Mission Critical: Takeaways from the Critical Infrastructure reforms

Author: Glyn Geoghegan, Security and Compliance, Devicie 

One of the most talked about security topics of late has been reform to Australia’s critical infrastructure (CI) legislation.

Changes to the Security Legislation Amendment (Critical Infrastructure Protection) Act are now well underway or awaiting Royal Assent, and form part of the Federal Government’s efforts to uplift Australia’s security defences.

There has understandably been a mixed reception, from concerns raised around the ambiguity of what constitutes a ‘critical infrastructure sector asset’, to fears over whether, and how, the government would go about installing monitoring or other software on CI systems. Others tout the reforms as the cost of doing business or welcome them as a step forward in bolstering security.

Regardless of what stance you take, one thing is certain: security threats, and the regulations that aim to keep us safe, are not going away anytime soon.

What might be useful is to reflect on the new regulations and what we can learn from them.

But first, a quick recap.

What’s changed?

In essence, the CI reforms increase the scope of what is classed as ‘critical infrastructure’ and increase obligations for those who own and operate the infrastructure.

Among the most significant CI regulatory changes are:

  • Increase in the number of sectors classed as ‘critical’ (11, up from four)
  • Additional government powers to respond to suspected or actual security incidents where they impact a CI asset
  • New obligations for mandatory reporting of security incidents
  • Creating and maintaining a CI risk management program
  • Increased cybersecurity obligations for ‘systems of national significance’.

Now for my takeaways.

No need to be critical

Recent security incidents have increasingly highlighted that protecting only what was once considered critical infrastructure is now insufficient to protect our daily lives.

Attacks – on the supply chain, end users, mobile devices and simply any digital compute – are having unpredictable and, in many cases, devastating effects throughout the infrastructure we rely on. This has been further amplified by logistical and behavioural challenges during the COVID-19 pandemic.

Critical infrastructure in the civilian world once focused on power, water, transport and other large-scale industry we rely on. It has become clear that scope had to widen (to toilet paper at least) in order to truly keep the lights on.

Organisations that are considered critical may still rely on organisations that are not deemed critical. So if you’re part of a supply chain, chances are you’re critical – regardless of regulatory definitions.

What’s the risk?

Ultimately these changes are about managing threat and risk, which is the essence of our game.

Aside from the escalation in malware, the increasingly distributed workforce coupled with heightened geo-political tensions has changed the threat landscape drastically. There has never been more opportunity for cybercrime, and the situation is likely only going to get more complicated (not for the better).

Previously air-gapped and protected critical assets are increasingly accessible from potentially insecure networks or devices. And as noted above, what constitutes ‘critical’ is no longer the power plant control network. It’s the tablet in the hands of the delivery driver, the kiosk at the airport (remember airports?), or the laptop of the employee working remotely (you see why this has piqued our interest at Devicie).

Change is coming, own the risk

As Gartner recently pointed out, cyber risk isn’t just security’s problem: it’s a business and organisational responsibility that needs to be led from the top.

For organisations to meet the new CI reforms, they’ll need to seriously uplift their risk maturity. This means ensuring IT risk is properly considered alongside others affecting the organisation, and having people who can focus on, and prioritise, the ability to anticipate, mitigate and respond to threats.

Not every organisation will be able to sustain (or recruit) a Chief Risk Officer or a Chief Information Security Officer, but all should be able to equip key people within their organisation with the wherewithal to think about technical risks and how they affect operations. Furthermore, those people need to have the ear of the Board.

Ah! That’s the pitch!

Critical infrastructure relies on connected devices. No one knows this more than the cyber criminal hungry for the lowest hanging fruit.

Attacks on CI have long since departed the realms of espionage and physical infiltration; since Stuxnet we’ve seen real-world examples of chained attacks from any weak point in the supply chain, and sadly the oft-sought angle is the end user and their devices.

Attacks on the logistics supply chain, health sector and other industries are rarely even targeted. A scattergun approach yields an entry point, and the organisation is fair game for the attackers to extort. It’s not only about data exfiltration or pivoting to gain access to control networks; it’s any and every avenue to monetise the breach (if arguably lucky) or destroy digital and physical assets (if particularly unlucky).

Consider the 2017 WannaCry ransomware attack. The attack used EternalBlue, a leaked NSA hacking tool, to target Windows machines that were yet to receive a critical security patch. The NHS wasn’t necessarily a specific target, but became a major victim, forcing thousands of appointments to be cancelled, and ambulances to be ramped or rerouted.

Perceived (or actual) ambiguity around the new definition of a ‘critical infrastructure sector asset’ is moot if the mechanism to disrupt the infrastructure starts on a user device.

The rise of remote working, remote access and control means devices are inherently critical and need to be secured to protect the infrastructure that underpins a functioning society.

There are many aspects to securing the organisation and its assets, regardless of whether it currently falls under the scope of critical infrastructure. The requirements and scope are likely to get wider and stronger rather than diminish, and the practices are good benchmarks for all. Again, the pandemic has made it very clear that roles and companies we didn’t consider critical were indeed pivotal to a functioning society.

Protecting organisations by protecting their people forms a key part of this equation (and yes, that’s where Devicie can help).
