In late 2020, the Australian Government proposed changes to the Security of Critical Infrastructure (SOCI) Act 2018. This was introduced through the Security Legislation Amendment (Critical Infrastructure) Bill to Parliament by the Minister for Home Affairs.
The Bill seeks to amend the SOCI Act and expands its coverage from four sectors (electricity, gas, water and ports) to now include communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage. The rationale behind the expanded coverage is that these sectors have a daily impact on our standard of living and should be protected as part of our national security.
Recently, in the US, there was the high-profile Colonial Pipeline attack, and in past years companies like Saudi Aramco (2017) and utility companies in Ukraine (2015) have also been hit, with the latter causing the first known power outages resulting from cyber-attacks.
Adam Misiewicz, ASG Group’s National Cyber Security Lead, says: “Cyber-attacks against Critical National Infrastructure (CNI) are real, have happened, and could become more frequent.
Even with funding, CNI is one of the weakest links within a nation’s security ecosystem. The rise in cyber-attacks, particularly ransomware, and the fallout from this disruption has consequences.”
Misiewicz says Australia’s Bill recognises that cyber resilience is challenging and that best practices aren’t always adhered to. For this reason, the Bill, which is expected to be passed later this year, will introduce a series of new measures including:
Positive Security Obligation (PSO), requiring entities to manage the security and resilience of their critical assets. While rules will determine what is required of the various CNI entities, this may include asset registers, a risk management program with a focus on data security, and specific notification timeframes for cyber security incidents.
Enhanced Cyber Security Obligations for the most critical entities (systems of national significance), as designated by government. If assets fall into this category, entities will need to establish incident response processes, run regular cyber security exercises, manage vulnerabilities, and provide security event reporting on demand.
Government Assistance to respond to cyber-attacks on critical infrastructure in a cyber emergency. This includes giving the entity information-gathering directions, action directions to respond to an incident, and, as a last resort, intervening to manage and contain the incident and take defensive cyber security action (the latter is yet to be defined).
THE BIGGEST CHALLENGE FOR LEGISLATORS, REGULATORS AND ORGANISATIONS WILL BE IMPLEMENTING THE CHANGES
As Misiewicz describes, based on his experience working across many sectors including government, the level of cyber security maturity varies drastically between sectors and across organisations, but one thing is consistent.
“As more organisations pursue their digital transformation agenda, introduce new technologies and become more connected, cyber risk management will become even more critical.
The convergence of IT and operational technology is one example where more, higher-quality data can be collected to support operational decision-making. On the flip side, these same systems can also become new vectors for attackers,” says Misiewicz.
DON’T CARRY THE RISK ALONE
Managing existing environments is already highly complex. For this reason, many entities choose to shift some of the burden to trusted Managed Security Service Providers (MSSPs).
MSSPs should have the breadth and depth of experience to provide guidance on the best way to holistically manage and reduce risk across the enterprise. This includes providing compliance and maturity assessments, creating a new security strategy, delivering phased remediation, and providing ongoing support and managed security services after hours.
Misiewicz says, “The changes driven by SOCI are much needed to support our national security.
Success will likely be proven over time, and I expect that there will need to be a lot of fine-tuning to develop a truly resilient ‘national’ cyber defence capability.
For CNI entities, the changes reflect necessary measures that any connected organisation should have in place today.
Proactivity and action are key, and organisations should take the opportunity now to become armed and better prepared for any future attacks.”
ASG Group is a partner of the Federal Government’s Australian Cyber Security Centre (ACSC) and a member of the Defence Industry Security Program (DISP). ASG Group receives continuous threat intelligence, which allows us to continually update our own internal security programs as well as our clients’.
Our services include: security consulting; managed security services; cyber defence; identity and access management; secure infrastructure delivery and application security; and DevOps.
To discuss your security or transformation needs, please contact us using the form below.