Published on 26/07/2022 | Written by Heather Wright
Expanded ‘critical infrastructure’ definition could catch AU business out…
Many Australian organisations are now required to report cybersecurity incidents within 12 hours, with businesses of all sizes affected by the SOCI Act amendments.
The amendments to the Security of Critical Infrastructure Act 2018 came into force earlier this month, expanding the number of regulated sectors from four to 11. They apply to cyberattacks affecting any ‘critical infrastructure asset’ as defined under the amending legislation. There are 22 critical infrastructure asset classes, with new reporting and notification obligations as well as increased government response powers.
“I’m concerned about SMEs, particularly in supply chains, such as ‘farm to plate’ and freight services”
Attacks which significantly impact the availability of an asset must be notified within 12 hours of the entity becoming aware of them, while other incidents that have a ‘relevant’ impact must be reported within 72 hours of the entity becoming aware of them.
The changes have prompted warnings that some businesses, particularly SMEs in newly impacted sectors such as food, grocery, health care and transport, could be caught out and face fines, which start at AU$11,100.
Darren Booth, director and national head of cyber security and privacy risk services at audit, tax and consulting firm RSM, says that despite efforts by those overseeing the roll-out of the new laws to identify affected industry stakeholders, some businesses and organisations could still be in the dark about the new reporting obligations, and about the other cyber security risk management requirements commencing later in the year.
Booth says that while well-regulated sectors such as energy, utilities and financial services should already have well-developed security procedures and reporting in place, less regulated sectors may have strong physical security for their assets but weaker cyber security, and could have significant work to do to bolster their mitigation, response, reporting and recovery approaches to potential cyber attacks.
“I think there’s been engagement with the big industries and players impacted by the legislative changes, but I’m concerned about the SMEs, particularly businesses in supply chains, such as ‘farm to plate’ and freight services,” he says.
“When I’ve raised the new regulatory obligations with businesses that I’m dealing with, many have been unaware of the changes and have had to seek legal advice to determine if they’re captured in the expanded net of critical infrastructure assets,” Booth says.
“The complexity of the changes, the current IT skills shortage, and the commencement of the new cyber incident reporting requirements just after the end of the financial year – the busiest time for business – may have also relegated the impending changes to the ‘too hard basket’ for some entities.”
Sectors defined as critical infrastructure – which originally covered electricity, gas, water and ports – now also include communications, data storage or processing, financial services, healthcare and medical, higher education and research, food and grocery, transport, space technology and the defence sector.
The amendments have wide-ranging implications, according to Australian law firm Corrs Chambers Westgarth, which notes that the process of determining which critical infrastructure assets are in scope, and whether an organisation is actually the ‘responsible entity’ for an asset, ‘may not be entirely straightforward’.
“In some instances, the SOCI Bill goes beyond assets owned by a responsible entity and captures a responsible entity’s supply chain, such as cloud storage or data processing providers.
“Responsible entities will need to review vendor contracts to ensure they contemplate compliance with the new government powers. This may include requiring vendors to provide assistance to responsible entities in responding to directions from the government and the ASD (for instance providing information on a cyber security incident or facilitating access to a critical asset).”
Corrs also notes a significant regulatory burden for many in the newly defined critical infrastructure sectors, who have not previously been regulated and will now need to ensure they have appropriate cyber incident monitoring and reporting systems in place.
There is some good news, however: the Cyber and Infrastructure Security Centre has said that for the first 12 months from 8 July 2022 it will take a ‘learning and familiarisation’ approach, working with entities on education, with enforcement reserved for ‘egregious non-compliance’ rather than the timeliness or detail of incident reports.
The new requirements come two months after the Federal Court found that financial services firm RI Advice had breached its licence obligations by failing to manage cybersecurity risks. Sensitive and confidential personal information of several thousand clients was ‘potentially’ compromised after attackers gained access via a brute force attack that went undetected for several months.
The case was the first time ASIC had exercised its powers over cybersecurity risk management, with RI Advice ordered to engage a cyber-security expert and take remedial steps supervised by ASIC.
In handing down judgment, Her Honour Justice Rofe noted that cybersecurity risk was significant for business and for the provision of financial services.
“It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” Rofe said.
Concerns over critical infrastructure attacks have been rising globally, with Australian organisations not exempt from the increases.
ACSC’s Annual Cyber Threat Report for FY2020-21 noted that about one-quarter of the more than 67,500 cyber crimes reported to ACSC were attacks on critical infrastructure or essential services.
“Significant targeting, both domestically and globally, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life,” the report says.
“While all Australian organisations should remain alert to the threat of ransomware, top-tier cybercriminals have demonstrated a growing preference to hunt ‘big game’ entities – those they perceive as high profile, high value, and/or those that provide critical services. The preference for big game hunting means that ransomware attacks may have rapid and serious consequences for the Australian community if deployed against essential services or critical infrastructure.”
Globally, the attack on the US’ Colonial Pipeline, which disrupted fuel infrastructure and led to panic buying in the US last year, and the JBS attack, which affected the Australian operations of the meat processor and saw the company pay a US$11 million ransom, have highlighted the impact of critical infrastructure attacks.