by Richard Bergman, Partner, EY Oceania Cybersecurity, and Clement Soh, Associate Partner, EY Oceania Cybersecurity
Every year, organisations are spending more and more money on their security defences. But every year, we see the frequency and severity of cyber attacks against Australia continue to increase.
The upcoming regulatory changes to the Security of Critical Infrastructure Act will set a higher baseline standard for organisations across the sectors now deemed critical infrastructure.
These changes are in response to the increasing threat landscape and acknowledgement that the security baseline across our critical infrastructure is insufficient to protect Australia from the risk of a significant attack or outage.
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), receives a report of a cybercrime attack every eight minutes. That equated to 67,500 cybercrime attacks reported between 1 July 2020 and 30 June 2021. Of concern was that around 25 per cent of these attacks were targeting critical infrastructure.
Further to this, ASD has estimated that a significant attack on our critical infrastructure could cost the Australian economy up to $33 billion and wipe out 160,000 jobs. The top five sectors targeted across Australia were Federal Government, State and Territory Governments, Health, Education, and Professional and Technical Services.
The three most significant challenges that utilities are struggling with are:
1. Skills shortage – the ability to attract, develop and retain cyber security, technology and risk talent in an already competitive skills market
2. Cost of compliance versus risk-based approach – clarity and confidence to define the ‘statement of applicability’ when adopting legislative and compliance obligations. According to the EY Global Information Security Survey (GISS) 2021, 55 per cent of power and utility respondents agree that regulations will become more fragmented and time-consuming to manage in the next few years
3. An appropriate level of investment and prioritisation – to have visibility of risk across the converged OT and IT environments
We predict the frequency and severity of cyber attacks to continue to increase based on these three leading indicators:
1. EY’s Global Information Security Survey identified that 81 per cent of organisations side-stepped their existing cyber security controls and processes
2. Existing maturity across the eleven industry sectors remains low, and most sectors have under-invested in their ability to prevent, detect and respond to a cyber attack
3. Ransomware attacks will continue to increase. Cyber criminals have shifted towards disrupting critical infrastructure, which increases both the pressure to pay and the likelihood of payment of hefty ransoms greater than $2 million
The draft Security Legislation Amendment (Critical Infrastructure) Bill released in December 2020 expanded the definition of critical infrastructure to broaden the sectors covered by the Act.
There will be eleven critical infrastructure sectors that will be subject to government assistance and may have designated critical infrastructure assets. They include:
2. Financial services and markets
3. Data storage and processing
4. Defence industry
5. Higher education and research
7. Food and grocery
8. Health care and medical
9. Space technology
11. Water and sewerage
Concerns raised by the utility industry
There has been widespread concern from the industry regarding the cost of compliance and the Government’s reach with step-in powers in the event of a cyber attack.
The Bill includes several obligations, including complying with a critical infrastructure risk management program, mandatory reporting of cybersecurity incidents to the Government, and for assets of national significance, to work with the Australian Signals Directorate to conduct cybersecurity exercises.
The Parliamentary Joint Committee on Intelligence and Security (the Joint Committee) has been considering the proposed amendments to the Act. The Joint Committee has tabled an advisory report with 14 recommendations, which include splitting the Draft Bill into two amended Bills.
Bill One will facilitate the implementation of the government assistance measures to address the increasing threats to Australia’s critical infrastructure.
At the same time, the industry consultation will continue to seek consensus on the less urgent elements to be addressed in Bill Two. The Joint Committee expressed significant concern that it may not be possible to reach industry consensus whilst acknowledging the concerns of industry with the burden of regulatory duplication and the unquantifiable regulatory costs.
The Joint Committee recommends that the government assistance measures outlined in Part 3A be included in Bill One. Bill One will include the ability for the Australian Signals Directorate to step in and effectively take control of an organisation’s response to significant cyber attacks. This is one of the biggest concerns raised by industry.
Recommendations for your utility
The Joint Committee is eager to see Bill One pass before the end of the Parliamentary sitting calendar in 2021. All other proposed amendments, including risk management programs and declarations of systems of national significance, are recommended to be passed in Bill Two, following further consultation with industry on these positive security obligations.
At this stage, it is too early to tell where Bill Two will end up. The expectations across industry are that the minimum expected security baselines and compliance burden would be reduced for most utilities.
While debate on the legislation continues across industries, many organisations need to acknowledge that their overall cybersecurity maturity is too low for the increasing risk of a cyber attack. Organisations cannot wait for the proposed bills to pass. We recommend that they:
• Prepare for Bill One and the government assistance measures to commence, including uplifts to cybersecurity incident response and recovery playbooks and procedures, and to notification provisions
• Participate in the industry consultation process to shape the rules and positive security obligations, balancing the cost of compliance against a risk-based approach aligned to the organisation’s enterprise risk appetite for material risks and catastrophic failures
• Adopt an all-hazards approach to managing security risk, so that converged security risk and resilience are managed across critical assets
• Improve supply chain resilience and collaboration, working across supply chains to mitigate upstream and downstream risks as reliance on complex digital ecosystems grows