Threat actors are successfully targeting particular operational technology products rather than specific organisations when compromising operational technology components, according to the Australian Cyber Security Centre (ACSC).
The ACSC says many operational technology products are not designed and developed with secure-by-design principles and commonly have weaknesses. Threat actors can easily exploit these weaknesses across multiple victims and sectors of critical infrastructure to gain access to control systems.
To help reduce the potential damage from these types of attacks, in collaboration with our international partners, the ACSC has released a new report this week, Secure by Demand: Priority Considerations for Operational Technology Owners and Operators When Selecting Digital Products.
The report highlights the key security elements that organisations should look for when selecting operational technology products, particularly industrial automation and control system products.
“This new Five Eyes-supported guidance illustrates that cyber threat actors are going after the low-hanging fruit when it comes to compromising the operational systems that run our most critical services,” said Assistant Director-General of Cyber Security Resilience Alan Marjan.
“They are targeting known vulnerabilities in operational systems or ones with insecure default settings, passwords and protocols. This focus on targeting the weakest point is why it is so important for our critical infrastructure owners and operators – our energy, water supply, and transportation providers – to ensure their operating software is resilient to cyber-attacks, including by reducing as many vulnerabilities as possible that cyber attackers may exploit,” he added.
“The energy, health, and transport sectors are critical to our daily life and require robust cyber security protections.”
You can read the full report here.
