The Second ACSC Annual Cyber Threat Report: Critical Infrastructure and Cyber Supply Chain Risk

By Ravi Nayyar

A Techno-Legal Update
6 min read, Sep 15, 2021

The Australian Cyber Security Centre (‘ACSC’) — which sits within the Australian Signals Directorate and spearheads the Commonwealth’s ‘efforts on national cyber security’ — has released its second annual Threat Report, covering the period 1 July 2020 to 30 June 2021.

As the name suggests, the report explores the threat landscape for Australian computer networks and provides advice to Australians on how to tackle their cyber risk profiles. It was contributed to by Australia’s Defence Intelligence Organisation, the Australian Criminal Intelligence Commission, the Australian Federal Police, the Australian Security Intelligence Organisation, the Commonwealth Department of Home Affairs, state and territory agencies, as well as members of industry.

There is a lot of great material in this report, including detailed statistics on cybercrime reports and cyber security incidents, and descriptions of malicious cyber activity exploiting the pandemic as well as the ransomware threat.

Given, however, that my PhD is focused on the regulation of the cyber resilience of critical software as part of the broader regulation of critical infrastructure resilience, I will be homing in on two parts of this report: risks to critical infrastructure and risks to cyber supply chains.

Critical Infrastructure Risk

The ACSC said that about 25% of cyber security incidents reported to it during this reporting period ‘were associated with Australia’s critical infrastructure or essential services’.

This is, of course, serious in and of itself, given the consequences of the (sustained) disruption of critical infrastructure for society and the economy. The ACSC points, for instance, to the attacks against health infrastructure during the pandemic, the sector reporting ‘the second highest number of cyber security incidents both overall and for ransomware-related cyber security incidents’. The disruption of one of Melbourne’s large metropolitan public health services is used as a case study. The ACSC also flags threats from malicious cyber actors to vaccine development and delivery, both here and overseas.

[Table of incident categories not reproduced here.] Source: ACSC.

Per the above table, of incidents involving ‘malware, beaconing or other active network intrusion; temporary system/service disruption’, there were:

  • eight incidents of the third-most severe kind (Category 3) that affected national security, essential services and/or Critical National Infrastructure, leaving a ‘significant number impacted’; and
  • 44 Category 3 incidents that affected the federal government/national infrastructure or the supply chain for critical national infrastructure.

The ‘about 25%’ statistic is interesting because it is lower than that from the previous reporting period. Last year’s Threat Report stated that our critical infrastructure sectors ‘represented around 35% of the incidents responded to by the ACSC’. In general, the agency notes that ‘the total number of cyber security incidents in the 2020–21 financial year decreased by 28 per cent’ versus the previous reporting period. There were also no Category 1 or Category 2 incidents in the 2020–21 financial year, versus seven (covering both categories) in the previous one.

Why is that? Are classification and/or reporting issues the reason for this drop in reported incidents affecting critical infrastructure? It can’t be because malicious actors have eased off, given the ‘significant targeting’ of critical infrastructure during the pandemic and how cybercriminals have increasingly targeted larger entities, right? Has the cyber resilience of our critical infrastructure assets improved?

It will be interesting to see how this shapes the policy context for the proposed amendments to the Security of Critical Infrastructure Act 2018 (Cth).

Food for thought.

(Note that the ACSC points to a higher proportion of reported incidents in general during the 2020–21 reporting period being from Category 4, ‘in part [due] to an increase in attacks by cybercriminals on larger organisations and the [greater] impact of these attacks on the victims’, the attacks themselves including ‘data theft, extortion and/or rendering services offline’.)

Cyber Supply Chain Risk

Good on the ACSC for devoting a few pages to cyber supply chain risk — and not just because it provides me with literature for my own research! It is also an improvement on last year’s report, in which the phrase ‘supply chain’ appeared only twice, and then only in relation to incident classification rather than in substantive discussion.

The agency points to the continued targeting of cyber supply chains by malicious actors in order to compromise end-users, doing a case study on SolarWinds and providing a schematic for how cyber supply chain attacks occur. As it points out, such attacks ‘present a high-impact cyber threat that will only increase as networks continue to incorporate more third-party software’.

Little wonder that, as the ACSC warns:

The threat from supply chain compromises remains high — it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.

Importantly, the ACSC highlights how sophisticated cybercriminals ‘may also increasingly focus their efforts’ on doing such attacks in order to compromise ‘many victims at scale’. This is timely in light of, for instance, the exploitation of vulnerabilities in Kaseya VSA software in July this year by affiliates from the REvil ransomware strain to compromise Managed Service Providers and their customers.

Hence, it is not just state(-sponsored) actors playing the cyber supply chain game. That said, some of the great supply chain attacks of my lifetime have been done by state actors:

  • Stuxnet (USA-Israel), in part, exploited vulnerabilities in Siemens software which controlled programmable logic controllers in Iranian uranium centrifuges;
  • WannaCry (North Korea) exploited vulnerabilities in Windows;
  • NotPetya (Russia) compromised the update mechanism for a brand of accounting software practically ubiquitous in Ukraine and exploited vulnerabilities in Windows; and
  • SolarWinds (Russia) compromised the update mechanism for the SolarWinds Orion network monitoring software.

One must not forget how high the stakes are when it comes to cyber supply chain risk. The negative externalities borne from suboptimal cyber resilience practices by vendors are most severe for society when compromised software provides an access vector for malicious actors targeting critical infrastructure assets.

Note, after all, the aforementioned 44 reported incidents in the 2020–21 financial year that affected Australian targets including the supply chain for Critical National Infrastructure.

[Schematic of interdependencies between critical infrastructure assets not reproduced here.] Source: The President’s National Infrastructure Advisory Council, adapted from Rinaldi, Peerenboom and Kelly.

It is vital that software run on critical infrastructure — especially software falling within the critical software categories — is built with cyber resilience in mind. Not least because it is not that hard for skilled adversaries to cross the IT/OT (operational technology) divide via software vulnerabilities, sabotage equipment involved in, for instance, the delivery of essential services, and thereby cause cascading disruptions across the economy (see the above schematic for software-driven interdependencies between critical infrastructure assets). It doesn’t help that it is quite difficult to update software deployed on OT systems, especially in sectors like electricity generation where assets cannot be […] tricity grid in the dead of winter in 2016.

Little wonder that securing the cyber supply chain has become a regulatory refrain of late. Section 4 of President Biden’s Executive Order on cybersecurity from May 2021 is devoted to ‘enhancing software supply chain security’. The National Institute of Standards and Technology put out guidance on critical software protection (which American federal agencies have to implement) in July 2021. In July and September 2021, the Bank of England also warned of the risks posed to the UK’s financial stability by an outage (or compromise) at any of the ‘small number of [cloud service providers] and other critical third parties’ increasingly relied on by UK financial institutions. The Australian Prudential Regulation Authority (‘APRA’) echoed this in 2020 by highlighting that vulnerabilities in the Australian financial system stem in part from ‘an increasingly complex value chain of providers’. It thus makes sense that one of the pillars of APRA’s 2020–2024 Cyber Security Strategy is to:

rectify weak links within the broader financial eco-system and supply chain by fostering the maturation of provider cyber-assessment and assurance, and harmonising the regulation and supervision of cyber across the financial system.

The Two Species of Risk Are Interwoven, Folks

The relevance of cyber supply chain risk for critical infrastructure protection is recognised by the OECD in the explanatory note for its Recommendation of the Council on the Digital Security of Critical Activities: (emphasis added)

Digital transformation is further accelerating critical activities’ digital dependency... Operators of critical activities manage increasingly massive amounts of data, hardware, software, and network infrastructures that can never be considered entirely secure. These complex and dynamic digital ecosystems increase operators’ digital attack surface and exposure to digital security threats.

But I’ll let Nicole Perlroth have the last word, courtesy of her amazing book, This Is How They Tell Me the World Ends: (emphasis added)

It is now arguably easier for a rogue actor or nation-state to sabotage the software embedded in the Boeing 737 Max than it is for terrorists to hijack planes and send them careening into buildings. Threats that were only hypotheticals a decade ago are now very real.
