Recent high-profile data breaches in Australia have called attention to data and cyber security – in a big way. IT managers and tech security experts, such as SIS, have been talking about the potential implications of such cyber hacks for years now but, unfortunately, it’s taken the scale of the Medibank and Optus incidents to make news headlines and get the topic into the national conversation.
Although the attackers targeted the IT infrastructure of these organisations, there is still a lot that those in charge of operational technology (OT) assets and critical infrastructure can learn from the Medibank and Optus examples.
Here are some points we’d like you to think about:
OT is more vulnerable than IT
If organisations like Medibank and Optus can fall victim to cyber crime, this should act as a wake-up call to critical infrastructure providers. Why? Because IT is relatively easy to secure, compared to OT. And yet, many organisations persist in using IT experts to take care of their operational technology, effectively benchmarking an organisation’s cyber security preparedness solely through an IT lens.
The reality is that cyber attacks regularly target IT and OT services separately, and sometimes one can affect the other. Protecting your OT systems from getting hacked could be a much greater concern because it’s not just data being exposed; if OT is penetrated, it could potentially lead to injury and even death. Consequently, securing your OT assets requires the expertise of people who understand OT inside and out.
Is it time to engage experts to conduct an external assessment of your organisation’s strengths and weaknesses against an OT hack? The answer is most likely yes.
Focus on OT security, not just IT security
There is no question that it’s important to protect your IT from hackers. But many businesses seem to focus on protecting their IT systems at the expense of OT, even though the costs to their business stand to be much higher if OT systems are breached.
Furthermore, if we draw from the consequences of the Medibank and Optus hacks, a cyber attack can have a massive impact on a business’s bottom line, and that impact increases exponentially when operational technology is compromised.
There are many examples from recent years that highlight the extent of the financial impact, one being the Molson Coors Beverage Company in the US. In March 2021, Molson Coors experienced a cyber security incident that led to a systems outage and stopped production at some plants for up to a week. This meant that production of 1.8 million hectolitres, the equivalent of US$120-140 million, had to be delayed from the first quarter to later that year.
Sure, Medibank and Optus have suffered some serious reputational and goodwill damage in 2022, but both organisations were able to continue trading as usual after being hacked. As you can see from the Molson Coors incident, the costs of an OT security hack often come from having to shut down the entire business and can create a domino effect of costs that runs into hundreds of millions of dollars.
Regulatory changes are coming
It’s expected that the regulations governing IT services in Australia will undergo a thorough review in the wake of the Medibank and Optus hacks, which is sure to lead to greater regulatory control of the industry. It’s something that’s been talked about for a while, but these recent hacks only make it more likely, expediting the need for government intervention into IT and OT security processes.
While our critical infrastructure has already been subject to close scrutiny through the Security of Critical Infrastructure Act (2018), it’s a safe bet that SOCI legislation will most likely be tightened. Getting on the front foot before any new laws are implemented, or the existing ones tightened, would be a prudent move for any organisation.
Be proactive, not reactive
Optus has been accused of a lot of things in the wake of October’s hack, but one thing they can’t be accused of is not being proactive in preventing a similar attack occurring. Among the telco’s first calls following the security breach was to consulting experts Deloitte to make sure that best-practice methods were employed in bolstering their IT security.
Imagine if this had occurred before the breach.
A proactive approach to securing your OT is key to protecting your organisation and its critical systems. This does not only involve engaging an expert to take the temperature of your existing OT security. It also means monitoring your systems on an ongoing basis, identifying vulnerabilities and acting on them. And, if a breach occurs, it means having the appropriate protocols in place to respond immediately to mitigate any risk, and to provide a comprehensive review and learnings following the incident.
Don’t forget, this should be the responsibility of your appointed OT security specialists, not unfairly dumped on the shoulders of the IT team.
In conclusion
The Medibank and Optus data breaches are a timely warning for industry to take the pulse of their cyber security practices and procedures.
While the two companies will have to deal with major reputational damage and the loss of customer confidence about their abilities to protect sensitive personal data, the stakes are much higher when it comes to an attack on your OT.
The time is now to make sure your organisation doesn’t create headlines for reasons that could have ultimately been prevented.