
Strengthening the security of Australia's cyber infrastructure

 

 

Governments, organisations and individuals across the world are now more dependent on digital technologies than ever. The ability of these technologies to connect people across the globe, enable more flexible working arrangements, and break down communication and information barriers has made for more convenient and empowered ways of living.

 

These technologies, however, have also become a potential catalyst for cybercrime and societal disruption. The interconnectedness, flexibility, accessibility and convenience that make them invaluable to society also make them increasingly susceptible to exploitation.

 

In this article we explore the current state of Australia’s cyber landscape, the national strategy to keep this cyber landscape protected, and what you can do to strengthen cyber security for you and your organisation.

 

 


 

 

The current state of Australia’s cyber landscape

 

In the 2022-23 financial year, the Australian Signals Directorate (ASD) responded to over 1,110 cyber security incidents from Australian entities, and approximately 94,000 reports of cybercrime were made to law enforcement via ASD’s reporting service, ReportCyber.

 

The findings from these incidents and reports were presented in the ASD’s annual Cyber Threat Report. It highlights the main cyber security incidents and threats affecting individuals, organisations, and critical infrastructure in Australia.

 

Here are some of those findings:

  • Data breaches: Data breaches affected millions of Australians, with 150 data breaches recorded by the ASD. Malicious cyber actors stole personal information through phishing and by taking advantage of simple or reused passwords and unsecured or flawed software.
  • Ransomware: Ransomware continues to be the most destructive and disruptive cybercrime, with 118 ransomware incidents reported to ASD. Cybercriminals encrypt or hold files and demand a ransom before restoring access.
  • Business email compromise (BEC): BEC is very costly, with one BEC event costing an average of more than $39,000. Cybercriminals compromise or impersonate trusted email senders to extract sensitive information, money or goods from business partners, customers or employees.
  • Critical infrastructure: ASD responded to 143 cyber security incidents reported by self-identified critical infrastructure entities. Most of these were low-level malicious attacks or isolated events; however, global events, such as Russia’s war on Ukraine, illustrate how cyber attacks on critical infrastructure can be severely disruptive.

 

 

 

 

 

The nation’s new shields for cyber defence

 

Six cyber shields have been introduced as part of the Australian Government’s 2023-2030 Australian Cyber Security Strategy to help guard against the increasing and impending threat of cyber attacks affecting Australian citizens and organisations.

 

The shields will be implemented across three “horizons”.

 

The shields and horizons

 

Shields

  1. Strong business and citizens: Supporting businesses and citizens to strengthen their security against cyber attacks.
  2. Safe technology: Implementing voluntary and mandatory actions to make digital technologies safe for individuals to use.
  3. World-class threat sharing and blocking: Improving the exchange of threat intelligence and threat blocking capabilities.
  4. Protected critical infrastructure: Protecting the nation’s critical infrastructure assets and essential government systems.
  5. Sovereign capabilities: Investing in jobs and skills training to build a professional and recognised cyber workforce.
  6. Resilient region and global leadership: Fostering a more cyber resilient and prosperous region.

Horizons

  1. 2023-25: Strengthening the nation’s cyber foundations.
  2. 2026-28: Scaling of cyber maturity across the whole economy.
  3. 2029-30: Advancing the global frontier of cyber security.

 

 

 

 

 

 

Protecting critical infrastructure

 

Shield 4 of the national strategy focuses on the protection and resilience of critical infrastructure. Critical infrastructure assets are attractive targets for malicious cyber actors, including state actors, cyber criminals and issue-motivated groups, because they may hold sensitive information, extend across multiple systems, sectors and geographical areas, and maintain essential services.

 

In 2022-23, Australia’s critical infrastructure incurred only low-level malicious cyber attacks or isolated events, but the threat of more disruptive and devastating cyber security incidents is real.

 

The vision of the national strategy is that by 2030, critical infrastructure is better able to prevent, respond to, and be resilient to, cyber attacks, and that Australians are confident that the nation’s essential services are protected and resilient.

 

Reforming legislation to protect critical infrastructure

 

Recent amendments were made to the Security of Critical Infrastructure Act 2018 (SOCI Act) to improve critical infrastructure security. The reforms took place in two stages with the Security Legislation Amendment (Critical Infrastructure) Act 2021 commencing in December 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 commencing in April 2022.

 

Security Legislation Amendment (Critical Infrastructure) Act 2021

 

This Act was introduced to enhance the critical infrastructure regulatory framework by amending the Security of Critical Infrastructure Act 2018 to:

 

 

  • require critical infrastructure entities to inform data service providers if they are storing or processing business critical data for a critical infrastructure asset
  • require responsible entities (those that own or operate the asset) to provide operational information about the asset to the Register of Critical Infrastructure Assets, and direct interest holders (those that hold either a direct or joint interest of at least 10% in the asset or have direct or indirect influence or control of the asset) to provide interest and control information
  • introduce mandatory reporting of critical cyber security and other cyber security incidents that have or will have a significant or relevant impact (respectively) on the critical infrastructure asset.

 

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022

 

This Act improves information exchange between industry and government and makes risk management, preparedness, prevention and resilience business-as-usual for the owners and operators of critical infrastructure assets. The amendments made by the Act:

 

 

  • introduce additional requirements for Systems of National Significance – critical infrastructure assets that are deemed most crucial to the nation. Entities responsible for Systems of National Significance may be required to comply with enhanced cyber security requirements, such as:
    • developing cyber security incident response plans
    • undertaking cyber security exercises
    • undertaking vulnerability assessments
    • providing system information.

 

 

 

 

 

Understanding your critical infrastructure requirements

 

If your organisation sits within the 11 sectors of the SOCI Act, and owns, operates or has a direct interest in a critical infrastructure asset, the requirements of the Act may apply.

 

For a clear and simple understanding of these requirements, including definitions of key terms and links to important Department of Home Affairs publications and webpages, all in one place, sign up to Critical Infrastructure in SafetyLaw.

 

Critical Infrastructure in SafetyLaw provides easy-to-read summaries of key requirements from the SOCI Act relating to topics such as cyber security incidents, reporting and risk management programs. These summaries can also be integrated into your risk management strategies and cyber security practices, aiding in compliance, education and engagement with cyber security duties.

 

Sign up for a free trial to SafetyLaw or get in touch with our sales team.

 

 

 

 

 

 

Raising your cyber security defences

 

No one is immune to cyber security threats, but there are many ways to protect your digital footprint and that of your organisation. By implementing safeguards, you are contributing to the nation’s end goal of improved cyber protection and resilience.

 

Here are some things you can do:

 

For individuals

 

Individuals can:

  • enable multi-factor authentication (MFA) for online services, or if this is not available, use long and unique passphrases for every account
  • ensure automatic updates are available for all software
  • be familiar with phishing and other scams
  • register with ASD’s Alert Service, and report any cybercrime to ReportCyber.

 

For more detailed information, refer to ASD’s Personal Security Guides.

 

For organisations

 

In addition to the security steps for individuals, organisations can:

  • train employees to recognise phishing, scams and other social engineering attempts
  • only use cloud service providers and managed service providers that have appropriate cyber security measures in place
  • implement mitigation strategies, such as ASD’s Essential Eight, to reduce cyber security risk
  • promote and practise good cyber hygiene in the office and from home.

 

Snapshot of Environment Essentials’ cyber security actions

  • Implementing an Information Security Management System to aid in controlling our responses to any identified risks.
  • Regular reviews and audits on our software platforms by an external party.
  • Ongoing training for all staff and increasing skill coverage within our IT team.
  • Continuing improvements for infrastructure, backups, and their administration.

 

 

For critical infrastructure

 

In addition to complying with SOCI Act requirements, critical infrastructure organisations can also:

  • implement mitigation strategies, such as ASD’s Essential Eight, to reduce cyber security risk and build a risk management program
  • be familiar with the critical infrastructure’s network and all its assets including devices and operational technology
  • be proactive and regularly practise incident response plans
  • maintain communication with ASD and help build a clearer picture of the nation’s cyber threats.

 

 

 

 

 
