Thales has unveiled its 2024 Critical Infrastructure (CI) report, highlighting significant security vulnerabilities within essential sectors like energy, utilities, telecommunications, and transport globally, including in Australia. This report arrives just ahead of Australia's Security of Critical Infrastructure Act (SOCI), which will enforce stricter security and risk management protocols from mid-August.
The research conducted by Thales paints a concerning picture, with 24% of CI organisations reporting ransomware attacks in the past year. Worryingly, formal planning for such events remains inadequate, with only 15% of respondents stating they have a structured response plan in place. Human error is identified as the primary cause of cloud-based data breaches, cited by 34% of CI organisations, highlighting a crucial area for improvement.
The report also underscores the importance of multi-factor authentication (MFA) in securing privileged accounts. A staggering 20% of breaches were attributed to the failure to implement MFA, six points higher than the figure reported by the general respondent population. This reinforces the need for robust authentication measures within CI organisations.
Furthermore, the report identifies security consistency across workforce and non-workforce identities as a top challenge, reported by 61% of CI organisations. External identity is emerging as a significant security concern, with customers accounting on average for 16% of all external access to CI organisations.
Operational complexity continues to pose a challenge, with 57% of CI respondents stating they use five or more key management systems, a slight increase from 55% in 2022. The reliance on technology is further evident in the use of Software as a Service (SaaS) applications, with 34% of CI enterprises reporting the use of 50 or more SaaS applications. While there is some stabilisation, the need for simplification in hybrid IT environments remains crucial.
Looking towards the future, the report addresses emerging threats from quantum computing and the potential compromise of classical encryption techniques. In response, 69% of respondents have expressed interest in post-quantum cryptography (PQC), with 49% planning to develop resilience contingency plans and 48% intending to prototype or evaluate PQC algorithms within the next 18-24 months.
AI integration is on the rise within the CI sector, with 26% planning to incorporate AI into their core products and services over the next year, and 29% already experimenting with AI. However, this integration presents new security challenges: 69% of CI respondents perceive the rapid changes in ecosystems and operations associated with AI adoption as significant risks.
Thales' findings highlight the urgent need for improved planning, robust security measures, and proactive management of emerging technologies in the critical infrastructure sector. The report strongly suggests that organisations must prioritise these aspects to effectively mitigate escalating security threats.