Critical Infrastructure #2

Critical Infrastructure – Part 2

Author: Mel Griffiths

A new approach for a new threat landscape

On the 11th of July 2018, the Security of Critical Infrastructure Act 2018 came into effect, along with its obligations for owners and operators of assets in the electricity, gas, water, and ports sectors. The aim of the Act was to “manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure”. However, the provisions in the Act were developed prior to the COVID-19 pandemic, which was accompanied by a flood of cyber-attacks frequently targeting critical sectors not captured in the Act.

This new threat landscape prompted revision of the Security of Critical Infrastructure Act’s definition of which sectors qualified as critical. As a result, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is currently before Parliament. The Bill will expand the number of regulated sectors to include banking/finance, communications, data and the cloud, defence, education, research and innovation, food and grocery, health, energy, space, transport, and water.

It is the position of Sapien Cyber that it is the responsibility of trusted information-sharing networks to educate the community on the Bill’s purpose and consequences. This article aims to provide clarity on the impact of the Bill on the various sectors affected by the obligations and to characterise the response from industry. In this post, we will discuss the Healthcare and Medical and Communications sectors.

The Healthcare and Medical sector – Significant threat in a challenging area

The Health Care and Medical sector has increasingly become a favourite target of cybercriminals and provides an excellent example of the rationale behind extending the Security of Critical Infrastructure Act 2018 to include more industry sectors. The Health Care and Medical sector, as defined in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, includes the provision of health care, or the production, distribution, or supply of medical supplies, while the definition of Health Care includes dental, medical, radiography, nursing and midwifery, occupational therapy, optometry, pharmacy, physiotherapy, podiatry, and psychology services provided by individuals. The new definition of critical hospital asset refers to critical infrastructure assets owned or operated by a hospital with a general intensive care unit. However, Telstra Health has rightly emphasised that critical hospital risk management is challenging and that security and continuity of service comprise a complex interconnection of technology and people-based systems with long and complex supply chains.

MISA, the Medical Software Industry Association, which represents this area of the industry, has asserted that there is a lack of detail regarding incident reporting as well as a lack of alignment with existing legislation, such as the My Health Record Act and various Commonwealth and Jurisdictional legislation and policies. Duplication in these areas may result in organisations being required to undertake “multiple conformance testing without any perceived or real security value”.

Likewise, Medicines Australia, which leads the research-based pharmaceutical industry, is cautious of the introduction of government powers that might inadvertently impede the ability of companies to continue usual business operations. They have stated that it “would be an undesirable outcome if, due to onerous security requirements, clinical trials were delayed, thereby denying patients access to innovative life-saving medical treatments”. There is also concern that the costs associated with increased security measures may be passed on to industry, and Medicines Australia have urged the Government to consider support measures that will assist public and private institutions in transitioning to the higher security obligations.

Consumer Healthcare Products (CHP) Australia, representing the manufacturers and distributors of consumer health care products, have outlined concerns that their industry is impacted by the sector-specific standards and obligations for both the Health Care and Medical and the Food and Grocery sectors in the Bill, arguing that the current definitions of these sectors, as well as of Health Care and Medical supplies, are overly broad. This position has been repeated by Telstra Health, who have noted that “complex supply lines relating to hospital care in particular” may result in the intent of the measures being difficult to achieve. CHP Australia have highlighted that the manufacture and supply chains required for their products are already subject to a high level of regulatory obligations, characterising the regulatory framework proposed in the Bill as “wide-ranging”, “onerous”, and neither necessary nor warranted.

A common question regarding the Bill raised by a number of sectors and echoed by CHP Australia is why, if no significant cyber security failings have been identified in their specific area, they should be subject to the introduction of such “widespread and onerous legislated requirements”. This may be a somewhat naive and self-preserving position, given the emerging threat landscape in the Health Care and Medical sector, which has become more critical than ever due to the ongoing pressure of the COVID-19 pandemic. The sector was already in a vulnerable position from a cybersecurity perspective; the pandemic has compounded its pre-existing issues, and together with a surge in targeted exploitation from cybercriminals, the need to provide greater protection is vital.

Fear and loathing in the Communications sector

The Communications sector is defined as businesses that supply, own, or operate a carriage or broadcasting service or asset, or are used in connection with these services or assets. It also encompasses sectors that administer an Australian domain name system. Broadcasting transmission assets are considered critical if they are (a) owned or operated by the same entity and located on a critical transmission site, (b) located on at least 50 different sites and are not broadcasting re-transmission assets, or (c) owned or operated by an entity critical to the transmission of a broadcasting service. Some companies may still be prescribed without meeting the above thresholds, including TX Australia, which services many major broadcasters that otherwise do not meet the “at least 50 sites” threshold.

BAI Communications Australia (BAI) have argued that simply defining a number of sites does not capture an accurate measure of control of critical broadcasting assets. Other factors such as population served, unique coverage provided, and alternative modes of delivery available are more appropriate and would allow entities who own and control critical transmission assets to be specified more accurately.

The Communications Alliance, which represents the Australian communications industry, is also critical of the asset definitions, which it says are overly broad and simply provide a “non-exhaustive list of items that may be considered an asset instead of a clear definition of the term”. For example, the terminology “use in connection with the supply of a carriage service” might conceivably result in every asset within the sector becoming a critical telecommunications asset. This sector is experiencing much confusion as a result of a lack of detail provided by the Government thus far. It has been argued that the timeframe allocated for the co-development of sector-specific rules has been too short, making it difficult for this sector to properly understand the impact and function of the obligations. The Communications Alliance has even gone as far as to question whether the proposed regime will meet regulatory best practice at all.

Once again, we also see a lot of disquiet that the Bill will introduce conflict as a result of overlapping and duplicative obligations, both within the Bill, and from co-existence with existing legislation, such as the Telecommunications Sector Security Reforms (TSSR) and the Telecommunications Act 1997. The Communications Alliance has advised that enhancing security obligations would best be achieved under the TSSR, rather than within the proposed legislation, thereby avoiding duplication of obligations such as maintaining a risk management program, which is already captured by the section 313 requirements of the Telecommunications Act 1997.

Both Free TV Australia and the Communications Alliance have joined the chorus of other sectors regarding concerns over potential increased administrative, operational and financial burdens. Free TV have stated that any required boost in security arrangements should have a matching boost in the form of “a funding deed with the Government in recognition of the driver for these costs being a change in Government policy, rather than changes in best practice asset management”. This caustic assessment of the proposed legislation is not unique to the owners and operators of broadcast assets.

Within the proposed legislation, an asset is considered a critical domain name system if it is managed by or used in connection with an entity that is critical to the administration of an Australian domain name system. It has also been recommended that the .au country code Top Level Domain be made a critical domain name system. Afilias, the Registry Operator for the .au ccTLD, has clearly stated that “the Government is well-advised to continue its path to keep the Positive Security Obligation dormant for the .au namespace”. They feel the existing “structural guardrails” are sufficient and do not require any further Positive Security Obligations or Agency intervention, which they fear will add unnecessary burdens and costs. Afilias has strongly stated their position, saying that the existing management and oversight of the .au ccTLD is more than sufficient.

Overreach and overlap are common concerns

In this post, we examined the Healthcare and Medical and Communications sectors. It is clear that the proposed Government intervention powers are commonly seen as over-reach that may impede or threaten industry. There is also much concern over the lack of alignment with existing legislation and potential overlap within the Bill for some businesses caught between defined sectors. As a result, there have been calls for an approach that leverages existing legislated obligations. Given the increasing risk to Australian Critical Infrastructure evident in the evolving threat landscape and the urgency with which the proposed legislation is being developed, it seems unlikely that sufficient time will be available to manage amendments or even consult with industry on such suggestions. At this stage, it appears the Bill will proceed, although its final form and specific impacts on Critical Infrastructure owners, operators, and assets remain to be seen.