Critical parts of the energy grid and essential services such as sewage treatment plants could be hit by cyber attacks, shutting down operations and threatening lives, according to Microsoft‘s latest Cyber Signals report.

75 per cent of the most common control technologies used by critical infrastructure companies – such as energy operators – around the world are severely vulnerable to cyber attacks, the report found.

As Australian utility companies increasingly automate their systems and connect their operations to IT systems, they’re becoming more vulnerable to attack, according to Microsoft Australia’s national security officer, Mark Anderson.

“The problem is, similar to many of the devices in our homes, these technologies, especially in an industrial context, where they may be several decades old, may not have been initially built with cyber security in mind,” Mr Anderson said.

“So when these traditionally disconnected systems are bridged to connect to IT, they can be left vulnerable to cyber attacks which originate from the IT side of the business.”

Hacks in the United States have shut down major infrastructure such as the Colonial pipeline, which sparked fuel shortages in five states and resulted in a major jump in prices.

Attacks have also threatened lives, such as when hackers accessed systems at a local water plant in Florida and attempted to raise the level of chemicals in the water to a level which would have been poisonous.

“Nation-State and cybercriminal gangs have figured out that attacking these technologies, when not secured correctly, can in some cases be quite easy, with catastrophic consequences, for example stopping the flow of oil or electricity to an area or country,” Mr Anderson said.

“Cybercriminals have also found that while holding IT systems to ransom can these days be hit or miss in terms of if the victim will pay, holding an operational technology system which may prevent clean water from reaching millions of residents has greater consequence, and as such, increases their chance of a payout.”

Energy companies in particular are at higher risk of coming under attack.

“Adversaries realise the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater, compared to other industries,” the report says.

Companies are increasingly finding weak links in their systems, with a 78 per cent jump in those disclosing “high-severity vulnerabilities” from 2020 to 2022 in industrial control equipment.

There are warnings everyday Australians are being used as pawns by cybercriminals. Microsoft has observed Chinese-linked threat actors target vulnerable home and small office routers to use these devices as footholds from which to launch new attacks.

According to Microsoft, China is the most common country where these attacks originate, comprising 38 per cent of attacks in 2022.

Despite an attack the scale of that on the Colonial Pipeline not being seen in Australia “yet”, Mr Anderson warns companies still need to be careful.

“We hope this new data from Microsoft reinforces the message which is already known in the industry to those who operate Operational Technology systems, and all Australian organisations, that when it comes to cybersecurity, you can never let your guard down,” he said.