Australia's Security Legislation Amendment (Critical Infrastructure) Act 2021, passed in December, extends the sectors subject to cybersecurity provisions to include communications, data, finance, water, energy, healthcare, higher education, food, transport, space technology and defence.
The government can now compel organisations in these sectors to provide information on systems needed to operate critical infrastructure. It can also intervene directly, under “government assistance measures”, in handling cybersecurity incidents. A second round of legislation covering risk management programs and reporting obligations is also before parliament.
The full extent of compliance obligations is not yet set in stone. But many organisations – many previously facing minimal cybersecurity compliance obligations – are on notice. With the new government assistance measures, they could face potentially costly interventions during serious cyber incidents.
Critical infrastructure, such as power, water and transport, has long been a cyberattack target for threat actors and nation-states. Research from the Ponemon Institute revealed that nine in ten critical infrastructure providers in the US, UK, Germany, Australia, Mexico and Japan were damaged by a cyberattack over a two-year period.
Critical infrastructure organisations worldwide face increasing regulatory pressure to raise their levels of overall security and network resilience. Implementing preventative measures and having the ability to report incidents rapidly is key to this.
While the detail of compliance obligations varies from country to country, there is one common element. Organisations need to have centralised control and oversight of who can access which systems. This is most easily and effectively achieved by implementing privileged access management (PAM).
Preventing disruptive nation-state cyberattacks
Modern society relies on critical infrastructure to answer people's primary needs, such as clean water, food, power, transport and emergency care. It's no surprise that hostile nation-states are increasingly considering using cyberattacks on this infrastructure to cause widespread disruption.
According to the Ponemon Institute research, nearly a quarter of all critical infrastructure organisations experienced a nation-state attack over two years. Many of these were reconnaissance or capability-readiness missions to get a foot in the door in case an attack is needed in the future.
Perhaps the most notorious example was very early on in the Ukraine-Russia war. In 2015, three energy firms had their information systems shut down by threat actors using multiple attack vectors, including the malware BlackEnergy.
The attack, believed to have been carried out by the Russia-sponsored advanced persistent threat (APT) group called Sandworm, resulted in some 225,000 Ukrainians being without power for several hours. Attribution in these scenarios can be extremely difficult without nation-state cooperation.
While the full suite of legislative measures is yet to be enacted in Australia, many organisations will need to make urgent cybersecurity investments to comply. At the very least, they will need appropriate structures, policies and processes to understand, assess and manage security risks to the network and information systems supporting essential services.
They will also need to take security measures to protect essential services and systems from cyberattacks, along with the capabilities to detect and report any incidents. In the event of a cybersecurity incident, organisations must be able to minimise its impact on essential services.
Danger of non-compliance with legislation
Without significant investments, many critical infrastructure organisations are in danger of not being able to meet their compliance obligations. A key reason for this in many sectors is that information security staff have limited visibility into operational technology (OT) environments. These include hardware, software and network systems that monitor and control industrial equipment, assets and processes.
According to Fortinet, 78 per cent of chief information security officers (CISOs) have limited centralised visibility into their operational technology. While previously isolated from IT systems, industrial equipment is now mostly connected to the internet and vulnerable to cyberattacks.
The difficulty of achieving a single view of the various and disparate OT systems on which critical infrastructure relies contributes to limited visibility. Having so many different systems makes implementing role-based access control (RBAC) and multi-factor authentication (MFA) difficult, if not impossible, without a purpose-built tool.
There are also risks associated with third parties, contractors, suppliers or remote employees connected to critical infrastructure organisations. The Fortinet research underscored this, with 65 per cent of CISOs saying that this was a serious concern and increased the risks.
Central role of privileged access management
As with IT, OT environments use credentials like passwords for accessing privileged systems. The main aim of many threat actors will be to get their hands on this information to carry out their attacks more easily. Therefore, having full control and oversight of access to these privileged systems is key for legislative compliance.
Effective privileged access management should enable an organisation to implement and control a robust authentication strategy across all IT, Internet of Things and OT systems such as ICS and SCADA. This includes ensuring a strong password policy, password rotation, RBAC and MFA.
It should also be able to use threat analytics to detect suspicious activity and automatically force suspicious users through re-authentication and verification workflows. This should also extend to third parties, contractors, suppliers and remote employees to limit the risk of threats making their way onto the system.
Further, being able to see all this information – as well as auditing, alerts and analytics – through a single pane of glass dramatically reduces the risks and complexity of monitoring activity across systems. It also facilitates proving compliance and providing information to authorities during a cyberattack. This could be instrumental in avoiding costly government interventions.
Regardless of the details of the final Australian legislation, all critical infrastructure organisations will need to manage privileged access effectively to comply. The quickest, easiest and least disruptive way is with a PAM solution that makes security seamless for the modern, hybrid environments that critical infrastructure organisations use.