Categories for Blogs & Articles

IT & OT Convergence

October 17, 2021Published by Jeffrey Eaton
How to confidently protect your converged OT & IT environment.

The integration of Operational IT (OT) and Information Technology (IT) accelerates across industrial sectors as organisations digitally transform. OT and IT convergence, digitised architectures and machine learnings offer improvements, efficiencies and valuable insights into better ways of doing things. However, they also introduce new cybersecurity concerns. There are important cybersecurity challenges to overcome when integrating different and distributed Internet of Things (IoT) devices and technologies.

The cybersecurity challenge in OT and IT environments

Bringing together OT and IT enables agility and new business processes and opportunities. Rapid deployment and scalability are more manageable when using new systems and platforms. OT assets are typically legacy operating systems that don’t have built-in security capabilities in the software. OT assets are vulnerable to cybersecurity breaches because of their inherently complex topologies, lack of visibility and understanding of how and when assets are used.

Introducing intelligent devices and platforms, cloud connectivity, IoT and networks add to the complexity of the OT cybersecurity environment. Digitisation increases the volume of security data, visibility gaps and highlights a need for more automated cybersecurity measures.

In industrial settings, production downtime is measured by cost per minute and relates to lost revenue. An industrial style outage means wasted resources, damaged equipment or worse. Teams need to be able to quickly identify which device is breached and evaluate whether it impacts a critical system that could put people, production or facilities at risk. Organisations require defined processes to quarantine breached devices until they are cleared to return to the operating environment.

A chain is only as strong as its weakest link.

Connected and interconnected devices represent entry points for the bad guys. OT assets on public networks and the internet may be vulnerable to bypassing authentication and provide unauthorised access. Third-party providers installing unsecured assets may expose network access points open to a breach.

Programmable controls, cameras, sensors and equipment often come with embedded software that needs careful integration with existing programs or hackers can expose stack-based vulnerabilities and take control of the assets. For example, a simple flaw in the integration code could result in a breach could disable the safety systems designed to prevent an accident.

OT and IT systems cover both digital and physical spaces that demand continued uptime. Organisations must balance availability, privacy and integrity while protecting their environment from imminent cybersecurity threats.

Gaining better visibility of your OT environment.

Mitigate cybersecurity risks by considering the following:
  • Improving the visibility of your OT assets means gaining insights and information to prevent an unwanted breach.
  • Identify and understand your OT asset software and hardware inventory, including reviewing legacy processes for vulnerabilities.
  • Plan for regular OT network assessments and audits across operating systems and application software.
  • Document the processes across your OT environment and understand those that may impact your organisation’s safety, operation, and environment. Prioritise and protect these areas by securing connections, monitoring for intrusions and logging incident responses for ongoing learning.
  • Enabling automated threat detection is a must.
  • Create an incident response plan, so if a security breach occurs, you have to take immediate and automated action.

Critical Infrastructure #6

October 12, 2021Published by Jeffrey Eaton
Critical Infrastructure – Part 6

Author: Mel Griffiths

Preparing For a Cyber Pearl Harbour

“What I’m worried about is a ‘cyber Pearl Harbor’ — an online attack that cripples our critical infrastructure and catches us all by surprise… That’s why we’re seeking to pass legislation that safeguards those critical assets that make up our digital economy and sovereignty.”

Andrew Hastie, Assistant Minister for Defence

The Australian Government continues to reiterate the urgency of their plan to pass legislation intended to safeguard Critical Infrastructure in an increasingly hostile threat landscape. Industry sectors impacted by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 have called on the government for further consultation, offering a plethora of sector-specific recommendations designed to clarify responsibilities, leverage existing frameworks, and reduce the regulatory burden.

In an effort to balance the urgent requirement to pass the legislation with industry concerns, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has suggested that the government urgently pass the portions of the Bill that focus on government assistance mechanisms and mandatory notification requirements, while introducing the remaining aspects under a separate Bill following further consultation.

This move may raise further concerns from industry given the number of objections regarding the extent of the proposed government powers, as well as the lack of any avenue for appeal. For example, the Australian Information Industry Association (AIIA) has questioned the appropriateness of the powers inherent in the legislation for the data storage or processing sector, given its complexity, interconnectedness, overlapping regulatory regimes, and the potential global implications. Palo Alto Networks has gone so far as to recommend that the data storage and processing sector be removed from the Bill altogether, citing other governments who have avoided defining this sector as Critical Infrastructure due to its complex and interdependent nature. There are also many aspects of mandatory notification requirements that have been challenged by industry, such as who should report, to whom, how often, under what circumstances, and in what timeframe.

The defence industry sector, the data storage and processing sector, and the space and technology sector are three areas targeted in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, although it appears the Bill is likely to impact businesses in these areas in very different ways. The government has stated that the current DISP defence security mechanisms are sufficient to manage obligations for the majority of the defence industry, and the infant space industry has no assets to regulate yet, aside from those already covered in other sectors. Conversely, the data storage and processing sector has warned that, given the degree of overlap in regulations and the number of cross-sector customers that use data storage and processing services, there is a high likelihood that the data storage and processing sector could be “subject to the regulations and responsibilities of all regulated sectors simultaneously”.

DISP Sufficient for Defence Industry

Little has been made available in relation to Defence Industry responses to the Bill, which may be among the 30 submissions to government that remain confidential. The Bill defines the defence industry sector as supplying or producing goods, technology and services that (a) maintain Defence’s capability advantage, or (b) are limited by Defence due to their potential impact on Defence interests. This definition is intended to exclude industry entities captured under other sectors, such as electricity or water, while including organisations which provide or support a critical defence capability. The Exposure Draft Explanatory document defines critical defence capability as including material, technology, platforms, networks, systems, and services that are required in connection with the defence or national security of Australia.

Under the Draft Asset Definition Rules, any organisation providing or enabling a critical defence capability under a contract to the Department of Defence or the Australian Defence Force may be a critical defence industry asset. The government has noted that, while critical defence industry assets may be subject to each of the Positive Security Obligations, the Department of Defence may continue to manage obligations under its current Defence Industry Security Program (DISP) framework. The DISP framework manages the security and resilience of critical defence industry assets via a non-regulatory risk management program run by the Department of Defence.

Defence industry stakeholders, including peak bodies and federal, state and territory representatives have been invited to work with government in co-designing the rules to shape the requirements for a risk management program that may be ‘switched on’, if required, under the Bill. However, the government has stated that the existing defence security mechanisms under the DISP are considered sufficient for the majority of the defence industry. As a result, it is unlikely that the risk management program will be ‘switched on’ for the majority of businesses that fall within the defence industry asset class.

Can You Hear Me, Major Tom?

The addition of the Space and Technology sector to the list of Critical Infrastructure is a move intended to future-proof the security of an industry that is expected to become increasingly critical. The Trusted Information Sharing Network Space Cross-Sectoral Interest Group have asserted that the legislation needs to cater for significant growth and transformation in the sector.

The explanatory document accompanying the exposure draft of the Bill states that the space technology sector “involves the commercial provision of space-related services, and reflects those functions that are critical to maintaining the supply and availability of space-related services”. However, in sharing their views on the relevant aspects of the Exposure Draft of the Bill, the Philippines Space Agency suggested that the definition of the sector may not encompass critical non-commercial aspects, such as government owned satellites and other space technologies.

It is anticipated that the types of space and technology assets that may be designated as critical will include assets relating to position, navigation, and timing of space objects, space situational awareness services, space weather, space communications, tracking and control, earth observation, and facilitating access to space. However, the Bill does not include a specific definition of a critical space technology asset, because the only existing critical space technology sector assets identified are communications assets which are already covered under the proposed definition of critical telecommunications assets. Further assets may be prescribed under subsection 9(2) of the current SOCI Act as the space sector evolves and more critical assets are identified.

When Criticality Met Privacy

The data storage and processing sector is defined as the sector providing data storage or processing services on a commercial basis. Data storage or processing services may include enterprise data centres, managed services data centres, colocation data centres, cloud data centres, infrastructure as a service (IaaS), software as a service (SaaS), or platform as a service (PaaS).

To be classed as a critical data storage or processing asset, the asset must be owned by a data storage or processing provider and provide services either to government, a body corporate established by law, or a critical infrastructure asset which uses the service for business-critical data. AWS has suggested an amendment to the definition of critical data storage or processing asset in the Bill to include a simpler threshold, such as power usage or number of server racks, and that the definition of asset be limited only to physical infrastructure.

Regardless of the threshold, organisations may not be aware whether they meet this definition or that they have Critical Infrastructure clients, as they often do not have visibility over client data due to privacy requirements. Subsection 12F(3) of the Bill requires entities responsible for Critical Infrastructure to inform their data storage or processing service provider if they meet the definition of a commercial service provider to Critical Infrastructure for business-critical data. However, CISCO has suggested that a more thorough approach would be for government and industry work together to map supply chains to enable the relevant regulators to notify cloud service providers that they are providing services to Critical Infrastructure.

Critical Mass

Every sector has raised concerns about broad and vague definitions within the Bill, and the data storage and processing sector is no different. According to AWS and the AIIA, there are a number of other definitions which, as drafted, are ambiguous, too easily triggered, confusing, and will lead to over-notification and increased compliance costs. For example, the government has stated that the intention of the definition for business-critical data is to capture a critical infrastructure asset’s crucial operational information which, if compromised, would affect the availability or reliability of the asset, or have national security implications. However, Amazon Web Services (AWS) asserts that the government’s intentions are not carried by the definition of business critical data as (a) personal information that relates to at least 20,000 individuals, (b) sensitive information, or (c) critical infrastructure information relating to research and development, operations, or risk management. It is anticipated that the proposed thresholds will capture a minimum of 100 data centres and at least 30 cloud service providers.

The Australian Information Industry Association (AIIA) has asked the government to clarify the definition of ‘activities relating to business-critical data’, while AWS has labelled the definitions of critical data storage or processing asset and business-critical data as vague and unnecessarily broad. They argue that assets would fall into this category even if they are processing or storing business-critical data that is “only ancillary in nature”. In addition, AWS has recommended that the definition of cyber security incident should apply only if the incident has a systemic or broad impact to the relevant critical infrastructure asset and is a direct result of a third party’s malicious actions.

 That’s Not My Cloud

Data storage and processing is a cross-cutting sector, a feature that appears to have been overlooked by government. In cloud environments, for example, responsibility for security is frequently shared between the provider and customer, where the cloud services provider is responsible for “security of the cloud,” and the customer is responsible for “security in the cloud”. Such sharing of security responsibility is not clearly reflected in the Bill.

It has been recommended that an amendment be made to clarify that a cyber security incident only occurs in respect of a data storage or processing services provider or its customer when the incident occurs in their respective areas of responsibility. CISCO has further suggested that cyber security incidents for cloud and data processing entities continue to be reported to customers, who would then report to the Australian Cyber Security Centre (ACSC) as part of their own Positive Security Obligations. CISCO argue that this will maintain the confidentiality of customers while still providing the ACSC with appropriate visibility.

Let’s Split the Bill

The government continues to use strong language to emphasise the urgency with which it feels the Security Legislation Amendment (Critical Infrastructure) Bill must be passed in order to avoid a potential “cyber Pearl Harbor”. The task government originally set itself was to achieve sufficient security uplift across a disparate group of sectors and industries, using broad legislation, within a limited timeframe. Across the sectors, organisations have raised a chorus of objections to the lack of specificity, the degree of overlap with existing regimes, and the lack of guardrails on broad powers proposed in the Bill. Upon review of the situation, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has suggested splitting the Bill in order to satisfy the urgent requirement for intervention powers to counter any significant impending threat, while also addressing the legitimate concerns from current, and soon-to-be, Critical Infrastructure owners and operators.

Whilst this compromise may be viewed more favourably than the alternative, it remains to be seen whether the numerous concerns about the government powers will be addressed to the satisfaction of the impacted sectors, if a splitting of the Bill occurs. Despite the benefits of splitting the Bill, there still remains a lack of clarity on reporting mechanisms and which existing regulatory regimes might be leveraged to avoid duplication of effort. Many sectors are also still very concerned about the prospect of government software and interference in systems and the associated business and risk impacts.

Even with a splitting of the Bill, there is still the risk of a one-size-fits-all approach to the government assistance mechanisms and mandatory notification requirements that will have different implications for different sectors. Although still subject to the Positive Security Obligations, critical defence industry assets will likely continue to manage their obligations under the DISP framework, with the risk management program remaining switched off for the majority of defence industry businesses. Meanwhile, the application of government assistance mechanisms and mandatory notification requirements to the data storage and processing industry is fraught with difficulties due to its complex and globally distributed nature, existing privacy requirements, and the shared control and responsibility models used between providers and customers.

The defence industry remains publicly mute on the Bill, while cloud and data storage providers are strongly calling out the shortcomings of the legislation as it applies to their business, some even calling for an elimination of the sector from the Bill entirely. If the PJCIS recommendation to split the Bill is undertaken, it remains unclear if and how this feedback will be managed by the government.

Critical Infrastructure #5

September 25, 2021Published by Jeffrey Eaton
Critical Infrastructure – Part 5

Author: Mel Griffiths

Dams and Dollars: The Impact of the Critical Infrastructure Bill on the Finance and Water Sectors

The overall objective of the Government’s Security Legislation Amendment (Critical Infrastructure) Bill is to ensure that Australia’s Critical Infrastructure is secure; however, the expansion of critical sectors in the Bill has underscored not only the complex interconnections between industries and sectors, but also the number of existing regulatory frameworks that need to be leveraged, or at least considered, to make the amendments work as efficiently as possible. The co-design consultation for sector-specific obligations that will underpin the risk management program is currently underway for the Financial Services and Markets (payment systems) sector and has been completed for the Water and Sewage sector. However, some aspects of the Bill may be passed before others if the compromise suggested by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) is implemented. The PJCIS has recommended that the Government urgently pass the portions of the Bill that focus on Government assistance mechanisms and mandatory notification requirements, while introducing the remaining aspects under a separate Bill following further consultation.

The thinking appears to be that this would enable the swift passage of laws to counter current threats, while also providing additional time for co-design with industry. However, many of the concerns of the Water, Finance, and other sectors, centre around the Government’s proposed intervention powers (assistance mechanisms) which essentially allow the Government to shut down, change, analyse, remove, and control a piece of infrastructure and its component parts if an attack on that asset is perceived to put national security at risk. When discussing the Government’s proposed intervention powers in the Security Legislation Amendment (Critical Infrastructure) Bill, it is important to be aware of the counterbalances in place.

I’ve Got the Power

Most of the intervention actions cannot be undertaken without ministerial authorisation approved by the Prime Minister and the Minister of Defence, and only in the event of an attack on critical infrastructure impacting national security. Affected organisations can be ordered to perform internal or external audit of the security of their systems, and to report on systems either regularly or based on an event. Interestingly, if the information in the reports is potentially incriminating to the company or an individual, it cannot be used for criminal or civil proceedings unless they relate to the Act. The Government can also require that an organisation install, maintain and, wherever possible, keep online software for collecting and recording computer operation information to determine if further powers under the act should be exercised. Personal information is still protected by the Privacy Act 1988 in these circumstances.

The proposed powers also allow Government to intervene in systems for analysis including adding, removing, or modifying installed programs, and connecting computers to the organisation’s systems. Under some circumstances, the Government may order an organisation to take or refrain from taking certain actions, request access to premises, or take equipment for analysis. If access to premises is refused, the Government may engage the police, but cannot engage in force against an individual.

Is All This Really Necessary?

Most sectors have voiced their concern regarding the extent of the powers provided to Government in the Bill and the lack of conventional rights of appeal and oversight. The Water sector have stated that this “erodes natural justice and provides significant concerns in relation to potential regulatory over-reach and poor community outcomes”. For example, the Bill allows for Governmental intervention based on Ministerial authorisation, which would potentially allow an intervention order to be made prior to an event without the involvement or knowledge of the impacted organisation.

The Water sector have argued that there needs to be provision for notification and cooperation prior to an intervention, which should only be implemented in the event of non-cooperation or lack of response capability on the part of the Critical Infrastructure owners and operators.

The Australian Banking Association (ABA) have also voiced concern regarding the Step In powers, stating that the potential for implementing software and/or running scripts in intricate banking technology environments and networks is extremely high risk. Given the complexity and time-sensitive nature of banking systems and networks, there are fears that the potential impacts of interventions may not be easily defined and could unintentionally degrade system security or operate beyond the authorised scope. The Water sector have pointed out that Section 30DJ the legislation allows the Government to install software without any liability for potential damage that may be caused to systems, and has argued for a right of appeal or ability to recover costs.

The powers of physical entry have also raised some questions for the Australian Banking Association (ABA). The Government has indicated that such powers of entry would only be enforced on Australian soil, however, as the ABA has noted that “entry and action on Australian premises could create a connection to… overseas data centres and raise questions about liability under foreign law including regulatory obligations and contractual liability”. Consider a hypothetical scenario in which an Australian financial sector entity is using Amazon to host both their critical systems and their main corporate portal for customers to access. The entities systems and data in the cloud are replicated across different regional availability zones and they use a Security as a Service (SaaS) product provided by a company located in India. If an attack were to occur within the Amazon infrastructure or against the SaaS in India in such a scenario, it is not clear whether the Government would seek to gain access to Amazon or the SaaS infrastructure and premises, where and how access might occur, and which entity would have obligations to ensure this would be possible.

The Australian Financial Markets Association (AFMA) have called for robust checks and balances against these powers, particularly in regard to what clear evidential grounds would be sufficient to satisfy the Government that ministerial action would be warranted. The AFMA have made it clear that in their view, APRA regulated entities have the maturity and sophistication to warrant the ministerial ‘on switch’ for activating the Positive Security Obligations for a critical infrastructure to be kept ‘off’ for these entities. The AFMA have also warned that justified use of intervention powers should not promote distrust in industry cyber capabilities.

Burn After Reading

The Australian Banking Association (ABA) has noted that the information the Bill will require to be provided to government may be sensitive. They have raised questions over how such information will be protected throughout its lifecycle, arguing that legislation should detail its classification, handling, storage, retention and destruction. There is also concern from industry that the provision of the Bill to collect information may be broader than the stated intention of Government policy. Industry understands that the intention of the Government is to ask for data logs, excluding information or documents that may be under third party Intellectual Property. Given this understanding, the ABA has requested that an amendment be made to Section 30DB so that it expressly applies to data logs only, with third party IP exempted, and that entities may refuse to comply with some or all of a request for information that goes beyond this.

The Critical Infrastructure legislation makes it an offence to disclose some protected information, such as when as asset has been declared by the Government to be a System of National Significance (SoNS). However, the ABA has asserted that not all scenarios where an entity has a legitimate reason for disclosing information have been addressed. They have proposed that section 46 be amended “to permit an entity to disclose protected information, if the entity reasonably believes that doing so would assist the entity to comply with its obligations under the SOCI Act, other Australian and overseas law, or if the entity reasonably believes doing so is required under contract.”

The Financial Services Council (FSC) has rather gloomily predicted that, based on the exposure draft, the Bill will result in “another regulatory agency being imposed on financial services without a requirement for a streamlined approach with other agencies that already operate in financial services”. The FSC is not the first to note the degree of overlap and duplication of the Bill with existing frameworks.

One Size Fits None

The ABA has highlighted the need to eliminate differences between proposed requirements and existing regulatory regimes, particularly under prudential regulation. Financial Services Prudential regulations are the current benchmark in the Financial Sector. The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance, and superannuation, and is accountable to the Australian Parliament. Fundamentally, the Financial Services sector feels that the new regime under the Bill should defer to APRA’s existing financial sector regulatory obligations. These include CPS 220 Risk Management, CPS 234 Information Security, CPS 232 Business Continuity, and CPS 231 Outsourcing. Under the APRA prudential standard CPS 220, the Board of an APRA-regulated institution is required to provide APRA with a risk management declaration within three months of its annual balance date.

As it currently stands, the Bill would require an additional annual risk management program report to be submitted within 30 days. There is concern that Prudential Standard overlap with the requirements of the Bill will result in organisations having to prepare two reports with substantially the same information and adopt two distinct procedures for approval and sign off for the reports. The Australian Institute of Superannuation Trustees (AIST) has stated that the requirement to produce an annual report in this timeframe will put significant pressure on superannuation fund staff during an already demanding period.

Not only does the Financial Services sector feel that this would result in a substantial increase of the compliance burden without any meaningful difference in personal accountability of Board members, but that it is also inconsistent with the requirements under CPS 220 by requiring each Board member to sign the risk management program annual report. AIST has argued that such a requirement may be impractical, particularly if superannuation funds are required to do so 30 days after the end of the financial year. As a result, the Financial Services Sector has urged the Government to consider leveraging existing sector regulations covering similar board approval requirements.

Another imposed timeframe raising concerns is the proposed six-month period which organisations have to comply with the provisions of the Bill. The Water Services Sector Group (WSSG) has suggested that the six-month timeframe for compliance with reporting obligations may be insufficient and has suggested that this be amended to provide organisations with six months to provide an agreed implementation timeline.

We’ve Already Got One and it’s Very Nice

In their responses to the Draft of the Bill, many industries have pointed out to Government that they already have existing regulatory regimes and standards that adequately manage the risks to their assets. For example, the New Payments Platform (NPP Australia) have suggested that an asset should only be identified as critical to a critical payment system if the asset is already identified as a SIPS (Systemically Important Payment System). A SIPS is a payment system which, if attacked, could potentially endanger the operation of the whole economy, and are expected to observe the Principles for Financial Market Infrastructures issued by the CPMI and IOSCO. The Reserve Bank Information and Transfer System (RITS), used by banks to settle payment obligations, is the only system that has been determined to be a SIPS. This is not the only example where industry feels that the Bill may disrupt current best practice.

APRA Prudential Standard CPS 234 has been adopted as the cyber security benchmark for the Australian banking sector and is seen as driving appropriate levels of visibility, funding, and support to cyber security in the Financial Sector. As many organisations have undertaken significant work to respond to the APRA CPS 234 requirements, the Australian Banking Association (ABA) has asked Government to consider modifying the reporting requirements for cyber-security incidents in the Bill to match APRA CPS 234 for APRA regulated entities. However, there are several significant misalignments that need to be addressed.

For example, APRA CPS 234 requires an entity to notify APRA as soon as possible and, in any case, no later than 72 hours of a cyber incident, whereas the Critical Infrastructure Bill will require critical cyber incidents to be reported within 12 hours. The Water Sector has noted that the 12-hour reporting timeframe is also inconsistent with international good practice, such as the US National Institute for Standards and Technology (NIST) 800-53 Standard. Both NIST and APRA standards require reporting within 72 hours and the Water and Finance sectors are agreed that this requirement in the Bill should be aligned accordingly.

Apart from critical incidents, all other cybersecurity incidents are required by the Bill to be reported within 24 hours. The Water sector has argued that this obligation places additional regulatory burden on entities, particularly over weekends and holiday periods, and has recommended that the Government restrict reporting to significant risks only. Financial Services Council (FSC) has also urged the Government to revise these timeframes from 24 to 72 hours from the time of becoming aware of a confirmed incident.

In addition to incident reporting timeframes, there have also been calls from both the Financial Services Council (FSC) and the Australian Banking Association (ABA) for Government to clarify the types of incidents that would be covered by sections 30BC and 30BD of the Bill, and to align them with the incidents covered by the term information security incident in CPS 234. Another suggestion aimed at reducing the burden on industry whilst maintaining the integrity of the regime, is that Government agencies share incident reports to avoid imposing duplicate reporting obligations under different regimes. For example, where information on serious cyber security incidents has already been reported to a government agency (such as reporting to APRA under CPS 234), other agencies should seek to obtain the information intra-governmentally.

It Does Not Mean What You Think it Means

As with other areas of industry, there has been much discussion in the Finance and Water sectors of the appropriateness of the definitions in the proposed legislation. The Water Services Sector Group (WSSG) summarised this issue, stating that the uncertainty created by the vague terminology of the Bill undermines industry’s capacity to assess potential compliance costs. This is particularly concerning given the provision for penalties for noncompliance. The consensus from industry indicates that the Government has some work to do to ensure that terms are clear, precise, and that sectors fully understand the activities and costs associated with compliance.

For example, the definition of direct interest holder is expected to capture financiers, including banks, according to the Australian Financial Markets Association (AFMA). This is because banks may have a security position in assets that fall within the scope of the Bill, which means they would be subject to both the reporting requirements with respect to the Register of Critical Infrastructure, and the civil penalties for non-compliance. As a result, the Australian Financial Markets Association (AFMA) has suggested that banks and other lenders should be excluded from the definition of direct interest holder.

The Australian Institute of Superannuation Trustees (AIST) has taken issue with the definition of a critical superannuation asset, which is intended to capture funds with Funds Under Management (FUM) of $20 billion or more. However, the AIST notes that a fund’s FUM can increase or decrease over time, where a fund may have FUM of $19 billion in one year and experience an increase the following year, putting the fund over the $20 billion threshold.

The Australian Banking Association (ABA) has emphasised that the Bill’s definition of business critical data is overly broad and there are fears that, as it stands, the definition will capture a significant proportion of an organisation’s supply chain. In their submission in response to the exposure draft of the Bill, the ABA have also sought clarification as to whether or not the definition of the Data Storage and Processing Sector is intended to capture banks or other organisations that may hold data or provide data storage as an adjunct part of its business.


The Writing on the Wall

The consultation phase of the Security Legislation Amendment (Critical Infrastructure) Bill has underscored the complex interconnections between industries and sectors. It has also revealed that there are a number of existing regulatory frameworks that need to be leveraged, or at least considered, if the amendments are to work as efficiently as possible.

It is unclear whether the Government will manage the differences between the Bill and existing regulatory regimes and standards through consultation and integration, or by imposing requirements regardless of existing benchmarks, overshadowed by the threat of penalties for non-compliance. Sectors have also raised a great deal of concern regarding the extent of the powers provided to Government and the lack of conventional rights of appeal and oversight. There has been no indication from Government that any amendment to rights of appeal is being considered.

Many submissions in response to the Bill’s draft from across the impacted sectors have commented on the adversarial tone of the legislation, indicating that it lacks the spirit of cooperative engagement that Government and Critical Infrastructure owners and operators have a strong history of. The feedback from industry is that the Government needs to ensure that terms are clear and precise, that sectors fully understand the activities and costs associated with compliance, and that existing frameworks should be accommodated by, and integrated into, the legislation.

If the Government is not able to achieve this, it may not only result in increased cost and regulatory burden, bureaucratic overlap, jurisdictional disputes, and unintentional non-compliance, but may also require the Government to use Step In powers to defend Critical Infrastructure whose security has suffered from these inefficiencies.

However, the Government also needs to balance the potential of that outcome with the increasingly frequent and sophisticated cyber threats levelled against Critical Infrastructure. A compromise has been suggested by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), recommending that the portions of the Bill that focus on Government assistance mechanisms and mandatory notification requirements should be passed with urgency, while the remaining aspects of the Bill should be introduced under a separate Bill following further consultation. It remains to be seen whether this recommendation will be implemented by Government or welcomed by industry.

Why OT cybersecurity should be a high priority

September 9, 2021Published by Jeffrey Eaton

Cyberattacks on operational equipment, processes, systems, and platforms continue to rise. Hackers are targeting operational technology (OT), resulting in disorder and sometimes destruction. Many operating environments are left vulnerable because of a lack of means to detect and respond to these cyber intrusions.

You’ve likely heard about the SolarWinds and Colonial Pipeline attacks, and there are many more examples added to the list of significant breaches every day. Coupled with legacy infrastructure and rapid digitisation in this space, a significant threat looms and it is only a matter of time before the impact of an OT cybersecurity breach proves disastrous.

Beyond accessing and exploiting data, OT attacks create a level of disruption not seen before. The consequences of an OT cybersecurity breach have far-reaching implications; when the bad guys target assets that are essential for a functioning economy and society, the stakes are raised significantly.

Traditionally, cybercriminals have set their sights on Information Technology (IT) to access data and information that can be stolen and used for their continued benefit. In addition to targeting data and information, OT focused cybercrime is also about gaining control of software or hardware that regulates physical systems and processes within critical infrastructure. Disruptions across platforms and systems that operate water and electricity plants, oil and gas plants, transportation systems, and mining equipment can and do affect communities, towns and cities.

What makes OT so vulnerable?

If it’s digitised, it’s a risk. Industry OT assets are evolving from legacy systems with outdated hardware and unpatched configurations to include new technologies that can leave gaps for hackers to leverage. Infrastructure sourced from multiple vendors without security considerations leaves open vulnerabilities that are notoriously hard to protect.

The complexity of OT network assets means organisations frequently struggle to gain visibility of their operations, making it even harder to detect an intrusion. IT updates and vulnerability patching can be done on the fly; this isn’t the case for OT assets, which have longer lifecycles and less flexibility than IT assets, creating security holes and increasing exposure to threats.

In the event of an IT breach, software can be turned off or isolated, but it’s not that simple to flick the switch on a critical service when availability is essential. For the organisations that provide these services, the risk of losing customers due to a breach might be high, but the cost of damage to reputation and equipment can be far more destructive to the business.

Overcoming the OT cybersecurity challenges

Proactive awareness and education are key. OT asset operators should be made aware that cybersecurity threats and risks need to be mitigated in the same way as occupational health and safety issues. In many ways, the risk of an OT breach is an occupational health and safety issue, as an attack could result in injury or even death. Placing cybersecurity on the list of formal training and education topics for employees will help engrain knowledge and understanding. Cyberattacks on OT environments frequently begin with Social Engineering, such as Phishing emails. So the importance of cybersecurity education in helping to mitigate and reduce the impact of a digitised operational control systems breach cannot be understated.

Improving collaboration between OT/IT environments

While OT/IT environments are different, they are increasingly interconnected and need to work together. Aligning security standards, processes, policies, and even teams across IT/OT serves as a more robust approach in responding to threats. Creating and sharing best practices is one thing but putting them into practice is another. Providing teams with the right tools to practice proactive cybersecurity across both IT and OT will strengthen the resilience of organisations facing these threats.

Prevention is better than cure.

Organisations with OT/IT environments need to start by understanding their assets and associated risks. Putting in place multifactor authentication, multi-patching, malware blockers, detection software, and forensic tools will get the basics right. Following this with an OT threat and vulnerability management platform to stay ahead of evolving threats can further protect these assets from OT security threats, allowing intrusions to be immediately exposed. Coupled with an effective and appropriate OT/IT cybersecurity education program, organisations can achieve effective security that will help to prevent their essential infrastructure from significant breaches.

Not a Wake Up Call

September 4, 2021Published by Jeffrey Eaton
In 2021, calling a cyber attack a wake-up call is not only wrong, it is dangerous.

It’s true that we have seen some of the most serious cyber-attacks in history in the last 18 months.

In May this year, a state of emergency was announced across the east coast of the United States, with widespread fuel shortages and panic buying after its main fuel supply line, the Colonial Pipeline, was shut down by one of the largest cyber-attacks on oil infrastructure in the country’s history.

The same month, the information systems of the world’s largest meat processing company, JBS Foods, fell victim to cyber-attacks that shut down production around the world, including in Australia, putting thousands of jobs at risk.

Also in Australia, our corporate watchdog ASIC was struck by a cyber-attack in January which left credit license applications exposed. And last year, wool sales across the nation were cancelled after the IT system underpinning auctions and exports was hit by a cyber-attack.

According to first annual report of the Federal Government’s Cyber Security Industry Advisory Committee, released last week, the Australian Cyber Security Centre responded to 1786 cyber security incidents between 1 June 2020 and 31 May 2021. Many of these affecting essential services including electricity, water, education, banking and finance, health, communications and transport. There was a 400% increase in calls to the ACSC’s 24/7 cyber hotline in May 2021 compared to May 2020.

In June 2020, Prime Minister Scott Morrison announced all levels of the Australian government, critical infrastructure and the private sector were being targeted in cyber-attacks organised by a “state-based cyber actor”.

Around the world, critical infrastructure and services including water and electricity supplies, hospitals, and transport services, are regularly compromised by cyber criminals – and these attacks will become more common.

Researchers Cybersecurity Ventures expect global cybercrime costs to grow by 15 percent per year over the next five years, reaching $US 10.5 trillion per year by 2025, up from an already gob-smacking $US 6 trillion in 2021.

By the end of this year, it predicts the rate of ransomware attacks to reach one business every 11 seconds.

Yet awareness and preparedness among Australian businesses remains alarmingly low. Each time a serious cyber attack occurs, news headlines inevitably react with shock, describing it as a “wake-up call”.

“Hacking American beef: the relentless rise of ransomware – Cyber attack on JBS has been a wake-up call for governments and businesses to strengthen defences”

“Australian cyber attack not ‘sophisticated’ – just a wake-up call for businesses, experts say”

“The Colonial Pipeline attack should be a wake-up call for hardening our cyber defenses”

What more will it take for us to accept the threat of cyber attack is all pervasive and here to stay?

How many jobs or lives lost before we embed cybersecurity into our day-to-day operations in the same way we have incorporated other important concepts like occupational health and safety?

In particular, the danger to our critical infrastructure is very real. And we have known this for decades.

As far back as 1984, former US President Ronald Reagan directed his administration to create policies to protect the US Government’s information technology and systems after the science-fiction film ‘WarGames’ made him doubt his own government’s cyber security capabilities. After looking into his concerns, US generals confirmed the seriousness of the risk.

In recent years we’ve seen State and Federal governments commit millions to bolster Australia’s cyber security capabilities and strengthen relevant legislation. This is encouraging.

But we are vulnerable on countless fronts. It can’t just be left to the government of the day to determine Australia’s cyber security readiness.

What if criminals decided to hack into airline systems, rendering them incapable to receive crucial communications mid-air? What if they shut down the ABC’s emergency response system during bushfire season? All organisations – public and private – need to seriously consider their investment in defensive and comprehensive cyber security measures.

In December last year, the ACSC launched its ‘Act Now, Stay Secure’ campaign targeting the general population and small to medium enterprises. We understand the Federal Government is developing  a further campaign to raise awareness of cyber security, to be launched in 2021-22. For the sake of the Australian community, not just businesses, I hope the message gets through.

Cyber attacks are not new but the threats that accompany them are becoming increasingly dangerous. It is beyond time for us all to take responsibility for protecting our people, businesses and critical infrastructure.

With more than 20 years of experience in electronic warfare and cyber security, I have seen first hand the speed at which defensive technologies have grown and improved.

The technology is there – we just need to use it.

How to strengthen cybersecurity protections for critical infrastructure

August 18, 2021Published by Jeffrey Eaton

Immediately strengthen your cybersecurity protections through network assessments

If you really want to tackle cybersecurity threats, you need to understand, manage, control and mitigate the risks to your critical infrastructure. Senior leadership teams and the board are spending time defining the cybersecurity vision and plan but have fallen short of taking action. The time for talking is done. The bad guys will retain the upper hand if organisations don’t build now and remediate along the way.

Identifying and evaluating the external and internal risks for your OT assets.

You’ve got to know what cybersecurity risks you’re going to address and their degree of priority. A cybersecurity network assessment will investigate threats, vulnerabilities, impact and probability of occurrence. It’s designed to provide informed decision making and recommendations for patches and updates.

Evaluate the likely impact on areas such as data availability, integrity and confidentiality, as well as calculate the potential financial impact of suffering a cybersecurity breach. Measuring the cost of a cybersecurity hack includes financial loss from damage to equipment and hardware, as well as intangibles such as damage to brand and lost partner/supplier confidence.

The list of potential threats grows by the day, from hardware failures and interference to interception and impersonation, not forgetting the risk from natural disasters. Vulnerability identification is an essential part of the process, done through analysis, auditing, database referencing, testing and evaluation, and automated scanning platforms.

Questions to ask.

Ask yourself, what are your most critical infrastructure assets and what impact would a data breach or network exposure have on your operations? What business processes will be impacted? Would your organisation be able to function as expected?

Armed with this detail, you’ll be in a better position to customise your cybersecurity and protection controls aligned with your company’s degree of risk tolerance. Depending on the network assessment results, technical controls such as encryption, intrusion detection, multi-factor authentication, or even administration mechanisms could be customised to your environment.

Implement regular, ongoing assessments

 Network assessments should be a recurring event to give you ongoing posture reporting. Performing cybersecurity assessments regularly will provide you with a thorough understanding and adjust as new threats emerge. These insights will help identify and fix cybersecurity gaps, prevent breaches, select targeted solutions and controls to mitigate risks and prioritise assets according to value and level of risk. Ongoing assessments will also streamline cybersecurity efforts by eliminating unnecessary controls and help support any compliance measures.

You can also use the results from ongoing assessments to increase employee awareness of cybersecurity concerns. Data can inform and educate your teams on threats to your organisation, how likely to take place and how to mitigate them. Network assessments can improve the way your organisation communicates about cybersecurity, providing regular updates on possible breaches or a way to report on suspicious activity.

Click here to learn more about how Sapien Cyber network assessments can help you gain insight and protection immediately.

Critical Infrastructure #4

August 14, 2021Published by Jeffrey Eaton
Critical Infrastructure – Part 4

Author: Mel Griffiths

Cost and Duplication are Major Concerns from Industry

This time we are looking at the Energy and Higher Education sectors and the impact of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill). Despite assurances from Government, there are several key concerns that reoccur across almost all sectors impacted by the Bill, including the Energy and Higher Education sectors which we will be discussing in this post. Industry has been vocal in asserting that the Bill lacks detail in its legislative form, that Governance Rules cast too wide a net, that existing regulations already govern many areas that the Bill seeks to upraise, and that there is little understanding of the financial implications. Delivery of the Framework objectives without unintended impacts and business costs continues to be the one of the primary messages from all areas of industry and the Higher Education and Energy sectors are no different.

The Higher Education sector has provided a scathing assessment of the Bill and its relevance to the sector. Innovative Research Universities has gone as far as to request that universities be removed from the Bill entirely. Both Swinburne University and the Australian Technology Network of Universities (ATN) have argued that the Bill leaves too much to be developed within the rules, noting that the significant powers the Bill provides to Government are largely enacted by these rules which sit outside of the legislation. Universities Australia, the peak body for Australia’s 39 comprehensive universities, is concerned that the Bill leaves a range of very significant matters to the rules, with little guidance as to rule making and determination in the primary legislation. They have argued that the details of the legislation are more appropriately contained in the primary legislation. The Bill is seen as somewhat of a broadsword where a scalpel is required in order to mitigate the risk facing diverse industries. The Higher Education and Research sector has called for the government to further develop and refine the Bill in order to produce a statute that is more nuanced and detailed in its application, and also to consider individual level of institution risk.

The Energy sector has also called on the government for further development of details, particularly regarding the proposed intervention powers. The proposed powers would essentially allow Government to shut down, change, analyse, remove or control infrastructure and its component parts. Essential Energy has requested more clarity be provided on the circumstances under which enhanced obligations for systems of national significance would be enforced, given that operators will not be obligated to comply, but “may be required to do so from time to time”, following written notice from the Secretary of Home Affairs. Santos has likewise expressed the need for further detail as to the circumstances in which investigatory powers will be used, the potential operational impacts, and any potential consequences and penalties associated with the use of these powers.

But Aren’t We Already Doing That?

The risk of regulatory duplication within and across sectors has been identified as an issue by almost every sector. Deakin University has indicated that the Higher Education sector is already subject to significant scrutiny by the Commonwealth and sees the new measures as an unfair regulatory burden, adding to already existing compliance regimes. Many stakeholders in the Higher Education and Research sector have advised that they already have standard risk process in place through business impact analysis and disaster recovery planning. As a result, Murdoch University has questioned why universities need to be included in the Bill at all, arguing that there are already numerous existing agencies and legislation that appropriately manage the risks faced by the sector. These concerns about duplication and regulatory over-burden have been echoed by such Energy sector organisations as Ausgrid, the largest distributor of electricity on Australia’s east coast.

Like many organisations, Ausgrid are worried about the potential overlap in accountability between state and federal requirements. Essential Energy, which distributes electricity across 95 per cent of New South Wales (NSW) and parts of southern Queensland, have highlighted that they are already subject to a number of critical infrastructure obligations through conditions that were added to their Distributor’s Licence in 2019. Likewise, the National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA), the Australian Government offshore energy regulator, is of the view that oversight of offshore facility cyber security threats falls under the existing Maritime Transport and Offshore Facilities Security Act 2003 and its associated regulations. There are fears that this duplication and overlap of legislation will trickle down to the day-to-day processes of Cyber Risk Management. Ampol and Shell believe that the potential duplication of existing regulatory systems and processes will lead to duplication in the risk/hazard identification, mitigation, and assurance processes. Some have even argued that the application of irrelevant and duplicative legislation actually elevates the risk to the sector by diverting resources into “rechecking every corner and ticking boxes instead of watching the gate”.

While many sectors have pointed to these areas of legislative overlap, some have argued for the appropriation of them to achieve the Bills aims, rather than apply a potentially cumbersome and expensive duplicative approach. AMEO have asserted that any changes to enhance the Commonwealth critical infrastructure regime will be most effective if they operate alongside the existing State-based legal frameworks for the energy sector. As with many other sectors, the Energy and Higher Education and Research sectors feel that if additional regulatory impositions are inevitable, more needs to be done in regard to increasing clarity around obligations and processes and reducing any regulatory burden and cost. In order to facilitate this, many organisations have set forward their expectations of the framework.

If a Job’s Worth Doing…

Ampol has been clear in their expectation that only the most significant of critical infrastructure assets will have a positive security obligation. There has been much comment from industry on this point, and many sector-specific cases highlighting the realities of what would and would not be captured under the Bill. Industry also expects more detail from Government on a range of areas that are currently characterised as vague and unhelpful in enabling organisations to plan for, and move forward with, preparations for compliance. For example, Santos, Australia’s biggest domestic gas supplier, have requested more detail on the current rules around the “on switch” for implementation of positive security obligations.

There is also concern from both the Higher Education and Energy sectors that timelines for compliance may be unrealistic or may not consider varying levels of organisational maturity. Ampol has argued for realistic compliance timelines to be provided for any new obligations, systems, or processes, while Universities Australia have requested that implementation timeframes are tailored to match the different maturity levels of the various sectors.

Many sectors are interested to know what the implications would be if blanket compliance timeframes were to be unrealistic or unachievable for a less mature organisation. Santos has noted that the civil penalties for failure to develop appropriate systems, monitor, and report, appear to be more punitive than the current legislation, and has asked for more details about Government’s approach and expectations in regard to timing for implementation.

That’s a little outside my budget

Concerns in the Energy Sector in regard to the regulatory impacts and associated costs of the new measures are being magnified by the impacts of the pandemic and negative fiscal outlooks. The Higher Education and Research sector has also called on the Government to quantify the likely additional compliance costs that the proposed changes will impose. Many operators in the Energy Sector want to ensure that costs of compliance are kept to a minimum and are concerned that a number of unknowns are making it difficult to prepare appropriately. This perception of regulatory imposition with an unknown price tag is fuelling calls for Government financial support. The Australian Institute of Petroleum (AIP) believes that if the Government has national security objectives associated with the Bill that go beyond current commercial imperatives, then government support should address any cost from these imperatives.

One of the key factors at the root of the associated costs is the lack of clear and appropriate definitions provided thus far, which most sectors have described as inadequate. Definitions frequently capture too many assets, or the wrong assets, while obligations are described as vague, and processes for the “switch on” of government intervention powers are shrouded in mystery. As Shell pointed out in their submission, without clear and agreed definitions of assets, it is impossible to assess whether the significant costs associated with the implementation of cyber security measures need to occur company-wide or only to specific assets and infrastructure.

We’re Not Critical, You Are

Definitional confusion and disagreements range from debate over which assets are critical to the nation, to confusion over what it means to be “using” an asset. For example, the University of Sydney has called for tightening the definition of a “critical infrastructure asset” owned and operated by a Higher Education provider, only to those whose compromise would truly represent a threat to the nation, while AEMO have pointed out that the terminology of an agent “using” an asset may unintentionally capture third-party systems.

Many organisations and peak bodies in both the Higher Education and Energy sectors have taken issue with the broad nature of the definitions in general, and of several specifically. The Australian Institute of Petroleum (AIP) noted that the broad nature of many asset definitions and thresholds  highlight the importance of identifying only truly critical infrastructure assets. Many areas of industry are attempting to provide feedback on these definitions in order to make them clearer and more usable. For example, the Clean Energy Council (CEC), peak body for the clean energy industry in Australia, has reiterated its position on the definition of ‘critical electricity asset’ after seeing no change based on their Consultation Paper feedback. The CEC has strongly reaffirmed that the proposed electricity generation capacity threshold is currently too low and should be increased from 30MW.

The Australian Energy Market Operator (AEMO), who manage electricity, gas systems and markets across Australia, have argued that the definition of “energy sector” in the Draft Bill should also include transmission as well as distribution and supply. AMEO have also proposed changes to the new definition of “critical energy market operator asset”, arguing that AMEO should be excluded from the definition to avoid duplication of critical infrastructure responsibilities existent in the Security of Critical Infrastructure Act 2018. The Group of Eight (Go8) also have taken issue with asset definitions, calling the proposed definition of a “critical education asset” a vague and ill-defined over-reach of the “intent and purview of the proposed reforms”. They have called for the definition to be made tighter and clearer. The definition of “significant impact” is another example which Ausgrid has raised as requiring more clarification in reference to security incidents. Shell Australia have argued that clearer definitions are required on critical cyber breaches and critical infrastructure asset data to assist asset owners in navigating reporting and sharing requirements.

What’s next?

Recounting the journey of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) thus far, we see that the initial consultation and amendments to the proposed legislative changes occurred just over one year ago in August and September 2020. Before the end of 2020, the Government had consulted for three weeks on an Exposure Draft of the Bill before introducing the Bill to Parliament on 10 December 2020. This was followed by the Parliamentary Joint Committee on Intelligence and Security commencing a review into the operation, effectiveness, and implications of the reforms. In March 2021, the Government began the co-design consultation phase for the development of the Governance Rules for the Risk Management Program aspect of the Positive Security Obligations introduced in the Bill. It is expected that the staggered co-design process will continue into 2022. In April 2021, the Government published the Draft Critical Infrastructure Asset Definition Rules and thresholds, welcoming further feedback. The remainder of 2021 and early 2022 will see the Government continue a staged sector by sector approach and work with industry to design the sector-specific requirements.

Cybersecurity Insurance: A Cautionary Tale.

August 2, 2021Published by Jeffrey Eaton

According to the latest statistics, a ransomware attack is likely to occur every 11 seconds, with catastrophic consequences for both organisations and broader society. With global cybercrime costs set to top US$10.5 trillion by 2025, cybersecurity insurance policies rising and reducing protection for ransomware attacks, what can organizations do to protect their systems, brand and bottom line when transference of risk and cost is no longer an option?

Ransomware attacks at the IT level are how cybercriminals gain access to locate your OT and go after your critical platforms and systems. All it takes for an employee to unknowingly click on a malicious or phishing link. During the San Francisco water supply attack, the hacker obtained the username and password of a former employee’s account. Within minutes, the bad guys have encrypted files and are holding them hostage. The fallout of such a breach can last weeks or months. Ireland’s health service ransomware attack in May continues to disrupt critical services for doctors, nurses and patients today.

If you’re hoping to call your insurance company in the scramble following a breach, think again. Historically this may have been a safe bet to ward off harm, but that’s now changing. Insurance providers have introduced more onerous requirements to get hold of a policy and premiums are much higher. Besides these challenges, if your organisation falls victim to a breach, regardless of whether you hold insurance or not, you’ll face more scrutiny from the government and regulators regarding the ‘Why’ and ‘How’ your OT was vulnerable.

On top of everything else, did you know that simply having a cybersecurity insurance policy could make you an easy target?

The cybersecurity insurance dilemma.

It’s little surprise that ransomware attacks on organizations with cybersecurity insurance are on the rise. Hackers are seeking out those organizations that hold a policy and identify their vulnerabilities within a few clicks. Insights from recent ransomware attacks show that organisations with cybersecurity insurance are viewed as prime targets because the cyber criminal is guaranteed a ransom payment. Being covered by an insurance premium that includes a guaranteed ransom value means the bad guys will almost certainly be financially rewarded for their efforts and will continue to do so, creating a perpetual spate of cybercrime.

Speak to any cybersecurity or cybercrime expert and you’ll get an explicit recommendation against paying a ransom, as this only encourages more of the same behaviour. As they say, you don’t negotiate with terrorists and the same goes here. Increasingly, nation-states and known international groups are behind the crimes and insurance companies are flagging such attacks as terrorism or acts of war – all of which are generally not covered by cybersecurity policies.

Relying on insurance to pay your way out of an attack might help financially, but what about reputational damage, loss of sensitive data, revenue loss and impact on customers? There’s no catch-all policy to manage the significant fall-out.

Underwriting ransomware just got tougher.

Anyone organisation looking for cybersecurity insurance will come up against increased examination by underwriters. You’ll need to comprehensively demonstrate what you’re currently doing to protect your OT. Are you regularly testing staff against phishing attacks? What education programs do you have with your employees, what types of security patches do you have in place and how long will it take to roll them out in the case of an attack? Reviewing these questions and more is a good place to start for any cybersecurity planning process. If you get these basics done right, you can protect your business and avoid hefty insurance premiums.

Mitigate the risks by preparing and planning.

What is clear is that you shouldn’t be choosing insurance over a cybersecurity planning, vulnerability management and prevention investment.

Attacks are preventable if you can secure your infrastructure. Protecting your OT infrastructure by ramping up protocols, practices and policies will safeguard you from a breach. This, coupled with top-down knowledge and awareness programs for employees on the threats posed by email attachment harm and phishing ploys, will provide an even more vigorous defence.

Smart City Risk

July 30, 2021Published by mikesITguys
Smart Cities

The rise of user-friendly ‘smart’ cities, where many services are automated, networked and online, has put Australian businesses at greater risk of cyber-attack.

To read more download our press release below.