Every day, millions of Australians rely on power, water, banking and health services. It is hard to imagine life without any of these services, even for a single day, because of an attack or other disruption. Yet with cyber crime reported to have increased by 30,000% in 2020, the threats to these essential services are growing.

As such, the Australian government has proposed a new bill to protect critical infrastructure assets that are considered essential to the Australian way of life, our nation’s wealth and prosperity, and national security.

What is the Critical Infrastructure Bill 2020? 

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 builds on the regulatory regime in the existing Act by introducing a new framework designed to uplift the all-hazards security and resilience of critical infrastructure assets, and to give government greater visibility of cyber attacks against them.

Currently, the Security of Critical Infrastructure Act 2018 covers specific entities in the electricity, gas, water and ports sectors. The Bill expands the scope of the Act to cover critical infrastructure entities in a much wider range of sectors, including:

  • communications;
  • financial services and markets;
  • data storage or processing;
  • defence industry;
  • higher education and research;
  • energy;
  • food and grocery;
  • health care and medical;
  • space technology;
  • transport; and
  • water and sewerage.

The Bill has been, and continues to be, developed through extensive consultation with the industry owners of these critical assets. As most of Australia’s critical infrastructure is owned and operated by private industry or by state and territory governments, all parties need to work together to mitigate risks. From January 2021, Home Affairs will take a staged, sector-by-sector approach to co-designing the relevant requirements, with the aim of reducing regulatory burden and minimising duplication with existing regulatory frameworks.

What do the new changes mean for you?

Organisations in the sectors covered by the Act that have ultimate operational responsibility for a “critical infrastructure asset” are “responsible entities”. Depending on the asset and the sector it belongs to, a responsible entity may be required to meet obligations including:

  1. Adopting and maintaining a critical infrastructure risk management program, under which the responsible entity identifies, manages and mitigates risks using an all-hazards approach;
  2. Mandatory reporting of serious cyber security incidents to the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate; and
  3. In some circumstances, providing ownership and operational information to the Register of Critical Infrastructure Assets.

The Bill also introduces government assistance measures: where a serious cyber security incident affects a critical infrastructure asset and the responsible entity cannot respond effectively on its own, government assistance may be made available.

The health care and medical sector is a good example of why the Act has been extended to more sectors. The sector is already under strain from the pandemic, which makes it attractive to cyber criminals seeking ransom payments, looking to disrupt services for money or malice, or aiming to compromise or steal confidential data. In 2020 the Australian Cyber Security Centre (ACSC) received 166 cyber security incident reports relating to the health sector, almost double the number received in 2019. *

Within health care and medical, the “critical infrastructure asset” is a “critical hospital”: a hospital with a general intensive care unit. If the critical hospital is a public hospital, the responsible entity is the local hospital network that operates it. If it is a private hospital, the responsible entity is the entity that holds the licence, approval or authorisation under state or territory law to operate it.

What next and how we can help?

At this stage it’s unclear when the Critical Infrastructure Bill will be passed by Parliament. Those with a vested interest in a critical infrastructure sector should consider engaging with the Department of Home Affairs or their industry association to contribute to the co-design process of the Bill.

Cyber threats evolve rapidly, and many organisations lack an up-to-date view of the weaknesses in their networks, applications and systems. In these circumstances, the wisest first step is often a Vulnerability Assessment: the process of continually scanning your environment to determine which systems are affected by known weaknesses. Any system affected by such a weakness can be exploited in a targeted or large-scale attack.

Our team at Centorrino Technologies (CT) offers a Vulnerability Assessment service that includes the following:

  • Identifying weaknesses in network design or configuration.
  • Reviewing outdated security policies, insecure applications and platforms, application code flaws, and malware.
  • Thoroughly analysing all issues, eliminating false positives and focusing on real vulnerabilities.
  • Tracking every vulnerability from the initial scan through to remediation, so your infrastructure remains secure.

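To make the assessment loop described above concrete, here is an added example (not CT’s service tooling, and not part of the original article) of the core logic a vulnerability assessment performs: match a software inventory against a catalogue of known-vulnerable version ranges, suppress findings that have been verified as false positives, and carry each finding from scan to scan until it disappears and can be marked remediated. All hosts, products, versions and advisory identifiers below are constructed placeholders, not real advisories.

```python
"""Minimal vulnerability-assessment loop: version-range matching,
false-positive suppression, and scan-to-scan tracking of findings.
All inventory and catalogue data here is constructed for the example;
the EXAMPLE-xxxx identifiers are placeholders, not real advisory IDs."""
from dataclasses import dataclass, field


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); pads shorter strings so '2.4' == '2.4.0'.
    Comparing tuples avoids the classic string-compare bug where
    '13.10' sorts below '13.4'."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, fixed_in, introduced="0"):
    """A version is affected if introduced <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed_in)


# Constructed catalogue of known weaknesses (placeholder IDs, not real CVEs).
CATALOGUE = [
    {"id": "EXAMPLE-0001", "product": "webserver",
     "introduced": "2.4.0", "fixed_in": "2.4.50", "severity": "high"},
    {"id": "EXAMPLE-0002", "product": "dbserver",
     "introduced": "0", "fixed_in": "13.4", "severity": "medium"},
]


def scan(inventory, catalogue, suppressions=()):
    """Return {(host, vuln_id): info} for every affected installation.
    `suppressions` holds (host, vuln_id) pairs verified as false positives,
    e.g. a distribution package that backported the fix without bumping
    the version string."""
    findings = {}
    for host, product, version in inventory:
        for entry in catalogue:
            if entry["product"] != product:
                continue
            if not is_affected(version, entry["fixed_in"], entry["introduced"]):
                continue
            key = (host, entry["id"])
            if key in suppressions:
                continue
            findings[key] = {"version": version, "severity": entry["severity"]}
    return findings


@dataclass
class Tracker:
    """Carries findings across scans: a finding that stops appearing is
    marked remediated (and reopened if it ever comes back)."""
    status: dict = field(default_factory=dict)

    def update(self, scan_number, findings):
        for key, info in findings.items():
            record = self.status.setdefault(
                key, {"first_seen": scan_number, "state": "open", **info})
            record["last_seen"] = scan_number
            record["state"] = "open"
        for key, record in self.status.items():
            if key not in findings and record["state"] == "open":
                record["state"] = "remediated"
                record["closed_in"] = scan_number
        return self.status

    def open_findings(self):
        return sorted(k for k, r in self.status.items() if r["state"] == "open")


def demo():
    """Two constructed scans: web-01 is patched between them, db-01 is not,
    and db-02 is suppressed because the vendor confirmed a backported fix."""
    suppressions = {("db-02", "EXAMPLE-0002")}
    tracker = Tracker()
    scan1_inventory = [("web-01", "webserver", "2.4.49"),
                       ("web-02", "webserver", "2.4.51"),
                       ("db-01", "dbserver", "13.2"),
                       ("db-02", "dbserver", "13.2")]
    tracker.update(1, scan(scan1_inventory, CATALOGUE, suppressions))
    scan2_inventory = [("web-01", "webserver", "2.4.50"),  # patched
                       ("web-02", "webserver", "2.4.51"),
                       ("db-01", "dbserver", "13.2"),
                       ("db-02", "dbserver", "13.2")]
    tracker.update(2, scan(scan2_inventory, CATALOGUE, suppressions))
    return tracker


if __name__ == "__main__":
    for key, rec in sorted(demo().status.items()):
        print(key, rec)
```

The suppression list is where the “eliminating false positives” step lives: a version string alone cannot tell you whether a distribution backported a fix, so verified exceptions are recorded explicitly rather than silently dropped. The tracker gives the audit trail from first detection to remediation that a risk management program needs to evidence.
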
Increase your cyber security maturity level with CT

Our Managed Security Services offering takes an end-to-end approach to security. It is built on our maturity model, which borrows from the leading frameworks (the Australian Government Information Security Manual (ISM) and NIST), and provides continuous assessment across Cyber Principles, Technology Guidelines and Risk, combined with industry-leading security tools across your data, network and cloud environments. Our focus on building maturity, together with our expertise in proactive security, backup and recovery, and staff uplift, will help you strengthen your organisation’s security posture.

Visit our Cyber Security page to learn more about how we can supply you with the latest cyber security solutions.