Time and time again, cyber attackers have shown nothing is off limits.
Healthcare, telecommunications and banking. Education, public sector and energy.
In the past few years, headlines have highlighted the scale of disruption cyber attackers will inflict, with each sector falling victim to incidents that took systems offline, exfiltrated sensitive data, or both.
Against this backdrop, successive Australian governments have implemented and tightened regulations as part of the Security of Critical Infrastructure (SOCI) Act. This legislation aims to strengthen the security and cyber resilience capabilities of Australia’s critical infrastructure industries in the face of ongoing attacks.
One of the act’s initial developments was to expand the sectors classified as ‘critical infrastructure’. These now include communications, data storage and processing, defence, energy, financial services, food and grocery, healthcare, higher education, space technology, transportation and water and sewerage.
In less than two weeks, the grace period for one of the act’s most important obligations will end, when enforcement begins for rules regarding critical infrastructure risk management programs (CIRMP). By August 17, entities specified in the act must adopt a CIRMP cybersecurity framework and must maintain and report upon their adherence.
The Department of Home Affairs will audit, monitor and enforce the obligation. Failure to maintain an approved framework can be punishable by up to $275,000 per day, and businesses will suffer reputational damage if enforcement action is taken against them.
The listed industries have had to adopt one of the act’s suggested cyber security frameworks since February 2023.
With the deadline quickly approaching, what is a CIRMP, and why is it important to critical infrastructure?
Focusing on fundamentals
At its core, a CIRMP is intended to improve security practices and ensure critical infrastructure providers take a holistic and proactive approach to identifying, preventing and mitigating material risks, whether from cyber or physical threats.
As to cybersecurity, the act specifies five frameworks, including those published by the National Institute for Standards and Technology (NIST) and the Department of Energy in the US. Frameworks from the International Organisation for Standardisation (ISO), Australian Energy Market Operator (AEMO) and the Australian Signals Directorate (ASD) have also been included.
In our conversations with local critical infrastructure providers, many have favoured adopting the last of these, the ASD Essential Eight, as it is a framework many have worked towards for some time.
The Essential Eight is a list of prioritised mitigation strategies designed to protect organisations against various cyber threats. Each strategy, which includes patching applications and operating systems, implementing multi-factor authentication and restricting administration privileges, is measured against three levels of maturity; level one is the lowest and level three the highest.
Organisations adopting this framework as their CIRMP should aim for maturity level three across the board, particularly in regard to the strategy of regular backups.
Of the eight strategies, this is the only one to address cyber resilience—limiting the impact of a successful breach and ensuring rapid recovery in the event systems are taken offline.
While the other seven are important, they focus on hardening the perimeter and preventing an attack. As recent headlines have shown, no prevention strategy can ever be 100 percent foolproof. Organisations need to be confident in their ability to recover rapidly following a successful attack.
Systems of National Significance
Under the SOCI Act, some organisations are deemed to be Systems of National Significance (SoNS). These are Australia’s most important critical infrastructure assets and are subject to enhanced cyber security obligations.
When the home affairs minister notifies an organisation it has been identified as a SoNS, it will have to implement the following controls and strategies:
—Incident response plans detail how an entity will respond to cybersecurity incidents that affect its systems. This obligation will assist entities in articulating what to do and who to call in the event of a cyber incident.
—Cybersecurity exercises test preparedness, mitigation, and response capabilities. Ultimately, they are designed to reveal whether an entity’s existing resources, processes and capabilities sufficiently safeguard the system from being impacted by a cybersecurity incident.
—Vulnerability assessments identify gaps in systems that expose entities to particular cyber incidents. These assessments will help entities identify where further resources and capabilities are required to improve preparedness for, and resilience to, cyber incidents.
—Provide system information to develop and maintain a near-real-time national threat picture.
Whether designated as a SoNS or subject to the CIRMP requirements, critical infrastructure providers can expect auditing and enforcement activities to commence this year. With ASD announcing earlier this week that the Chinese hacking group APT40 has been actively targeting Australian organisations, and geopolitical tensions rising in the region, the stakes have never been higher.