Critical infrastructure security legislation amendment: Here’s what your business needs to do

Recently, Australia’s critical infrastructure has been hit hard by a surge of cyber attacks, culminating in a record 4500 hacking attempts in just one day. The Annual ACSC Cyber Threat Report revealed that the hardest hit sectors during the 2019 to 2020 financial year included government (commonwealth and state/territory), health, education, finance, and IT.

The reported data accords with the government’s own public pronouncements. Everyone remembers the Prime Minister’s announcement of a months-long campaign of cyber attacks, state-backed and wide-ranging, covering all levels of government in addition to essential services and businesses.

Nor did the attacks themselves stop. Later, Defence Minister Linda Reynolds decried a “new normal” of persistent cyber attacks on Australian targets, effectively blurring the lines between “peace and war.”

What leaders need to know about the government’s response plan

The government has reacted in kind, first releasing Australia’s Cyber Security Strategy 2020, an update to the 2016 version. The 2020 strategy laid out what the government considers its own responsibilities and those of Australian businesses in ensuring a baseline of cyber resilience across the economy.

The strategy involves a hefty $1.7 billion in funding over 10 years, with about $500 million of that package allocated to expanding the cyber security workforce within the Australian Signals Directorate (ASD), which has an information security remit.

The strategy is also matched by new legislative commitments passed last week, after the government pledged to update the Security of Critical Infrastructure Act passed back in 2018. Initially, the act sought to manage the national security risks of sabotage, espionage, and coercion posed by foreign involvement in Australia’s critical infrastructure.

At the time of passage, regulated assets were limited to those in the electricity, gas, water, and ports sectors. That’s no longer the case.

Recently passed by Parliament, amendments to the act, Security Legislation Amendment (Critical Infrastructure) Bill 2021, is set to expand the number of regulated sectors to banking/finance, communications, data and the cloud, defence, education, research and innovation, food and grocery, health, energy, space, transport, and water.

Additionally, the amended act will expand the framework established to manage risks related to critical infrastructure. Per the legislation, the new framework will consist of:

• Keeping a register of information in relation to critical infrastructure assets
• Requiring responsible entities for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program
• Requiring notification of cyber security incidents
• Imposing enhanced cyber security obligations that relate to systems of national significance
• Requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset
• Allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security
• Allowing the Secretary to require certain entities relating to a critical infrastructure asset to provide certain information or documents
• Setting up a regime for the Commonwealth to respond to serious cyber security incidents
• Allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset

On the compliance side, civil penalty provisions are attached. They may be enforced using civil penalty orders, injunctions, or infringement notices. Enforceable undertakings may also be accepted in relation to compliance with civil penalty provisions.

Digital software to help Australian companies prepare

The upshot of the legislation is that broad swathes of Australian businesses will soon be considered critical infrastructure entities for the first time.

How can they prepare for the new compliance regime?

Well, part of that compliance regime entails managing risks that may impact a regulated entity’s business continuity as well as the country’s economy, security, and sovereignty. Complying with the positive security obligation (PSO), for one, will require businesses to identify and understand their risks, mitigate those risks so they don’t turn into incidents, minimise the impact of realised incidents, and implement effective governance and oversight processes.

While this might seem overwhelming to businesses who previously didn’t have to meet mandatory security obligations, at Noggin, we recommend investing in dedicated critical infrastructure protection software technologies. Investing in smart, digital software enables regulated entities to easily demonstrate compliance with new positive security obligations.

How so? The platforms are strategically designed to provide greater assurance that risks are being treated and controls are in place and effective with the following capabilities:

1. Consolidate the threat and risk picture across all assets, for greater visibility and management, by maintaining key details of assets and stakeholder contacts

2. Assess risks and threats using industry-standard tools

3. Enable an ‘all threats’ perspective, encompassing physical, cyber, personnel, and supply chain security

4. Conduct security threat assessments, inspections, crowded place, and impact assessments, with tools for operators to inspect, track, and rate the vulnerability and preparedness of critical infrastructure assets to specific threats

5. Easily communicate and coordinate with asset custodians across the enterprise, by disseminating notifications and products such as official advice to asset custodians

6. Log, task, and report

7. Prepare for and/or respond to planned events or incidents

What’s more, critical infrastructure protection platforms are also purpose built to support highly relevant use cases. With tools available for both regulator and operator user groups; both the tracking and management of access to people outside of the regulatory or operating organisation are also enabled. Another supported process is maintaining key details of the critical infrastructure asset, such as its location, type, criticality, and stakeholders.

The government’s own enhanced security framework to make critical infrastructure more resilient and secure demonstrates the critical need for stronger identification and better sharing of threats. Digital technology plays a key role in offering solutions that provide situational awareness to stakeholders by sending out notifications to emails or bulletin board-style notices viewable on user dashboards.

The risk environment has deteriorated precipitously, and our nation’s critical infrastructure is on the frontlines. For its part, the government has developed a robust compliance regime that ropes in a larger number of critical infrastructure entities.

Although the particulars of that regime are being worked out at the sectoral level, regulated entities will have to develop risk management programs to manage the threats that potentially have spill-over impacts on the country’s economy, security, and sovereignty.

For newly regulated entities, this may seem like a lot. Digital critical infrastructure protection software will help Australian businesses not only to take a meaningful step towards compliance but also to keep improving the quality of their risk and security management processes in the face of a dynamic threat.