Increased potential for cyber attacks | Urgent steps to mitigate risk

3 minute read  02.03.2022 Paul Kallenbach

In light of the rapidly evolving situation in the Ukraine, organisations – especially owners and operators of critical infrastructure assets – should be on alert for potential cyber attacks, particularly through the use of malware and ransomware.

Due to the increased risk of cyber attacks, the Cyber and Infrastructure Security Centre (CISC), acting under the instruction of the Department of Home Affairs, has made a strong recommendation to all owners and operators of critical infrastructure assets. It has asked them to voluntarily commence implementing the obligations proposed in the draft Risk Management Rules under the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) (SLACIP Bill), which is currently before Parliament.

Security of Critical Infrastructure laws

The security of critical infrastructure laws are being introduced in two tranches, and enact (or will enact) the following measures:

1. Amendments already introduced in the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth)

Asset register

If 'turned on' for a particular asset by Rules to be made by the Minister for Home Affairs (Rules), reporting entities must report ownership and operational information to CISC. They must report at the time of registration of the entity and keep CISC updated.

Incident reporting

If 'turned on' for a particular asset by Rules, responsible entities must notify the Australian Cyber Security Centre within 12 hours if there is significant impact on the availability of assets, and within 72 hours if there is relevant impact on the availability of assets.

Government assistance measures

Provided certain pre-requisite conditions are met, the Government will be empowered to issue information gathering and provision of support directions in response to a cyber security incident.

2. Amendments proposed to be introduced in the SLACIP Bill

Risk management program

Although the SLACIP Bill is not yet law, as indicated above, CISC has recommended affected organisations begin voluntarily complying with these requirements. Once enacted as law, if 'turned on' for a particular asset, responsible entities will be required to adopt and maintain a Risk Management Program, with annual compliance certification to CISC.

Enhanced security measures

If the SLACIP Bill is passed in its current form, enhanced security measures would apply to assets that are declared to be ‘systems of national significance’, where such measures are notified to a responsible entity. The measures that could be notified to responsible entities include obligations to:

  • prepare incident response plans;
  • conduct cyber security exercises;
  • conduct vulnerability assessments; and
  • provide systems and other information.

More information is available in our updates, First Security of Critical Infrastructure Bill is now live and SOCI Round 2 - Security of Critical Infrastructure regime update.

Responding to cyber security incidents

If your organisation has suffered a cyber incident or data breach, it's best not to panic. We recommend following these steps:

1. Contain the breach

2. Activate

  • contingency plans
  • incident response plan, including internal escalation pathways and external support (forensic, insurer, legal, PR)

3. Assess and mitigate/remediate

  • gather and retain evidence
  • protect legal professional privilege
  • comply with legal and contractual obligations (including ransomware payments)

4. Notify

  • regulators (OAIC, GDPR, APRA etc)
  • counterparties to contracts that require notification
  • affected individuals
  • communications strategy

5. Review

  • lessons learned
  • update plans and cyber strategy

Further assistance on dealing with or preparing for cyber security incidents

If you would like any assistance with preparing for, or responding to, a cyber incident, or further advice about your organisation's cyber-related regulatory obligations, please don't hesitate to contact our team.

Contact

Tags

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIwMDBlMjE1MS0zNzAzLTQ2ZDMtYjY1Yi04MjE4YjViZTU1YjIiLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTczOTgzNTA5MiwiZXhwIjoxNzM5ODM2MjkyLCJpYXQiOjE3Mzk4MzUwOTIsImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL2luY3JlYXNlZC1wb3RlbnRpYWwtZm9yLWN5YmVyLWF0dGFja3MtdXJnZW50LXN0ZXBzLXRvLW1pdGlnYXRlLXJpc2siLCJhdWQiOiJodHRwczovL3d3dy5taW50ZXJlbGxpc29uLmNvbS9hcnRpY2xlcy9pbmNyZWFzZWQtcG90ZW50aWFsLWZvci1jeWJlci1hdHRhY2tzLXVyZ2VudC1zdGVwcy10by1taXRpZ2F0ZS1yaXNrIn0.5P91DrPuVyxdHLDFt9d6kVJkACGL2fuBrq6rZvS-Qyo
https://www.minterellison.com/articles/increased-potential-for-cyber-attacks-urgent-steps-to-mitigate-risk

Point of View: insights into key issues and challenges facing business today.

In this series of interviews with MinterEllison partners we hear their perspective on key areas of interest to our clients and the business community.