Thales report reveals critical security gaps in infrastructure
Thales has released its 2024 Critical Infrastructure report, highlighting key security challenges encountered by organisations in critical sectors such as energy, utilities, telecommunications, and transportation globally, including in Australia. The report comes as Australia's Security of Critical Infrastructure Act (SOCI) is set to enforce stricter security and risk management protocols from mid-August.
The research conducted by Thales reveals a concerning trend with 24% of critical infrastructure (CI) organisations reporting ransomware attacks within the past 12 months. Despite the increase in attacks, formal planning in response remains inadequate, with only 15% of respondents indicating they have a formal plan in place for such events. An area of particular vulnerability appears to be human error, cited as the leading cause of cloud-based data breaches by 34% of CI organisations.
Additionally, the report underscores the importance of multifactor authentication (MFA) in securing privileged accounts, with 20% of breaches attributed to the failure to apply MFA. This figure is significantly higher, by six points, than that reported by the general respondent population. CI organisations continue to grapple with the challenges posed by both human error and MFA failures.
Another notable finding is that security consistency across workforce and non-workforce identities remains one of the top challenges, as reported by 61% of CI organisations. External identity is emerging as a critical security concern, compounded by the fact that on average, one-sixth (16%) of all external CI organisational access originates from customers.
The survey also points to operational complexity as an ongoing issue, with 57% of CI respondents stating they utilise five or more key management systems. This figure has increased slightly from 55% in 2022. Furthermore, 34% of CI enterprises reported the use of 50 or more Software as a Service (SaaS) applications, up slightly from 33% the previous year. Although there is some stabilisation, the need for further simplification in hybrid IT environments is evident.
Security concerns are not limited to current technologies. Future threats from quantum computing and the potential compromise of classical encryption techniques have prompted 69% of respondents to express interest in post-quantum cryptography (PQC). To address these emerging threats, 49% indicated plans to create resilience contingency plans, while 48% intend to prototype or evaluate PQC algorithms within the next 18-24 months.
The report also highlights that AI integration is on the rise among CI organisations, with 26% planning to incorporate AI into their core products and services over the next year, and 29% already experimenting with AI. However, this integration presents new security challenges. The rapid changes in ecosystems and operations associated with AI adoption are viewed as significant risks by 69% of CI respondents.
Thales' findings underscore the critical need for improved planning, robust security measures, and the proactive management of emerging technologies in the critical infrastructure sector. The report suggests that organisations must prioritise these aspects to safeguard against escalating security threats.