of security for Australian critical infrastructure institutions.
He elaborated, stating, “They understand the significance; they grasp the necessary steps; they recognize the fundamentals of effective cyber strategies. Now, the focus is on proactivity; understanding how to advance further to ensure the safeguarding of essential assets in the event of a security breach.”
Embedding Security in Future Designs
DevSecOps framework emerges as a vital tool for addressing IT and OT elements in critical infrastructure, stressing the importance of consistently implementing robust security measures throughout operational processes.
Comprehensive Security Approach for Critical Infrastructure
While emphasizing the importance of edge security through identity management, Reyes underscored the growing need for critical infrastructure organizations to adopt a multidimensional security strategy encompassing asset identification, risk control, and understanding complex threats posed by supply chains and emerging technologies like AI or quantum computing.
Transforming Awareness into Proactive Measures
The 2024 Data Threat Report recommended that critical infrastructure enterprises proactively engage in measures under their control, such as establishing formal protocols to combat ransomware effectively and meeting auditing requirements.
“Adopting novel technologies like 5G, cloud solutions, IAM, and GenAI offers efficiencies when integrated into CI operations,” the report suggested. “Elevated standards for operational stability and resilience will drive organizations towards enhanced security and lower susceptibility to risks.”
About Author
