Last month the Australian National Audit Office slammed the Department of Home Affairs' enforcement of the critical infrastructure bill as only “partly effective”, and made the following findings:
The Auditor General found that Home Affairs’ enforcement of the bill:
- Did not reflect existing compliance requirements
- Provided limited support to other critical infrastructure regulators
- Only finalised 32 percent of its critical infrastructure-related policy and procedural compliance documents
- Failed to align 28 of its 36 measures of control effectiveness with reporting and rating requirements for enterprise-level risks to critical infrastructure
- Lacked approved procedures, systems controls and a risk‐based decision framework for achieving compliance outcomes
What is the Critical Infrastructure Bill?
In November last year, the first tranche of the two-part bill passed, giving 13 sectors, such as transport, sewerage and data storage, strict obligations such as reporting security incidents to Home Affairs within 12 hours.
The Bill also granted the Australian Signals Directorate far-reaching intervention powers, such as installing software that reports system information back to the agency if a threat or attack on the organisation passes relevant thresholds.
The second tranche of the bill was given royal assent this April, requiring critical infrastructure operators to have industry-designed risk management programs, which, where possible, build on existing regulatory frameworks.
CRN reached out to managed security services providers Cytrack Intelligence Systems, Sekuro and StickmanCyber to reflect on the watchdog’s review:

Cytrack Intelligence managing director Nick Milan said that “what's apparent from this report is that Home Affairs' enforcement of critical infrastructure protection is deficient, and that appears to be an issue with governance from the top.”
“The audit picked up that 77 percent of measures of control effectiveness indicators did not align with enterprise-level critical infrastructure risk reporting, and 68 percent of policy and procedural documents to support critical infrastructure-related compliance activities were not finalised and approved.”
“Certain fundamental aspects of the governance framework appear to not be in place, including risk assessments and reporting, and critical information flows to the policy and regulation functions on performance statements, regulatory performance assessment, and use of internal measures.”
“The report is a result of the significant expansion developed by Home Affairs for Australia's critical infrastructure protection laws…The new laws protecting critical infrastructure grew from 4 to 22 asset classes across 11 sectors. The department estimates that the 168 assets currently registered as critical infrastructure will increase ten-fold because of the legislative changes in 2021.”
Milan said that the critical infrastructure operators’ new obligations would alter the relationship between IT partners and their clients within the channel.
“The sophisticated IT reseller will increasingly be able to advise customers on their IT security exposures from a risk management perspective and use best practice frameworks. Engaging with the customer will elevate to discussing aspects such as their risk appetite and the appropriate calibration of systems to mitigate those risks in line with the business appetite… The harsh reality of underestimating risk, or failing to mitigate against it adequately, can have substantial financial and reputational consequences for both the reseller and the customer.”

StickmanCyber chief executive and founder Ajay Unni said that the latest instalment of the bill was in April and “expecting any department to have all the protections in place in such a short period of time is unrealistic.”
Unni said that he supported the auditor general’s seven recommendations, which the department has accepted.
These included recommendations such as “establishing an engagement strategy; having appropriate performance measurement; improving the department’s existing framework to manage compliance” and “the use of risk management to inform decision-making.”
However, Unni said that the recommendations could do with more clarity and that ratings of different security risks had been left to organisations instead of standardised.
“The issue I have is that not all the risk-management protocols are accurate and are left open to interpretation.”
“Some companies may define a ransomware attack as a critical risk but will rate its likelihood as low, resulting in a low-risk score and limited need for mitigation.”
“This ambiguity in risk assessment is where a lot of problems arise. What’s needed is ongoing resilient security controls including 24x7x365 days surveillance, threat hunting, incident response, monitoring the dark web while also being on top of user education, training and awareness and implementing stringent policies and procedures.”
“I like the emphasis on engagement strategy and performance measurement, however people are always going to be our weakest link. As long as humans continue to be the custodians of critical infrastructure, there needs to be a strong emphasis on education, training, testing and surveillance, with emergency incident responses in place to deal with any unforeseen attacks.”

Sekuro chief information and security officer Prashant Haldankar said that the damage a hack of critical infrastructure assets could wreak on Australia in the current climate was significant and “effective enforcement” of the bill was “crucial”.
“Operations Technology (OT) systems are becoming closely integrated with corporate IT systems to achieve efficiency and centralised management across IT and OT. Where most of the OT systems are unprotected legacy systems, this elevates the risk of high-value targets for cyber attackers into the critical infrastructure.”
“Attacks targeting critical infrastructure are prevalent and historically adversaries have always required to use critical infrastructure attacks against opponents, albeit physical attacks.
“Wider digital technology adoption and international warfare have elevated the threats to critical infrastructure making potentially a dangerous weapon leveraging modern-day attack vectors.”
“The recently concluded audit on Department of Home Affairs, the lead Australian Government agency responsible for the administration of critical infrastructure policy regulation, highlights the importance of having an effective governance and risk management framework to inform decision-making.”