ASD: Australian critical infrastructure hit by 143 cybersecurity incidents


The number of cybersecurity incidents reported by Australian critical infrastructure providers rose by more than 50 per cent over the last two financial years, data from the Australian Signals Directorate’s (ASD) Cyber Threat Report 2022-23 has revealed, with malicious actors taking advantage of increasingly interconnected and internet-facing systems.

Critical infrastructure providers reported 143 incidents to the ASD in the 2022-23 financial year, up from the 95 reported in the previous year.

Activity against Australian critical infrastructure networks is also expected to increase as networks grow in size and complexity.

However, the report confirmed that the vast majority of the cybersecurity incidents reported by entities that self-identified as critical infrastructure were low-level malicious attacks or isolated compromises.

The incidents, which were caused by state actors, cybercriminals and issue-motivated groups, were conducted for a number of reasons. These included attempts to disrupt services through denial-of-service (DoS) attacks, and stealing or encrypting data to gain insider knowledge for profit or competitive advantage.

Other reasons included installing malware, potentially years in advance, in anticipation of future disruptive or destructive cyber operations, and seeking sensitive information through cyber espionage.

The report also revealed that while critical infrastructure networks around the world continued to be targeted during 2022-23, events such as Russia’s war on Ukraine demonstrated that critical infrastructure was viewed as a target for disruptive and destructive cyber operations during times of conflict.

The main cyber security incident types affecting Australian critical infrastructure, which together accounted for approximately 57 per cent of the incidents, were:

  • Compromised account or credentials
  • Compromised asset, network or infrastructure
  • DoS

Other more prominent incident types included data breaches followed by malware infection.

The report also stressed the interconnected nature of critical infrastructure networks, where third parties in the ICT supply chain increase the attack surface for many entities. This included remote access and management solutions, which were increasingly present in critical infrastructure networks.

Systems where software or hardware are not up to date with the latest security mitigations are vulnerable to exploitation, particularly when these systems are exposed to the internet.

At the same time, the ICT supply chain and managed service providers remained another avenue malicious cyber actors could exploit.

“Operational technology (OT) and connected systems, including corporate networks, will likely be of enduring interest to malicious cyber actors,” the report said.

“OT can be targeted to access a corporate network and vice versa, potentially allowing malicious cyber actors to move laterally through systems to reach their target. Even when OT is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers.”

ASD said that Australian critical infrastructure providers often operated over large geographical areas and required interconnection between dispersed OT environments.

Separately, remote access to OT environments from corporate IT environments and the internet has become standard operating procedure.

“Remote access allows engineers and technicians to remotely manage and configure the OT environment. However, this interconnection or remote access requires an internet connection, which creates additional cyber security risks to OT environments.”

ASD continued to advise entities to prioritise secure-by-design and secure-by-default products in procurements and take a risk-based approach to managing risks associated with new technologies or providers.

“Good cyber security practices will be particularly important during a transition to new technologies,” the study noted.

ASD also identified a number of other key cyber security trends in 2022-23, which highlighted that cybercriminals continued to adapt tactics to extract maximum payment from victims. ASD responded to 127 extortion-related incidents, 118 of which involved ransomware or other forms of restriction to systems, files or accounts.

The data from the report also showed that significant data breaches resulted in millions of Australians having their information stolen and leaked on the dark web and that one in five critical vulnerabilities was exploited within 48 hours.

According to the report, Australia will need to consider not only technical controls such as ASD’s Essential Eight, but also growing a positive cyber-secure culture across business and the community. This includes prioritising secure-by-design and secure-by-default products during both development (vendors) and procurement (customers).

As far as cyber security incidents by sector were concerned, the federal government sector topped the list (30.7 per cent) and was followed by state and local government (12.9 per cent), professional, scientific and technical services (6.9 per cent), education and training (6.7 per cent) and healthcare and social assistance (5.9 per cent).

This year the information media and telecommunications sector fell out of the top five reporting sectors and moved to seventh spot, behind financial and insurance services (4.7 per cent), and was followed by construction (3.4 per cent), defence (3.2 per cent) and retail trade (three per cent).