Australian Cyber Security Magazine, ISSUE 13, 2022


Is the new security legislation enough to protect our critical infrastructure?

By Geoff Schomburgk, Vice President for Asia Pacific & Japan, Yubico

Energy, utilities, oil, gas and telecommunications are increasingly under cyber attack from nation-states, cybercriminals and hacktivists seeking to cause security and economic disruption. The 2020 Colonial Pipeline attack was a wake-up call, proving just how vulnerable these critical infrastructure companies are to modern cybercriminals: a single compromised password resulted in a ransomware attack. Have Australian* companies in the critical infrastructure sector done enough to protect themselves in the two years since then?

Widespread regulatory change

The Colonial Pipeline attack was a pivotal point, triggering widespread regulatory change across the globe. In March 2022 the United States Senate approved new cybersecurity legislation that will force critical infrastructure organisations to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). Based on evolving intelligence, President Biden recently warned critical infrastructure owners and operators that the Russian Government was exploring options for potential cyberattacks, so they must “accelerate efforts to lock their digital doors.” In Australia, the recent revisions to the Security Legislation Amendment (Critical Infrastructure) Act 2021 represent one element of the Government’s response to the growing cyber threats faced by Australian critical infrastructure organisations.


The increasing threats were backed up by the findings of the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report, published in September 2021, which found that cyber-attacks are increasingly severe and frequent, occurring at a rate of one attack every eight minutes. Of increasing concern, the report revealed that approximately a quarter of cyber incidents reported to the ACSC in the 2020-21 financial year were associated with Australia’s critical infrastructure or essential services.

In passing the 2021 Security of Critical Infrastructure (SOCI) Act, Australia joins other leading global economies in implementing a regulatory regime to protect its core critical infrastructure assets from cyberattacks. Whereas the SOCI Act previously covered only specific assets in the electricity, gas, water and maritime/ports sectors, the Act now expands the coverage to encompass eleven sectors, including higher education, communications, healthcare, water and sewerage, space technology, food and grocery, defence, data storage and transport.

*Source - Gilbert & Tobin

New powers to seize control

The second tranche of the controversial new legislation, introduced in February 2022, includes last-resort powers for the Australian Signals Directorate, empowering it to install and maintain computer software that allows it to take control of serious cyber security incidents that impact the ability of Australia’s critical infrastructure assets to deliver essential services.

