Analysis: critical infrastructure vulnerable to cyber-attacks
In this Covid-19 world, the Department of Home Affairs has upped the ante on cyber-security planning while canvassing feedback about ways to protect critical infrastructure and systems of national significance.
The department is expanding the definition of critical infrastructure into sectors like banking and finance, communications, data and the cloud, defence, education, energy, food, health, space, transport, and water.
The Department’s latest consultation paper says critical infrastructure is increasingly interconnected and interdependent. This connectivity exposes infrastructure to new vulnerabilities, especially as people work from home, or businesses access information in a remote setting.
Cyber resilience and protecting critical infrastructure also come under the spotlight at Akolade’s Virtual Cyber-Resilience & Security Summit, being held 24-26 November. The agenda features 25+ cyber-security experts, drawn from government, industry, and higher education.
Expanding the scope of critical infrastructure
More broadly, cyber-attacks are increasingly in the headlines, including those involving state-sponsored intrusions or malicious actors. “These can deliberately or inadvertently cause disruption that could result in cascading consequences across our economy, security, and sovereignty,” warns the Department.
Among the concerns is that cyber-attacks could compromise the supply of essential services. Earlier high-profile incidents have compromised the Australian parliamentary network, university networks, and key corporate entities.
“Together, owners and operators of critical infrastructure, academia and all levels of government must collectively take steps to protect Australians from an attack and other disruptions,” the Department observes.
In a future scenario, a prolonged or widespread failure in, for example, the energy sector would be catastrophic to the economy, security, and sovereignty. Any fall-out would also impact medical supplies, the food or grocery supply chain, water supply and sanitation, or mission-critical telecommunications networks.
Building the “Security Uplift” action plan
Alongside the Home Affairs consultation, the Australian Government is focusing on a “Security Uplift” program to ensure that infrastructure and critical assets remain resilient against future attacks.
The Department of Home Affairs’ consultation will continue throughout 2020 – with a more detailed “Sector-specific co-design” slated in the New Year.
Earlier, Home Affairs Minister Peter Dutton said the evolving threat landscape posed additional and ongoing risks to Australia’s networks, systems, and capabilities.
He said it was vital for all stakeholders to protect the essential services. “We cannot be complacent. Owners and operators of critical infrastructure are facing evolving threats including increasing cyberattacks.”
Taking shared responsibility
Any attack on critical infrastructure impacted the broader economy, security, and sovereignty, Dutton said. “Security is a shared responsibility. Businesses and all levels of government have a role to play and we are committed to building on this partnership.”
Additionally, proposed national security laws will grant federal government agencies the power to “take direct action” against cyber-attacks and seek information from the critical infrastructure entities where this information is deemed to be in the “national interest.”
The broad definition of critical infrastructure under the Security of Critical Infrastructure Act 2018 currently places regulatory obligations on specific entities in the electricity, gas, water, and maritime ports sectors.
The future scope incorporates sectors such as banking, finance, communications, data and the cloud, defence industry, education, research, innovation, energy, food, grocery, health, space, transport, and water.
These entities are categorised as either a “critical infrastructure asset”, a “regulated critical infrastructure asset”, or “systems of national significance”.
The Government has canvassed developing a national alert system for cyber-attacks that is similar to the current National Terrorism Threat Advisory System for emergencies.
The National Terrorism Threat Level works on a scale of five: certain, expected, probable, possible, and not expected. This colour-coded system informs citizens about the level of a terrorist threat, national alerts, and the more immediate preparation and planning during an emergency.