Cybersecurity for Australia’s Critical Infrastructure
In response to growing cyber security risks, the Australian government passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) to increase the security of our critical infrastructure. These latest amendments introduce a new risk management program obligation and enhanced cyber security obligations for critical infrastructure entities.1
This is a first for many sectors, and organisations will need to move quickly to put the legislated protocols and systems in place.
Critical Infrastructure is Facing a Multi-Pronged Cyber Threat
Critical infrastructure now encompasses our energy, financial, electricity, liquid fuel, gas, water, broadcasting, hospitals, defence and electricity assets. Our daily life depends on these vital systems and these systems depend on secure digital networks.
Securing these systems from cyber-attacks is top of mind across the globe in the wake of highly publicised ransomware attacks on critical infrastructure. The attack surface has broadened even further because many providers rolled out IoT devices during the pandemic.
Geo-political Tensions are Increasing Threat of Cyber Attacks
The cybersecurity agencies of the United States, Britain, Australia, Canada and New Zealand, the members of the Five Eyes intelligence-sharing alliance, have jointly warned of an increased threat of malicious cyber activity against critical infrastructure globally in response to the sanctions imposed during recent geo-political conflicts.2
According to PwC’s Digital Trust Insights Survey 2022, 69% of Australian executives expect an increase in state-sponsored attacks on critical infrastructure.3
Attacks on critical infrastructure give an adversary a far less costly and almost invisible way to create chaos than deploying military force. Proxies, amateurs and organised criminal networks add layers of ambiguity that hide the real aggressor.
SonicWall's Mid-Year 2022 Cyber Threat Report recorded 236.1 million ransomware attacks in the first half of 2022.4 Ransomware lets criminals lock up a target organisation's data and demand payment; when the target is a critical infrastructure operator, the consequences of refusing can include loss of energy supply to important economic centres, turning a cyber incident into real-world impact.
Cyber-Attacks are Increasing and Focusing on Critical Infrastructure
According to the Australian Cyber Security Centre's (ACSC) Annual Cyber Threat Report 2020-21, the ACSC received a cybercrime report roughly once every eight minutes, and it assessed that attacks are escalating in both frequency and severity. Approximately one quarter of the cyber incidents reported to the ACSC in 2020-21 were associated with Australia's critical infrastructure or essential services.5
Operators on the frontline of these attacks have seen their annual cybersecurity spend increase by 500% in some instances, and some organisations are spending up to $20 million to reduce their risk rating to an acceptable level.6
Alongside the increase in cyber security spend, there is an upward trend in the value of ransom demands.
"In 2021, the highest demand we've seen is $US50 million – up from $15 million in 2019 and $30 million in 2020," says Sam Rubin, vice-president of the threat intelligence team at US cyber security group Palo Alto Networks.7
PwC's 2022 Global Digital Trust Insights Survey found that regulatory compliance is the second-highest priority for Australian CEOs when designing their cyber strategies.8
New Government Legislation introduces fines
Under new legislation, Australia's largest organisations face substantial fines for serious or repeated privacy breaches, including those that result from a major cyber attack or repeated hacks.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases the maximum penalty that can be applied under the Privacy Act 1988 for serious or repeated interferences with privacy from the current $2.22 million to whichever is the greater of:
- $50 million;
- Three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of a company’s adjusted turnover in the relevant period.9
Attorney-General Mark Dreyfus warned that companies could be subject to hundreds of millions of dollars in penalties for serious or repeated hacks, depending on company turnover and the estimated value of the stolen data.10
Yet most of this legislation focuses on the technical and procedural aspects of cyber security rather than on the people who operate it.
The Human Dimension of Cyber Resilience
Although teams and executives complete ongoing cyber awareness training, cyber specialists still attribute the overwhelming majority of breaches, by some estimates as many as 99%, to human error.11 Investment now needs to shift towards further developing the human dimension of cyber resilience.
Preventing breaches is only part of the task; organisations also need to focus on how they detect, manage and recover from cyber-attacks. Individuals and teams need to develop the same critical thinking capability that cyber criminals employ to compromise large and complex information systems holding personal customer data. To combat the ever-present threat of cyber-criminal activity, organisations need to build and demonstrate critical thinking skills at every level, from the individual to the team, to the executive leadership team, all the way up to the board.
What are the New Risk Management Program Obligations?
The new legislation introduces an enhanced regulatory framework. The aim is to uplift core security practices in the management of eleven classes of critical infrastructure asset:
1. Critical broadcasting assets
2. Critical domain name system
3. Critical data storage or processing assets
4. Critical hospitals
5. Critical energy market operator assets
6. Critical financial market infrastructure assets
7. Critical electricity assets
8. Critical liquid fuel assets
9. Critical gas assets
10. Critical water assets
11. Specified critical defence industry assets
Critical infrastructure entities are now required to establish, maintain and comply with a Risk Management Program that meets the following principles-based outcomes:
- Identify material risks. Entities will have a responsibility to take an all-hazards approach when identifying hazards that may affect the availability, integrity, reliability and confidentiality of their critical infrastructure asset.
- Minimise risks to prevent incidents. Entities will be required to consider risks to their critical infrastructure asset and establish appropriate strategies to minimise or eliminate the risk of hazards occurring.
- Mitigate the impact of realised incidents. Entities will be required to have robust procedures in place to mitigate, so far as is reasonably practicable, the impacts of a hazard, as well as work to recover as quickly as possible.
- Effective governance. Through the risk management program and risk management program rules, entities will be required to have appropriate risk management oversight arrangements in place, including evaluation and testing.
Preparing your Organisation to Ensure Compliance
Responsible entities must prepare an annual report on their Risk Management Program and submit it to the relevant Commonwealth regulator or the Secretary of the Department of Home Affairs. The report is due within 90 days of the end of the financial year and must be approved by the entity's board, council or other governing body.12
To be successful, organisations will need to engage meaningfully with the reforms to give boards and the relevant regulators the assurance they require.
Engaging the right representatives from across your organisation will ensure the program is practical, implementable and reflects your organisation's perspectives and operating context.
The Janellis Enterprise Resilience Framework
Developed in collaboration with leading Australian organisations operating in high-risk industries both nationally and internationally, Janellis’ Enterprise Resilience Framework is based on the International Benchmarking on Organisational Resilience.
Download our Organisational Resilience Framework Harvard Business Review submission containing case study examples such as NSW State Emergency Service; Qantas; Lendlease Group, Transfield Services and Westpac Banking Corporation. Or access the technical version of the framework here.
Organisations use our International Organisational Resilience Framework as a roadmap for starting their resilience journey, or as an assurance tool where the capability already exists.
Building organisational resilience requires organisations to take an 'all risks' strategy in developing their capability. This approach allows teams to use the same frameworks and skills to pivot and respond to any type of risk, cyber threats included.
Organisational Resilience brings together all elements of capability under one enterprise-wide framework. It allows organisations to visually and virtually connect all aspects of resilience including: Risk Management, Cyber Security, Incident and Emergency Management, Crisis Management, Business Continuity and Disaster Recovery.
The Janellis Organisational Resilience Framework
The framework is aligned with International and Australian standards including:
Complying with Infrastructure Reforms can Deliver Competitive Advantage
Critical infrastructure is vital to our nation’s economy and security and yet Australian operators face a diverse range of ever-increasing cyber threats.
Ensuring your organisation is prepared to meet the core requirements of the new Critical Infrastructure Reform is essential. If executed well, organisations will obtain additional benefits such as operational resilience and excellence. When Australia develops a reputation as a cyber resilient nation, we will be sought after as exceptional service providers by organisations across the globe.
1. Australian Government, Department of Home Affairs. 2022. Security Legislation Amendment (Critical Infrastructure Protection) Act 2022. [ONLINE] Available at: https://www.homeaffairs.gov.au/. [Accessed 2 November 2022].
2. Reuters. 2022. West warns of Russian cyberattacks on critical infrastructure. [ONLINE] Available at: https://www.reuters.com/world/europe/west-warns-russian-cyberattacks-critical-infrastructure-2022-04-20/. [Accessed 3 May 2022].
3. PricewaterhouseCoopers. 2022. Digital Trust Insights Survey 2023 | C-Suite guide to cyber readiness | PwC Australia. [ONLINE] Available at: https://www.pwc.com.au/important-problems/cyber-security-digital-trust/global-digital-trust-insights.html. [Accessed 2 November 2022].
4. SonicWall. 2022. SonicWall Mid-Year 2022 Cyber Threat Report. [ONLINE] Available at: https://www.sonicwall.com. [Accessed 2 November 2022].
5. Australian Cyber Security Centre. 2022. ACSC Annual Cyber Threat Report 2020-21 | Cyber.gov.au. [ONLINE] Available at: https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21. [Accessed 3 May 2022].
6. PricewaterhouseCoopers. 2022. The new equation to protect Australia's critical infrastructure. [ONLINE] Available at: https://www.pwc.com.au/important-problems/cyber-security-digital-trust/critical-infrastructure/protect-australias-critical-infrastructure.html. [Accessed 2 November 2022].
7. Australian Financial Review. 2022. How big beef became cyber crime's latest victim. [ONLINE] Available at: https://www.afr.com/policy/foreign-affairs/how-big-beef-became-cyber-crime-s-latest-victim-20210609-p57zhl. [Accessed 2 November 2022].
8. PricewaterhouseCoopers. 2022. The new equation to protect Australia's critical infrastructure. (See reference 6.)
9. Australian Government Attorney-General. 2022. Tougher penalties for serious data breaches. [ONLINE] Available at: https://ministers.ag.gov.au/media-centre/tougher-penalties-serious-data-breaches-22-10-2022. [Accessed 31 October 2022].
10. 9News. 2022. Companies face 'hundreds of millions of dollars' in fines for serious data breaches. [ONLINE] Available at: https://www.9news.com.au/national/massive-penalties-australian-companies-repeatedly-cyber-attacked-federal-government-legislation/11a8b4c2-d146-4912-a655-edf72f0cdddf. [Accessed 31 October 2022].
11. Australian Financial Review. 2022. Medibank, Optus hacks: 'Human stupidity' the likely cause, says top cybersecurity expert. [ONLINE] Available at: https://www.afr.com/technology/human-stupidity-likely-cause-of-medibank-optus-breaches-20221025-p5bsqu. [Accessed 27 October 2022].
12. Australian Government, Department of Home Affairs. Cyber and Infrastructure Security Centre: Risk Management Program fact sheet. [ONLINE] Available at: https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-risk-management-program.pdf. [Accessed 2 November 2022].
Janellis is a Management Consulting firm specialising in helping organisations execute their strategy and build resilience through three key practice areas of Project Delivery, Capability Uplift and Organisational Resilience.
Janellis helps organisations build resilience and deliver complex programs by uplifting capabilities in areas such as team-based critical thinking. Uplifting critical thinking skills relies on experiential and ‘learning by doing’ activities using scenarios. In response to COVID, Janellis has combined online learning and experiential learning through our Digital War Rooms and Virtual Labs. Our Master Facilitators enable experiential learning both in real-time and online using virtual tools where teams put into practice our tools and frameworks.