Facing the Increased Risk to Critical Infrastructure in Australia and the United States
Much like the rest of the world, Australia is witnessing a dramatic increase in cyber incidents targeting critical infrastructure. The Australian Cyber Security Centre noted that one quarter of all cyber incidents in the 2020/21 period were associated with Australia’s critical infrastructure or essential services. Globally, one third of industrial control systems were targeted by malicious activity in the first six months of 2021 alone, leaving lawmakers scrambling to keep up with the rate of change to the threat landscape. Much like the global pandemic and the land war in Europe, the level of cyber threat (once described with the now-worn adjective, ‘unprecedented’) is now very much the new normal. While Information and Operational Technology (IT and OT) convergence continues to expose decades-old operational technologies to the internet, Industrial Control System (ICS) attack kits and other malware tools continually mushroom up on the Dark Web, allowing malicious actors to exploit vulnerable systems with little or no technical knowledge of ICS or SCADA. For example, in April of 2022, the FBI released an advisory regarding the “Pipedream” toolkit, described as a veritable Swiss Army Knife for hacking Industrial Control Systems. While security researchers keep reporting ICS vulnerabilities that are remotely exploitable and do not require user interaction or specific privileges, the pandemic has made it easier than ever for attackers to exploit outdated ‘castle and moat’ network architectures to access OT systems through the compromised devices of remote workers. Meanwhile, continuing uncertainties over the Ukraine conflict have sparked a flood of urgent advisories warning of an additional threat source in the form of direct or indirect retaliatory cyber-attacks, particularly for critical infrastructure. Both Australia and the United States have introduced measures to combat these emerging threats. Australia’s SLACI and SLACIP Acts (collectively referred to as the Security of Critical Infrastructure [SOCI] legislation) and the US Biden Administration’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (referred to herein as NSM for brevity), introduced last year, have some broad parallels in their aims, but also have significant differences in the approaches taken that are worth examining. The rationale for the amendments to the Australian Critical Infrastructure laws were communicated by the government as urgent, with Australia facing a very serious and rapidly deteriorating cyber security environment. The government said they had “compelling evidence that the pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate”. The United States provided a similar rationale in the Biden NSM, stating that “the cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation”. A Look at the Australian Approach In order to compare and contrast the approaches taken by the US and Australian governments, it is prudent to examine the development of each in turn. For the Australians, the challenge was seen as devising a way to deliver a swift and comprehensive response to the emerging threats. However, implementing the response was not as straight-forward as first conceived, and the whole process was burdened by significant disagreements between industry and government on the exact response required. Until recently, critical infrastructure in Australia fell into one of four categories: electricity, gas, water, and ports. However, the pressures of the pandemic and the increasing volume of cyber-attacks on critical sectors beyond these traditional categories forced the Australian government to reassess its conception of what is critical. In order to uplift the cyber security posture of critical sectors, Australia recently broadened its legislated critical infrastructure asset classes from 4 to 11 sectors, bringing Australia’s definition of Critical Infrastructure much closer to the 16 critical infrastructure sectors already established in the United States. The development of the SOCI amendments and their introduction to Parliament was preceded by a consultation process based on discussion papers and exposure drafts of the legislation. The intention of the consultation phase was to involve industry in guiding the framework development. For many in the affected industries, however, the process felt more like being heavily pressured to decide on the purchase of an ill-fitting suit. While the Australian Government continually emphasised the urgency of the legislation to safeguard Critical Infrastructure in an increasingly hostile threat landscape, those impacted called for more consultation to clarify responsibilities, leverage existing frameworks, and reduce the regulatory burden. In the interests of expediting the process, the government chose to design and define much of the regulation in legislative instruments, rather than in the primary legislation. This created an inherent uncertainty in determining the regulatory and financial impact because the definitions were found to be unclear and sometimes inappropriate. Impacted stakeholders complained that the consultation process was too rapid, and that the government had not sufficiently engaged with industry regarding their concerns, questions, and recommendations. It became apparent that achieving both a swift and a comprehensive response to the threat was not going to be possible, and many called for the process to be paused. As a result, Australia’s Parliamentary Joint Committee on Intelligence and Security (PJCIS) were tasked with reviewing the operation, effectiveness, and implications of the proposed changes. The Committee found that “many companies, industry bodies or stakeholders did not feel like their input or feedback had been actioned or acknowledged” due to a lack of promotion of the process, inadequate engagement, and insufficient information to allow stakeholders to make comprehensive submissions. The Committee also warned that if the government persisted in attempting to achieve both a swift and comprehensive response to the threat in the same process, it may achieve neither. The PJCIS concluded that the proposed Bill of amendments should be split into two Bills; the first to promptly legislate urgent measures seeking to address the immediate threat, while deferring the remainder to a second Bill after further consultation and collaboration with industry. Two weeks after the PJCIS report, the government tabled and passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), increasing Australia’s four Critical Infrastructure sectors to 11, with 22 defined asset classes. The SLACI Act also brought into effect government intervention measures, cyber incident reporting obligations, and a mandatory Register of Critical Infrastructure Assets. On April 2nd, 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) became law, implementing the final package of amendments including the Positive Security Obligations and Enhanced Obligations for Systems of National Significance (SoNS) A Look at the United States’ Approach On July 28, 2021, while the Australian government was still wrestling with the concerns of industry to its proposed reforms, US President Joe Biden signed a memorandum to modernise defences in industrial control systems (ICS). This action came hot on the heels of the now infamous Colonial Pipeline cyberattack which occurred on May 7, 2021, when a company managing an oil pipeline system carrying gasoline and jet fuel from Texas to the South-eastern United States suffered a ransomware attack that ultimately resulted in a shutdown of the pipeline and a great deal of public panic. Subsequently, on May 12, 2021, the Biden Administration set out new policy to remove existing contractual barriers to threat information sharing between IT and OT service providers and executive government departments and agencies responsible for investigating or remediating cyber incidents, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC). The policy also implemented a range of measures to modernise the federal government’s own cyber security posture, including adopting Zero Trust Architecture and secure cloud services, centralising and streamlining access to cybersecurity data, and ordering investment in the necessary technology and personnel to accomplish these tasks. Other measures in the order included mandating two-factor authentication (2FA), encryption, and log storage requirements for federal government systems; creating standardised playbooks for federal government incident response; establishing government-wide endpoint detection and response system; and mandating baseline security standards for the development of software sold to the government. Utilising the newly established policy, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced a security directive on May 27, 2021, aimed at critical pipeline owners and operators. The directive required critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator who was to be available 24 hours a day, seven days a week. The directive also required critical pipeline owners and operators to review their current practices, identify gaps, and report the results to the TSA and CISA within 30 days. As a result of the aforementioned policy and the first DHS/TSA directive, CISA was able to better advise the TSA on cybersecurity threats to the US pipeline industry and on effective countermeasures. On July 20, 2021, a second directive was issued requiring owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information and operational technology systems, develop and implement cybersecurity contingency and recovery plans, and conduct a cybersecurity architecture design review. On July 28th, 2021, a little over a week after the second directive, President Joe Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (NSM). This memorandum established the Industrial Control Systems Cybersecurity Initiative (the ICSC Initiative), a voluntary and collaborative effort between the Federal Government and the larger critical infrastructure community to significantly improve the cybersecurity of Industrial Control Systems. The primary objective of the ICSC Initiative was described as defending the United States’ critical infrastructure by encouraging and facilitating the deployment of threat visibility and detection systems and associated response capabilities for control system and operational technology networks. The NSM also implemented the sharing of threat information between government and industry, facilitated by the May 12th policy, for priority control system critical infrastructure throughout the United States. A Stick or a Carrot? The voluntary and collaborative approach of the US National Security Memorandum means the NSM was not a regulation or law and there would be no fines for non-compliance. The US government expected that all responsible critical infrastructure owners and operators will apply the measures as a whole-of-nation effort, with industry doing its part. Some commentators suggested, however, that should the engagement of industry fall short of the anticipated uptake, more forceful measures might be introduced. Back in Australia, the government was not willing to place such a level of trust in the owners and operators of critical infrastructure to implement voluntary measures. Instead, the carrots were discarded for a rather large stick. In contrast to the US National Security Memorandum’s voluntary and collaborative approach, Australia established legislated obligations carrying fines for non-compliance. The corporate penalties for failing to comply with reporting or information provision obligations carried a penalty of $55,500 per breach or day for non-compliance, while failing to comply with government assistance measures could result in significantly higher financial penalties, in addition to 2 years imprisonment. In addition, many Australian owners and operators of critical infrastructure assets would now be subject to Positive Security Obligations, including the implementation of a risk management plan and mandatory reporting. Although similar to the Department of Homeland Security’s directives aimed at pipeline owners and operators in regard to risk management, gap analysis, and mitigation, the Australian approach was to apply such obligations across the board. The changes also created a new tier of assets called Systems of National Significance (SoNS) and imposed enhanced obligations on the responsible entities for those assets. Under the changes, the Australian government could privately declare a critical infrastructure asset to be a SoNS, with four core enhanced cyber security obligations, including incident response planning obligations, requirements to undertake cyber security exercises and vulnerability assessments, and provision of access to the Australian Signals Directorate of system information. The differing levels of trust in the critical infrastructure industries between the US and Australia did not stop at compliance, however; there were also significant differences in how the two governments approached the concept of ‘assistance’. Assistance and Enforcement The Biden Administration’s NSM stipulated that sector Risk Management Agencies and other executive departments and agencies were to liaise with and assist those critical infrastructure stakeholders, owners, and operators in implementing the principles and policy outlined in the NSM. These included the deployment of threat visibility and detection systems, developing response capabilities for ICS and OT networks, and establishing the nuts and bolts for the sharing of threat information between government and industry. Meanwhile down-under, any Australian critical infrastructure owners and operators within one of the newly defined eleven sectors could be subject to Government Assistance measures. Note the difference in language compared with the Biden NSM. The Australian government’s wording does not infer the entity would be ‘in receipt of’ or ‘eligible for’ assistance, but rather subject to. response capabilities for ICS and OT networks, and establishing the nuts and bolts for the sharing of threat information between government and industry. Despite industry protests regarding excessive government and ministerial powers without judicial review or independent oversight, these measures would allow the Australian government to request information, direct an entity to take an action, or to intervene directly in an incident. The information gathering direction would be the first stage of escalation in the event of a significant incident where the government would be able to compel an entity to disclose information related to a cyber security incident to determine the need for further escalation of support and intervention. The action direction would allow the government to direct an entity to take action that is reasonably necessary and proportionate to achieving the objective of resolving the incident. An intervention request would be at the extreme end of the government‘s authority, allowing the government to direct the Australian Signals Directorate (ASD), with support from the Australian Federal Police (AFP), to intervene directly in an incident. Different Strokes to Protect the World The National Security Memorandum (NSM) on Improving Cybersecurity for Critical Infrastructure Control Systems recognised from the outset that cybersecurity needs vary greatly among critical infrastructure sectors, as do cybersecurity practices. However, the NSM also recognised the need for consistent baseline cybersecurity goals across all critical infrastructure sectors, as well as a need for specific security controls for select critical infrastructure. Therefore, the NSM ordered the development of cybersecurity performance goals for critical infrastructure in pursuit of these baseline security practices. For Australia, one of the key challenges was the significant differences in cybersecurity maturity within and between the eleven critical infrastructure sectors, as well as between existing levels of regulation. In their responses to the exposure drafts, many industries pointed out that they already had regulatory regimes and standards that adequately managed the risks to their assets and that these needed to be considered and incorporated to make the amendments work as efficiently as possible. To navigate this issue, the Australian government established risk management program obligations designed to establish a minimum set of safeguards where there were no other regulatory settings to achieve the same purpose. Conclusion Both the United States and Australia have sought to establish security amendments with the objective of ensuring that Critical Infrastructure sectors achieve and maintain a defined standard of security. The Australian approach has been to design and define much of the regulation in legislative instruments rather than in the primary legislation, and to brush all eleven Critical Infrastructure sectors with broad security strokes. In contrast, the Biden Administration’s approach has been much more focussed on specific mitigations. While the US memorandum does direct the development of cybersecurity performance goals for critical infrastructure by CISA and NIST, it also seeks to establish a stronger security posture through specific strategies. It is worth remembering that, despite the many shared aspects of culture, systems of government, and core values, Australia and the United States are very different countries requiring different approaches to achieve the best possible outcomes for the security of their most critical assets. Despite these differences, there are shared common adversaries who are increasingly targeting critical infrastructure and threatening many of the foundations on which modern societies heavily depend. The onus of protecting our nations is no longer the sole domain of governments. It is now a responsibility shared with our critical infrastructure owners and operators, their stakeholders, and the entities providing key services to these organisations. Those responsible for the Industrial Control Systems that keep our nation functioning must ensure they are on top of their own Operational Technology protection. If they do not, they may find themselves the first of many dominos to topple in a significant attack, potentially bringing modern life to a standstill.