The business industry at large has been discussing (ad nauseam) the requirements and effects of Australia’s Notifiable Data Breaches scheme, the General Data Protection Regulation (GDPR), and the proposed Assistance and Access Bill in recent months. But the implications of another, less talked about new law introduced by the Australian government have largely flown under the radar: the Security of Critical Infrastructure Act.
Applying to 160 operators of essential services, such as electricity, water, gas and ports, the new law came into effect on 11 July 2018. It is intended to improve national security defences by safeguarding Australia’s critical infrastructure assets against espionage, sabotage and coercion from foreign actors.
The legislation focuses on risk management and incident reporting obligations, including:
- Operators are required to detail who owns and controls their IT assets, and who has access to their networks, industrial control systems, data holdings, security systems, and corporate systems
- The relevant federal minister has power to direct critical infrastructure operators to “do or not to do a certain thing” in order to reduce risk to national security
- The government can request information such as procurement plans, contracts, and tender documentation in order to mitigate “a risk that is prejudicial to security”
While the Act is currently only applicable to 160 identified critical infrastructure operators, the definition of a critical asset is fairly broad. Under the Act, the relevant federal minister has the power to declare an asset critical infrastructure if it’s deemed to affect the social or economic stability of Australia or the defence and national security of Australia.
As such, one might imagine that our concept of “critical infrastructure” could be expanded to include a range of other “essential services” including transport, banking, healthcare, aviation, manufacturing, and even government social media accounts.
The Security of Critical Infrastructure Act hasn’t benefited from the same spotlight as mandatory breach reporting and the proposed encryption laws because it is more refined in scope and doesn’t apply to or affect all Australian businesses. As it relates to national security, the legislation is intentionally vague, and the register of critical infrastructure assets is a tightly held secret.
Even though it hasn’t been as widely discussed, the Security of Critical Infrastructure Act will have a significant impact on cybersecurity practices and policies, and should be reviewed by any company that could be deemed to provide an essential service, or that is a third-party supplier or contractor to a critical infrastructure organisation.
How the Security of Critical Infrastructure Act puts the security focus on response strategies
The Security of Critical Infrastructure Act will have the greatest impact in industries that historically haven’t been regulated as heavily as, for example, banking and insurance. Industries such as energy and utilities will now have to address their cyber risk exposure directly, instead of simply maintaining compliance with cybersecurity standards.
In order to better manage risk, organisations will need to adopt a more proactive approach to security, in which they adopt the mindset of external attackers, investigate the extent of their security vulnerabilities and brainstorm what attackers might do when they infiltrate a company’s networks. This is where the Security of Critical Infrastructure Act is key, as it forces organisations to consider how they could be compromised and what they would do to contain such an event.
Protecting access to critical data
When reviewing the documentation concerning the Act, the term that continues to crop up is access. The Australian government is particularly concerned about any foreign influence or connections to offshore entities that might have access that could compromise the provision of essential services to the Australian public.
As critical infrastructure providers around Australia align their security strategies with the Act, they must prioritise the security and management of privileged access when they consider how to protect their networks and information systems.
Unsecured secrets, privileged accounts and their associated credentials can be exploited by an attacker or malicious insider to seize control of a network or disable critical services and systems upon which Australian citizens and businesses rely.
Placing controls on privileged users – both humans and machines – is a crucial step in reducing the risk of a security event that impacts critical services. There are various tactics which can help in this process: introducing the principle of least privilege, enforcing multi-factor authentication and segregation of duties (SoD), and locking down privileged access pathways.
Taking it one step further, the application of threat detection and analytics on privilege-related activity can also help prevent attackers from comfortably navigating the network, performing their own reconnaissance and gaining access to domain controllers, where they can harvest the accounts and credentials that provide privileged access.
Risk Management and Incident Reporting
The strange thing about the Security of Critical Infrastructure Act is that there is no starting obligation for service providers to be secure, but there is an obligation to manage risk and report certain things that may create a vulnerability.
There is also no obligation to seek permission, rather there is an obligation to report a change after the fact. This means that arrangements may need to be unwound, or that something may have a tangible impact on national security before it is reviewed by the Department of Home Affairs.
To avoid having to wind back changes, critical infrastructure operators will need to put technical and organisational measures in place to better manage risk and ensure the level of security on the networks used to deliver services is appropriate.
Nefarious characters and nation-state actors continue to find ways to compromise critical infrastructure and gain access to top tier resources. Managing and preventing this risk starts with protecting access to an organisation’s IT environment.
Organisations must improve their access policies and management of risk to meet the requirements of the Security of Critical Infrastructure Act, without looking at it as another compliance exercise. They must start thinking like an attacker – envisage how company networks can be infiltrated, and what attackers are likely to do once they’re in.