“They opted out of the security updates, concerned about the cost associated with management of the new hardware and software that they had adopted.”
Perhaps most alarming is that the companies didn’t know they had exploitable assets in their energy facilities. Murphy says the assets clearly hadn’t been appropriately audited or documented.
The Danish energy infrastructure attack was not an isolated incident. Fortinet has data showing cybercriminals launched more than 36,000 malicious scans every second in 2024. Their short-term aim is to weaponise automation to map digital infrastructure and find vulnerabilities that can be exploited later.
Critical infrastructure assets, along with the connected devices and the Operational Technology (OT) used to monitor and control them, are increasingly a target.
“OT underpins the majority of our critical infrastructure. It’s long been neglected because the organisations using the infrastructure are not able to tolerate any downtime. Whether it is energy, water or defence, they are not able to stop,” Murphy says.
“We’re seeing that these critical assets are being sweated. Many have been out in the field for some time. This means, from a security point of view, they have become quite brittle and vulnerable to adverse change.”
In many cases, critical infrastructure assets were never designed to be connected to the public internet. They lack any form of built-in cybersecurity. Meanwhile, because of intense competitive and commercial pressures, their owners typically opt for just-in-time servicing and maintenance.
Yet they are vital for modern societies. This makes them key focus points for threat actors and criminal syndicates.
Not all attacks are about extortion. Some are intended to raise awareness for a cause.
In other cases, the attackers are building capability for future use, maybe in a geopolitical conflict. Some incidents that we hear about are dry runs. Murphy says it is possible the Danish attack was about testing the capability.
Fortinet has seen a shift in focus from cybercriminals and state actors. “Historically, threat actors would target enterprise IT systems. They might pivot from there to attack OT systems. Now we’re seeing more direct attacks on infrastructure — either targeting the assets themselves or aiming to disrupt operations.”
He says some of the activity is pure reconnaissance. The attackers are looking to see what assets are available to the internet, what has the potential to be compromised.
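The reconnaissance Murphy describes leaves a trace in perimeter logs: one source touching many distinct services on a facility's public-facing hosts in a short window, and traffic reaching hosts that nobody has recorded in an asset register. The script below is an added illustration, not Fortinet's code or anything from the article. It assumes a simple key=value firewall log format, a hypothetical inventory dictionary, and constructed sample lines (documentation-range IP addresses); the OT service ports it probes (Modbus 502, S7 102, DNP3 20000, OPC UA 4840, EtherNet/IP 44818, Niagara Fox 1911) are real, well-known port assignments.

```python
"""Flag scan-like reconnaissance in firewall logs and surface hosts that
are missing from the asset inventory.

Added example (not Fortinet's code). The log format, field names and the
inventory are assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset register: hosts the operator knows about.
INVENTORY = {"192.0.2.10": "plant historian", "192.0.2.20": "customer portal"}

# Constructed sample log. One external source walks through IT and OT
# service ports on a single host within seconds, then reaches a host that
# is not in the inventory; another source behaves like a normal client.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 action=deny
ts=2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=23 action=deny
ts=2024-05-01T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=80 action=deny
ts=2024-05-01T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=102 action=deny
ts=2024-05-01T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=443 action=deny
ts=2024-05-01T10:00:06 src=203.0.113.7 dst=192.0.2.10 dport=502 action=deny
ts=2024-05-01T10:00:07 src=203.0.113.7 dst=192.0.2.10 dport=1911 action=deny
ts=2024-05-01T10:00:08 src=203.0.113.7 dst=192.0.2.10 dport=4840 action=deny
ts=2024-05-01T10:00:09 src=203.0.113.7 dst=192.0.2.10 dport=20000 action=deny
ts=2024-05-01T10:00:10 src=203.0.113.7 dst=192.0.2.10 dport=44818 action=deny
ts=2024-05-01T10:00:11 src=203.0.113.7 dst=192.0.2.99 dport=502 action=allow
ts=2024-05-01T10:00:01 src=198.51.100.5 dst=192.0.2.20 dport=443 action=allow
ts=2024-05-01T10:05:00 src=198.51.100.5 dst=192.0.2.20 dport=443 action=allow
ts=2024-05-01T10:10:00 src=198.51.100.5 dst=192.0.2.20 dport=443 action=allow
"""


def parse_line(line):
    """Turn one 'key=value key=value' record into a typed dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def parse_log(lines):
    return [parse_line(line) for line in lines if line.strip()]


def detect_scanners(lines, window=timedelta(seconds=60), threshold=8):
    """Return {src: n} for sources that touched at least `threshold`
    distinct (host, port) pairs inside any `window`-long interval.

    Denied and allowed connections both count: a scan that happens to
    hit an open service is still a scan.
    """
    by_src = defaultdict(list)
    for ev in parse_log(lines):
        by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        # Sliding window anchored at each event; fine for log volumes of
        # this size, replace with a deque for production throughput.
        for i, start in enumerate(events):
            seen = set()
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen.add((ev["dst"], ev["dport"]))
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


def unknown_assets(lines, inventory=INVENTORY):
    """Hosts that received traffic but are absent from the inventory:
    exactly the undocumented assets the article says went unnoticed."""
    return sorted({ev["dst"] for ev in parse_log(lines) if ev["dst"] not in inventory})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("scan-like sources:", detect_scanners(lines))
    print("hosts missing from inventory:", unknown_assets(lines))
```

Two design choices matter here. Counting distinct (host, port) pairs rather than raw hits keeps a busy legitimate client from being flagged, while a slow scan that spreads its probes over hours needs a longer window than the 60 seconds used above. And the inventory check is deliberately separate from the scan check: a host that appears in the logs but not in the register is a finding on its own, whoever is talking to it.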
Critical infrastructure is susceptible to what security professionals call advanced persistent threats or APTs.
“These are attacks where threat actors obtain access, they lie dormant, and they wait for an opportunistic time to activate and cause as much malicious damage as possible.”
Murphy says much of the infrastructure that has been built in Australia and New Zealand dates back to the 1970s. That means we need to investigate threats that might already be embedded.
At the same time, “we need to understand how threat actors are attempting to deploy persistent threats, so that if they were to target us, they might be able to take down energy and water at the same time to maximise the effect.”
He uses medieval castle sieges as an analogy: “You want to take the castle rather than demolish it. So you besiege the castle. You surround it. Cut off the clean drinking water. Cut off the food supply, then wait for the people inside to become sick or go stir crazy. Then, when resistance is at its weakest point, you just walk in and take over.”
Murphy says taking an “all-hazards” approach is complementary to protecting operational technology and critical infrastructure. “This factors in not just the cyber domain, but natural hazards, biological hazards, malicious threats and economic risks. An organisation is at a high level of maturity when it has plans to protect or mitigate all these threats.”
Deep cyber resilience goes beyond these risks into economic models and governance structures.
Many countries in the Asia Pacific region have either adopted or are in the process of adopting legislation to protect critical infrastructure.
Australia has the Security of Critical Infrastructure Act.
“Singapore, India and Malaysia are adopting similar obligations to ensure the owners and operators of critical infrastructure protect what matters most. It’s not complex. There are assets in an environment that can detect malicious manipulation and report any incidents to the authorities,” says Murphy.
“For now, the focus is on core utilities like energy and water, but we’re seeing that begin to expand to cover areas such as retail, defence and education.” It’s about being conscious of what is key and what might cause major ramifications for the public if they stop.
In New Zealand, the Department of the Prime Minister and Cabinet has a work programme underway.
For now, Murphy says, New Zealand’s requirements are voluntary and not yet formalised. “I’d love to see New Zealand ramp that up or form a strong partnership with Australia around how we accomplish that, because I’m sure we have the same adversaries.”
Murphy says Fortinet’s role in this is to make sure its products work in line with the government obligations, the industry standards, and security frameworks that are being either rolled out or updated.
He says: “Our customers are asking us to include capabilities ahead of legislation being introduced or industry standards becoming more mature. That means we need to be well-versed in the legislative changes and reforms that are coming into play.”
When people think about infrastructure, the focus is, understandably, on the physical assets: power stations or water treatment plants. Yet, Murphy says, these companies also hold virtual assets — data storage, software, and cloud systems. It means developing security capability across the domains to help organisations become resilient to malicious manipulation.
Fortinet is an advertising sponsor of the Herald’s Infrastructure report.