12 August 2020

Critical Infrastructure

Just in case you had not heard the news, "The Government’s commitment to the continued prosperity of our economy and businesses is unwavering". 

It would be disquieting if we saw an official statement that the commitment was wavering or absent.

The ongoing commitment is highlighted in the Department of Home Affairs consultation paper on Protecting Critical Infrastructure and Systems of National Significance. It reflects the much-criticised Australia’s Cyber Security Strategy 2020 announced earlier this month. 

Unsurprisingly, the paper is attracting attention as muddled; less generous readers question whether criticisms will be taken on board, given the Department's history of consultation theatre and the Government's egregious disregard of university financial problems. 

The Department states 

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure. 
 
Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption that could result in cascading consequences across our economy, security and sovereignty. 
 
To ensure we continue to protect ourselves from such incidents, we are seeking your views on the details of Government’s agreed reforms ... a key initiative of Australia’s Cyber Security Strategy 2020. 

The consultation paper comments 

Who should read this paper? 
 
All Australians rely on critical infrastructure to deliver essential services that are crucial to our way of life, such as electricity, communications, transport and banking. As such, we encourage all Australians to take an active interest in ensuring that Australia’s approach to protecting critical infrastructure is fit for purpose for the modern age. 
 
From a critical infrastructure perspective, we are especially keen to hear from the following sectors, given their fundamental importance to our economy, security and sovereignty:
  • Banking and finance 
  • Communications 
  • Data and the Cloud 
  • Defence industry 
  • Education, research and innovation 
  • Energy 
  • Food and grocery 
  • Health 
  • Space 
  • Transport 
  • Water. 
 Overview 
 
The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure. Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption that could result in cascading consequences across our economy, security and sovereignty. 
 
A range of hazards have the potential to significantly compromise the supply of essential services across Australia; physical, personnel and cyber security are all increasingly interrelated. Recent incidents such as compromises of the Australian parliamentary network, university networks and key corporate entities, natural disasters and the impacts of COVID-19 illustrate that threats to the operation of Australia’s critical infrastructure entities continue to be significant. 
 
We must work together now to ensure Australia’s security practices, policies and laws bolster the security and resilience of our critical infrastructure and position us to act in any future emergency. We need a better shared understanding of the threats we face and how we can combat them. Together, owners and operators of critical infrastructure, academia and all levels of government must collectively take steps to protect Australians from an attack and other disruptions. 
 
Accordingly, Government will introduce an enhanced regulatory framework, building on existing requirements under the Security of Critical Infrastructure Act 2018 (the Act). This will include:
  • a positive security obligation for critical infrastructure entities, supported by sector-specific requirements; 
  • enhanced cyber security obligations for those entities most important to the nation; and 
  • Government assistance to entities in response to significant cyber attacks on Australian systems. 
 These changes will be underpinned by enhancements to Government’s existing education, communication and engagement activities, under a refreshed Critical Infrastructure Resilience Strategy. This will include a range of activities that will improve our collective understanding of risk within and across sectors. The Government’s commitment to the continued prosperity of our economy and businesses is unwavering. The impacts of recent events only reinforce the need for collaboration between and across critical infrastructure sectors and Government to protect our economy, security and sovereignty. 
 
At the same time, Government recognises the additional economic challenges facing many sectors and entities in the wake of the COVID-19 pandemic. The outcome we seek is clear - we want to work in partnership to develop proportionate requirements that strike a balance between uplifting security, and ensuring businesses remain viable and services remain sustainable, accessible and affordable. An uplift in security and resilience across critical infrastructure sectors will mean that all businesses will benefit from strengthened protections to the networks, systems and services we all depend on. 
 
We want to hear from you – owners and operators of critical infrastructure, state and territory governments, academia and the Australian public – to contribute to the design of this framework to deliver a real and meaningful uplift to critical infrastructure security and resilience, while minimising economic impact. 
 
Where we are now 
 
The interconnected nature of our critical infrastructure means that compromise in one essential function can have a domino effect that degrades or disrupts others. 
 
The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life, causing: 
  • shortages or destruction of essential medical supplies; 
  • instability in the supply of food and groceries; 
  • impacts to water supply and sanitation; 
  • impacts to telecommunications networks that are dependent on electricity; 
  • the inability of Australians to communicate easily with family and loved ones; 
  • disruptions to transport, traffic management systems and fuel; 
  • reduced services or shutdown of the banking, finance and retail sectors; and 
  • the inability for businesses and governments to function.  
At its most extreme, such catastrophic disruption could cause loss of life. Recent events, particularly COVID-19, have demonstrated how threats can have flow on effects across multiple sectors. A deliberate cyber attack could have farther-reaching, more rapid and less visible causes and effects. 
 
While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune: • Over the last two years, we have seen several cyber attacks in Australia that have targeted the Federal Parliamentary Network, airports and universities. • Malicious actors have taken advantage of the pressures COVID-19 has put on the health sector by launching cyber attacks on health organisations and medical research facilities. • Key supply chain businesses transporting groceries and medical supplies have also been targeted. 
 
While the Australian Government and industry continually work on responses to incidents impacting our critical infrastructure, there is scope to be more proactive and take preparatory activities to understand, mitigate and prevent threats. A cohesive partnership between the Government and industry, especially through sharing of technical expertise, is a desirable end state. Collective action now will place Australia in the best position to combat both foreseeable and emerging risks. The enhanced framework will meet this need, supported by proportionate sector- specific standards. 
 
What you have told us 
 
The Department of Home Affairs values its ongoing engagement with critical infrastructure entities. Mechanisms like the Trusted Information Sharing Network for Critical Infrastructure Resilience (TISN) are important forums for cross sector dialogue, facilitating ongoing feedback on the security environment facing us all. As outlined in the Cyber Security Strategy 2020, through consultation the Australian Government: • met with more than 1,400 people from across the country in face-to-face consultations, including workshops, roundtables and bilateral meetings; and • received 215 submissions in response to the Discussion Paper. 
 
Government heard that Australia’s critical systems are facing a worsening threat environment and the nation needs to address vulnerabilities in supply chain security, control systems and operational technology. This is consistent with advice from the national intelligence community and other sources. Timely and actionable information sharing was identified as a critical gap. We heard that Government’s role in addressing these threats and gaps should start by: • driving an uplift in resilience across sectors through regulation; • clarifying roles, responsibilities and expectations; and • using its unique capabilities to address serious cyber threats to Australia. 
 
We heard that Government also needs to explain how security risks are managed, how responsibilities are shared across the economy, and how Government and critical infrastructure entities can work together to protect Australia’s critical infrastructure from sophisticated threats. Consultations highlighted that the Australian public looks to both Government and critical infrastructure to secure the delivery of essential services. We need to collaborate and prepare ahead of time, so everyone knows what their role is and what they need to do in an emergency. To do this, Government and critical infrastructure entities need the right processes, authorisations and powers in place to respond rapidly and decisively. 
 
The framework set out in this Consultation Paper is put forward as a starting proposition to position all levels of government – Commonwealth, state, territory and local – and critical infrastructure to identify levels of entity criticality, appropriately minimise the likelihood and impact of significant incidents occurring, and to respond where necessary in the national interest. 
 
Where we need to be – an enhanced critical infrastructure framework 
 
Objective of the enhanced framework 
 
The primary objective of the proposed enhanced framework is to protect Australia’s critical infrastructure from all hazards, including the dynamic and potentially catastrophic cascading threats enabled by cyber attacks. The enhanced framework outlines a need for an uplift in security and resilience in all critical infrastructure sectors, combined with better identification and sharing of threats in order to make Australia’s critical infrastructure – whether industry or government owned and operated – more resilient and secure. This approach will prioritise acting ahead of an incident wherever possible. However, we recognise that one size does not fit all. We need to balance consistent objectives that provide a baseline of cyber, physical, personnel and supply chain protections across all sectors, with the reality that there are sector specific differences in human and financial resources, technology, threats, existing standards and maturity, to name a few. 
 
This is why the framework is proposed to be built around principles-based obligations that will sit in legislation, and underpinned by sector-specific guidance and advice, proportionate to the risks and circumstances faced by each sector. Furthermore, legislative requirements will remain proportionate and collaborative, while avoiding inconsistent application of regulations putting entities at a commercial disadvantage. To ensure these security outcomes, we recognise that uplift is required in all critical infrastructure sectors and that Government must be an exemplar. Accordingly, we will continue to work towards enhanced security for government and democratic institutions, and will work within the Commonwealth and with states and territories to identify the most appropriate mechanisms to ensure governments are held to the same standards as owners and operators of critical infrastructure. 
 
To respond to Australia’s evolving threat environment, we need to build a partnership that benefits all critical infrastructure, as well as the Australian public. It is not enough for owners and operators to uplift their resilience. Government should use its unique position and resources to share aggregated threat information, work with critical infrastructure entities of all levels of maturity to build their capability, and empower entities to appropriately protect themselves when faced with a serious threat. 
 
Features of the enhanced framework 
 
Government has agreed that the proposed enhanced framework will apply to an expanded set of critical infrastructure sectors, comprising of three key elements: 
 
1. Positive Security Obligation, including: a. set and enforced baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk. 
 
2. Enhanced cyber security obligations that establish: a. the ability for Government to request information to contribute to a near real-time national threat picture; b. owner and operator participation in preparatory activities with Government; and c. the co-development of a scenario based ‘playbook’ that sets out response arrangements. 
 
3. Government assistance for entities that are the target or victim of a cyber attack, through the establishment of a Government capability and authorities to disrupt and respond to threats in an emergency.

These three initiatives will be underpinned by an enhanced Government-industry partnership across all hazards that, among other measures, will focus on:

  • reinvigorating and expanding existing engagement platforms and strategies; 

  • improving coordination across government to provide appropriately classified whole-of- government threat assessments and briefings to entities; 

  • co-designing best practice guidance with critical infrastructure entities, state, territory and Australian Government partners and regulators, as well as international partners; and 

  • delivering a comprehensive, multi-year program of workshops, exercises, information sharing sessions and assessments to complement and inform sector and sub-sector based assessments.

We recognise that there will be a regulatory impost in delivering these reforms. We will work with critical infrastructure entities to ensure that these reforms are developed and implemented in a manner that secures appropriate outcomes without imposing unnecessary or disproportionate regulatory burden, in accordance with guidance from the Department of the Prime Minister and Cabinet’s Office of Best Practice Regulation. ... 
 
Principles-based outcomes 
 
We want to work with critical infrastructure entities to clearly define the high level, sector- agnostic principles that will form the basis for the PSO. We consider that at a minimum, owners and operators of critical infrastructure should be legally obliged to manage risks that may impact business continuity and Australia’s economy, security and sovereignty, by meeting the following PSO principles-based outcomes. 
 
1. Identify and understand risks 
 
Entities will have a responsibility to take an all-hazards approach when identifying and understanding risks. This will consider both natural and human induced hazards. This may include understanding how these risks might accumulate throughout the supply chain, understanding the way systems are interacting, and outlining which of these risks may have a significant consequence to core service provision. 
 
2. Mitigate risks to prevent incidents 
 
Entities will be required to have appropriate risk mitigations in place to manage identified risks applicable to their sector. Risk mitigation should consider both proactive risk management as well as having processes in place: to detect and respond to threats as they are being realised; and plan for disasters and have a way to lessen the negative impact were it to actually occur. The regulated entity will be responsible for engaging with the regulator to ensure that identified risks and proposed mitigations are proportionate to the risks, while also considering the business, societal and economic impacts. 
 
3. Minimise the impact of realised incidents 
 
Entities will be required to have robust procedures in place to recover as quickly as possible in the event a threat has been realised. This may include ensuring plans are in place for a variety of incidents, such as having back-ups of key systems, adequate stock on hand (such as medicines), redundancies for key inputs, out-of-hours processes and procedures, and the ability to communicate with affected customers. 
 
4. Effective governance 
 
Entities will be required to have appropriate risk management oversight and responsibilities in place, including evaluation and testing. This will involve strong governance with clear lines of accountability, demonstrated comprehensive planning, and a robust assurance and review process in place that is proportionate to the identified risks. Compliance will be assessed by the relevant regulator noting that what is appropriate may be unique to each entity. Regulators will focus on outcomes and seek to avoid compliance burden. 
 
Security Obligations 
 
We consider that the new framework should clearly set out in legislation the high-level security obligations that critical infrastructure entities should meet. At a minimum, we consider these to be: 
 
Physical security 
 
Critical infrastructure entities will be required to protect their systems and networks by considering and mitigating natural, and human induced threats. This may include:
  • Implementing proportionate physical security measures that lessen the risk of harm to people, information and physical asset resources being made unlawfully inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation. 
  • Integrating protective security into the process of planning, selecting, designing and modifying facilities for the protection of people, information and physical assets. 
  • Securing physical spaces where sensitive information and assets are used, transmitted, stored or discussed. 
Cyber security 
 
Critical infrastructure entities will protect their systems and information from cyber threats. This may include:
  • Identifying and assessing sensitive information and implementing proportionate controls. 
  • Understanding access to an entity’s sensitive information, with need to know principles applied. 
  • Endeavouring to safeguard information from common and emerging cyber threats and adhering to best practice guidelines. 
  • Implementing robust security measures during all stages of ICT systems development. 
  • Aiming to ensure systems and personnel can detect, understand and respond to cyber security incidents.  
Personnel security 
 
Critical infrastructure entities will implement policies and procedures which seek to mitigate the risk of employees (insider threats) exploiting their legitimate access to an organisation’s assets for unauthorised purposes. This may include:
  • Ensuring only suitable employees and contractors access the entity’s resources and are aware of, and meet, appropriate standards of conduct. 
  • Assessing and managing the ongoing suitability of its personnel to access resources throughout their engagement. 
  • Promoting a positive and collaborative security culture of continual improvement and engagement across sectors, ensuring lessons learnt are shared. 
Supply chain security 
 
Critical infrastructure entities will protect their operations by understanding supply chain risk. Supply chains can be compromised or disrupted from a variety of natural or man-made activities.