Critical Infrastructure 1 of 6
Critical Infrastructure – Part 1 Author: Mel Griffiths Critical Infrastructure cyber-attacks are on the rise Cyber-attacks targeting Critical Infrastructure are increasing in frequency and efficacy. These attacks are profitable for cybercriminals and offer plausible deniability for Nation States who use these groups as “hired guns”. In late 2020, the software supply-chain compromise of SolarWinds resulted in one of the most significant cyber intrusion incidents to date, impacting businesses and Critical Infrastructure assets across the globe. In February of this year, a cyber-attack on a water treatment system in Oldsmar, Florida very nearly resulted in the poisoning of water supplies. In May, a ransomware attack led to the shutdown of the Colonial Pipeline, resulting in one of the most significant and successful cyber-attacks in US history. June saw ransomware attacks on meat producer JBS USA and on St. Joseph’s/Candler Hospital in Georgia, impacting food supply chains and healthcare systems. There is a clear global uptick in cyber-attacks on vulnerable Critical Infrastructure chokepoints, with the intention of creating severe and significant impacts to maximise profit or damage. It is also clear that threat actors have broadened their targets beyond traditional ideas of what constitutes Critical Infrastructure. The reality is, if it is critical and vulnerable, there is money to be made. Australia’s Critical Infrastructure clearly faces a realistic, credible, and immediate threat. The Critical Infrastructure Bill is now a matter of urgency In response to the increasing threat, the Australian Government’s proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020 is set to significantly broaden the defined Critical Infrastructure sector. The proposed Bill will introduce positive security obligations, including enhanced obligations for systems of national significance, and allow Government intervention in security incidents. Despite several Tech giants who operate within Australia taking issue with the proposed Government interventions, Minister for Home Affairs, Karen Andrews has recently announced that passage of the Critical Infrastructure Bill through Parliament will be prioritised, stating that the Bill “provides significantly more protections than it does introduce risks”. Understanding your sector, your security, & your obligations However, it may not be clear exactly how these changes may impact your sector and how your organisation will be required to change the way it manages its cybersecurity function. The Bill itself is not an easy read, and many Critical Infrastructure owners and operators are unclear as to what the proposed changes will mean to them. Additionally, the broadening of the definition of Critical Infrastructure means that many organisations which were not previously identified as such may be caught unaware and unprepared for the obligations laid out in the impending Bill. Michelle Price, CEO of AustCyber has highlighted the importance of education on the Bill’s purpose and consequences through trusted information-sharing networks. This series of blog articles from Sapien Cyber is intended to assist organisations in tackling the challenges they may face with the introduction of this new legislation and provides fresh insights as the Bill progresses. These articles will discuss the broadened definition in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, what will constitute Critical Infrastructure, and how the new legislation will impact the security function of each of these defined sectors. We will also examine the positive security obligations imposed by the Bill, what they entail, and what changes Critical Infrastructure Owner / Operators will need to make to meet these obligations. In addition, we will tackle the somewhat controversial topic of Government intervention in the incident response process in the event of a significant attack on Critical Infrastructure, what this actually entails, and how organisations can prepare.