SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Australian utilities face rising threat from cyberattacks

Yesterday

The impact of recent cyberattacks on water and electricity operators in the U.S. and UK has implications for the Australian industry, as revealed in a new study by Semperis.

The report disclosed that 62% of water and electricity operators have experienced cyberattacks in the last year, with 80% facing repeated incidents. Data indicates that nation-state groups are behind nearly 60% of these attacks, posing a growing risk to Australian utilities.

A concerning 54% of utilities reported permanent data and system corruption or destruction as a result of cyberattacks.

Compromise of identity systems such as Active Directory, Entra ID, and Okta, a focus of the attacks, was reported in 67% of incidents. This finding is of significant concern given similar vulnerabilities reported in Australia's electricity, gas, water, and waste services sector, which ranks sixth-highest among sectors for cyber incidents according to the ASD Cyber Threat Report.

Chris Inglis, Semperis Strategic Advisor and former U.S. National Cybersecurity Director, highlighted the underestimation of foreign infiltration within infrastructure. "Many public utilities likely don't realise that China has infiltrated their infrastructure. For instance, Chinese-sponsored threat actors like Volt Typhoon are known to prefer 'Living off the Land' attacks, which are difficult to detect and can remain dormant, planting backdoors, gathering information, or waiting to strike for months or even years," he said.

Australian utilities share comparable vulnerabilities, with the sector accounting for 30% of attacks on critical infrastructure, surpassing sectors like education and training and transport, postal, and warehousing. Ausgrid has projected potential economic consequences of USD $2.9 billion per day in a worst-case scenario cyber-induced shutdown.

Previous incidents highlight the susceptibility of Australian utilities.

In 2022, cyberattacks on EnergyAustralia and AGL resulted in the exposure of sensitive customer data. Prior to that, a 2021 ransomware attack targeted the Queensland-owned electricity generator CS Energy.

Inglis stressed the pressing need for improved system resilience to mitigate such risks. "The systems that supply our power grids and our clean drinking water are the underpinning of everything we do. And yet we go about our business, confident that somebody else is going to handle it. Somebody else isn't going to handle it. We need to harden our systems and extract criminal elements — now," Inglis emphasised.

Semperis Chief Executive Officer, Mickey Bresman, noted that resilience against cyberattacks must be prioritised by operators of critical infrastructure.

"If you don't improve resilience, attackers keep coming. Utilities have an opportunity to address this challenge. They need to assume breaches will happen, and through tabletop exercises, they can practice attack scenarios that could be a reality in the future," Bresman stated.

To bolster operational resilience, utilities are advised to identify Tier 0 infrastructure components critical for recovery, prioritise incident response, document processes, and ensure secure recovery from attacks, focusing on both speed and security.
