Alarming data shows how vulnerable nation’s critical infrastructure is to hackers

There are now 11 critical sectors designated by the federal government under Australia’s Security of Critical Infrastructure Act, which was amended in 2018 to introduce tougher regulations.

Under the changes, businesses are required to complete annual reporting to notify the federal government of any attempts to access their networks.

Speaking to Sky News Business Weekend host Ross Greenwood on Sunday, Fortinet Head of Operational Technology and Critical Infrastructure Michael Murphy said the 188 cyber security incidents across those sectors in the 2022-2023 financial year showed just how real the threat of cyberattack is to vital national networks such as the water and energy supply.

According to the Australian Bureau of Statistics, 34 per cent of businesses reported a loss of resources in managing cyber security attacks in the 2021-22 financial year.

Twenty-two per cent of Australian businesses experienced a cyber security attack during that period, more than double the number reported the year before.

“So ultimately what we’ve seen is, within the entities that now have mandatory reporting, they’ve reported 188 incidents,” Mr Murphy said. 

“There are also entities that are not necessarily critical infrastructure, but they have also reported 142 incidents.”

Critical infrastructure assets include sectors in communications, data storage, financial services, water and sewerage, energy, as well as health and medical care, according to the Australian Government’s website.

Organisations in the field of higher education and research, food and groceries, transport, space technology and the defence industry are also identified as critical infrastructure sectors.

The cybersecurity expert said there can be a number of motivators for hackers aside from just financial gain, such as the element of control.

“What we’ve observed is in many incidents there are motivators at play, historically it’s been based on financial profiteering,” he said. 

“We’ve seen an increase in socio and political influence and more importantly, some hackers and syndicates simply want to raise their own credibility.”

Mr Murphy also revealed just how detrimental a cyber attack can be when a hacker shuts off access to a certain system.

“What we’re identifying is disruption leads to down time, down time leads to revenue loss and can lead to irreversible brand damage,” Mr Murphy said.

“In many incidents within the critical infrastructure landscape, we don’t necessarily have the luxury like in the IT enterprise, where we can turn different levers to bring things back up online. It can take a considerable amount of time.”