Last year, Australia’s critical infrastructure was hit by a sophisticated cyber attack that infiltrated a range of sectors, including government, industry, political organizations, education, health, and essential services.
“We know it’s a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” Australian Prime Minister Scott Morrison said at a June press conference. “Regrettably, this activity is not new. But the frequency has been increasing.”
2020 saw multiple attacks against Australia’s critical infrastructure. Other malicious activity included a ransomware attack on steel manufacturer BlueScope that caused disruption to some of its operations.
In the months since, Australia has ramped up its cybersecurity efforts to better protect its critical infrastructure. In August, the Australian government released a new cybersecurity strategy backed by a $1.67 billion investment.
“The 2020 Strategy means that cyber security is a fundamental part of everyday life, so Australians can reap the benefits of the internet and the digital economy safely, and with confidence,” Prime Minister Morrison said in a press release. “The digital economy is the future of Australia’s economy…. We will protect our vital infrastructure and services from cyber attacks. We will support businesses to protect themselves so they can succeed in the digital economy.”
Part of Australia’s renewed cybersecurity efforts is the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The legislation, which was introduced in December, gives the Australian government the power to take direct action against cyber attacks and obtain information from critical infrastructure operators if the information is in the national interest.
“Millions of Australians use power, water, banking and health services on a daily basis and do not have to think about the supporting systems and infrastructure that deliver those essential services to our community and across the country,” , said at a hearing. “Imagine a day without power or water because the systems that reliably deliver these services to our homes and our businesses have been attacked or deliberately disrupted. A prolonged and widespread failure in the energy sector, for example, could have catastrophic and far-reaching consequences. Such an incident may lead to shortages or destruction of essential medical supplies; impact food, groceries, water supply and telecommunications networks; disrupt transport, traffic management systems and fuel; reduce or shut down banking, finance and retail services; and leave businesses and governments unable to function.”
The new legislation is designed to enhance the existing framework for managing risks relating to critical infrastructure by introducing additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements and mandatory cyber incident reporting. It also includes enhanced cybersecurity obligations for assets of national significance and government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks.
“Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation’s wealth and prosperity, and national security,” Dutton said. “While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune. Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on federal parliamentary networks, logistics, the medical sector and universities, just to mention a few. Internationally, we have seen cyberattacks on critical infrastructure, including water services and airports.”
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 adds sectors to the definition of critical infrastructure. These include banking, energy, finance, defense, communications, data, education, research, innovation, food, grocery, health, space, transport, water, and cloud technology.
“While owners and operators of critical infrastructure are best placed to deal with such threats, it takes a team effort to bring about positive change,” Dutton said. “That is why the ongoing security and resilience of critical infrastructure must be a shared responsibility, not only by all governments and the owners and operators of the infrastructure but indeed by all Australians. The cost of inaction is far too great to ignore. This bill signifies an enhanced effort to ensure the ongoing security and resilience of critical infrastructure and the essential services they provide for all Australians.”
After the legislation was introduced, the government welcomed input from community stakeholders. It received feedback from a number of industry organizations and associations, such as the Australian Petroleum Production and Exploration Association, the Australian Pipelines and Gas Association, the Australian Gas Infrastructure Group, the Australian Energy Council, and the Clean Energy Council.