CISC releases first Critical Infrastructure Annual Risk Review

23.11.2023 Vanessa Mellis, Paul Kallenbach, Kajal Buhagiar

The Federal Government's first Critical Infrastructure Annual Risk Review is live, highlighting key security risks in 2023 and those flagged for 2024.


Key takeouts

  • The Review focuses on the four key hazard vectors relevant to Australia's security of critical infrastructure legislation – cyber and information security hazards, personnel hazards, physical security and natural hazards, and supply chain hazards.
  • Critical infrastructure providers must adapt their existing risk practices and understand risks within the broader national security context. Given the extent of sector interdependencies in Australia, disruption has significant consequences for Australia's economy, security and sovereignty.
  • Risk levels are heightened with increased geopolitical tension. Providers need to focus on improving supply chain resilience and overcoming cyber risk fatigue, and must remain vigilant concerning foreign involvement (including increasingly sophisticated targeting of key personnel).

On 1 November 2023, the Department of Home Affairs released the Cyber and Infrastructure Security Centre's (CISC) first Critical Infrastructure Annual Risk Review.

The Review provides a summary of the potential security risks that Australia's critical infrastructure providers may face. It does so in light of the threat and hazard categories in the Security of Critical Infrastructure Act 2018 (SOCI Act) and the Rules for Critical Infrastructure Risk Management Programs (CIRMP), which we have previously outlined in our article SOCI Risk Management Program requirements now in effect.

Critical infrastructure providers must remain informed and alert as to the threat environment and must continually uplift their security practices to mitigate these risks.

We outline some of the key findings of the Review below.

Sector interdependency

Australia's critical infrastructure is highly interconnected. Sectors are interdependent and disruption in one can affect others. For instance, the water sector relies on the energy sector to provide electricity for water treatment plants, pumping stations and distribution networks. A disruption in the energy sector, such as a major power outage, could adversely impact the water sector's ability to supply clean water to homes, businesses and industries.

Critical infrastructure providers need to carefully consider these interdependencies and both cascading and compounding effects of an impact event. The outcomes of this analysis should be reflected in their CIRMP.

Cyber and information security

Convergence between operational technology, information technology and Internet of Things (IoT) devices is eroding the boundaries that once separated these environments, giving a cyber actor who compromises one of them a path to move laterally into critical infrastructure systems. Increasing digitalisation and the rapid adoption of new technologies can also introduce a range of vulnerabilities.

Critical infrastructure providers must invest in managing the cyber and information security risks that arise through their third party and managed service providers, their physical and digital supply chains, and their physical infrastructure.

Providers must also understand they are a high-interest target and that cyber actors will look for weaknesses in systems to obtain valuable insights into sovereign research and Australia's economic and technological capabilities.

Supply chain risk

Critical infrastructure providers are operating in an increasingly competitive international supply market. They have few contingencies to manage sustained shortages of critical components from suppliers, particularly foreign or single-source suppliers.

Supply chains are increasingly complex and are exposed to a broad range of disruptive geopolitical, environmental, social and economic events. Australia is vulnerable to foreign actors who may hinder its supply chain access, or exploit that access as a backdoor entry point into its critical infrastructure.

The failure or acquisition of, or foreign interference with, a vendor that holds critical intellectual property, original equipment or software could materially impact Australia's critical infrastructure.

It is important for critical infrastructure providers to understand where critical components and services come from, to appreciate that labour shortages and workforce issues may heighten risks, and to recognise that more and more vendors are likely to have access to the organisation's sensitive data.

Physical security

Foreign interference, espionage and terrorism may compromise the physical security of critical infrastructure. Communications infrastructure (including undersea cables and satellites) may be intentionally targeted. Disinformation may be spread to amplify disruption, including through protest activity. Remote access to operational technology, industrial control systems and IoT is a key area in which physical and cyber security risks must be managed together, since a remote pathway into a control system can produce a physical effect.

Personnel also need to be educated on contact reporting and security of personal and corporate devices, given their increased exposure, including through corporate travel, to foreign actors. There is recent evidence of business travellers being recruited to provide sensitive information.

The Review also recognises that foreign influence may creep into company boards, standards bodies and industry bodies, impacting relevant regulation and responses.

Natural hazards

Australia is likely to face more frequent and severe weather events in the future. Managing recovery from, and increasing resilience to, these events puts pressure on critical infrastructure systems.

Unpredictable climate change means that risk assessment and mitigation measures based on historic precedent may be insufficient. Continued climate changes may result in more concurrent or consecutive disasters. Extreme space weather events (e.g. geomagnetic storms or solar flares) may impact modern technology in ways we have yet to experience.

Global pandemics or material domestic outbreaks of disease can also alter what is needed from critical infrastructure services and overwhelm already stretched systems.

Personnel risks

A CIRMP must outline the systems used to manage critical workers' access and to minimise malicious or negligent employee or contractor activity. Appropriate measures for security clearances, background checks and education around information handling all need to be in place. Flexible and working from home arrangements can reduce the detectability of data leaks. Determining the level of insider threat is also acknowledged as challenging.

The Review highlights the rise in dark web job advertisements targeting disgruntled employees, along with the increased leaking of sensitive data through chat forum platforms, sometimes driven by an insider keen to show off access or to prove a point in a dispute. Critical infrastructure providers must therefore expand their vigilance over and management of employee online activity, and enhance measures for counteracting foreign influence.

Identifying the risks ahead

The Review identifies the following areas of risk potentially impacting Australia's critical infrastructure:

  • new technologies (such as generative AI) are being rapidly deployed (with history suggesting that society is faster to see benefits than downsides);
  • the persistence of supply chain disruption, increased costs, and extended wait times;
  • staff shortages across all critical infrastructure sectors are likely to worsen over the next 12-36 months, impacting regional areas most acutely;
  • more severe (drier) conditions, with increased pressure on water availability;
  • solar activity is likely to peak in 2024, requiring new consideration of the potential impacts of extreme space weather events; and
  • unabated cyber disruption with potential for even larger and more disruptive breaches.

Importantly, critical infrastructure providers must ensure cyber fatigue does not hinder security efforts – a risk that we discussed in our Perspectives on Cyber Risk 2023 Report.

The Review provides a timely update as critical infrastructure providers plan and uplift their security and risk mitigants. As a full service law firm with adjacent specialist Risk, Cyber and ICT consultancy services offerings, MinterEllison is well placed to support clients as they assess these important matters. Please contact us if you would like assistance in understanding your obligations and implementing safer practices under the security of critical infrastructure laws.


Postscript

Of further note, those in the telecommunications sector should be aware that the Government proposes to move the security regulation of the telecommunications sector from the Telecommunications Sector Security Reforms (TSSR) in the Telecommunications Act 1997 to the SOCI Act, and require a CIRMP. This is to better align obligations for critical infrastructure entities that span multiple sectors, reduce regulatory duplication and complexity, and provide scalable obligations for the telecommunications sector.

https://www.minterellison.com/articles/cisc-releases-first-critical-infrastructure-annual-risk-review