Nozomi Networks Inc., the leader in OT and critical infrastructure security, today says Australia and New Zealand critical infrastructure owners/operators will see a major uplift in cybersecurity – particularly in their operational technology (OT) and IoT environments – next year.
The company’s A/NZ OT and IoT security experts called out the importance of improving visibility over networks and
devices, ‘secure-by-design’ frameworks, avoiding victim blaming when organisations are attacked, and tackling the skills
shortages impacting the industry.
In Australia, the predictions come on the heels of the launch of the 2023-2030 Australian Cyber Security Strategy by the Federal Government, and as Security of Critical Infrastructure (SOCI) Act measures make an impact across critical infrastructure providers.
Anthony Stitt, Regional Senior Director, Nozomi Networks:
“As the official and unofficial grace periods come to a close on the SOCI requirements, we’ll see regulated critical infrastructure providers continue to uplift their OT and IoT security posture. Interest from non-regulated adjacent industries is high and more organisations will begin the journey.
“The inaugural Critical Infrastructure Annual Risk Review highlighted some important risks, including vulnerabilities in the connections between IT, OT and IoT environments, cyber literacy and security practices are not keeping pace with digitalisation, and next-generation technologies are needed to change the way to assess risk.
“One of the key issues to address is visibility over deep, widely connected networks with so many devices potentially talking to each other. All too often, IT and OT networks run together on the same flat network. For these organisations, many are planning segmentation projects, but they are complex and disruptive to implement, so in the meantime organisations want to understand what’s going on in these environments.
“What’s really positive to see is that organisations are more willing than ever to get their foot in the door. They understand there’s a lot of work to do, but starting with some basic tools and monitoring capabilities can still make a huge difference, and it starts the process of maturation.
“In Australia, the Government has performed very well by developing and executing the SOCI legislation reforms, and other regions are engaged in or considering similar initiatives. But across the region, we need a generational change to move away from victim blaming when cyber-attacks occur.
“There’s always something an attacked organisation could have done to remain protected, but we can’t forget that cybercrime is crime. Greater involvement and offensive capabilities from law enforcement will help to change that mindset, and it’s great that is a priority from Government through the 2023-2030 Cyber Security Strategy.”
Marty Rickard, Director of Customer Success and Technical Support - Asia Pacific:
“The industry in Australia and New Zealand is still embattled with a major skills shortage. The limited talent we have is spread primarily among vendors, leaving gaps in internal OT teams and partners, which provide a broader range of security-focused services.
“People talk a lot about the skills shortage in IT regularly, but at least there’s a fundamental understanding of the fundamental importance of security in IT. That can’t be said of OT yet, but it’s improving - we're going through the same pain IT did a decade ago of building these skills and understanding, often from scratch, which is positive.
“As it matures, we need to see OT and IoT security become ingrained into governance, risk and compliance (GRC) teams and we’ll be working closely with a range of critical infrastructure providers to take or at least build towards that journey in the year ahead, but the inaugural Critical Infrastructure Annual Risk Review reminded us these skills shortages aren’t going away.
“In New Zealand, we’re seeing some much-needed maturity in the market which is positive, and we expect that to continue in 2024. The ‘sky is falling in’ fear mongering is being replaced by practical engagement, technology discussions, and compensating controls to recognise and address risks for what they are.”
Dean Frye, Solutions Architect – Australia and New Zealand:
“Networks and devices need to be secure by design, a methodology we expect will ramp up significantly in 2024. But even then, there are still too many projects taking place where secure by design isn't considered, isn’t known or understood as a concept. It comes down to fundamental controls normalising and recording the privileges granted to each device and network, holding that in a database and reviewing it regularly, assisted with automation tools.
“We need a major education and upskilling journey to change this, and the advent of SOCI, greater knowledge sharing between facilities managers, OT professionals and others are making a difference.
“The greater challenge is tackling environments built before cyber security even existed. One example we encountered involved a council environment where a sewerage system network had an open line to the council chambers, the library, the dog pound, and more. This creates unnecessary risk, but segmenting and securing these networks in a legacy environment takes time. We’ll see strong improvement in this space in 2024, but ultimately it will take a long time to fully rectify.”