27 Mar Critical infrastructure protections, Australia, and the energy sector

Author: Helaine Leggat

Last month’s article looked at similarities in the increasing protection afforded to critical infrastructure in Europe and Australia, specifically in relation to communications.

In this article, we consider further developments in the Australian eco-system and look at the energy sector.

The Cyber and Infrastructure Security Centre of the Department of Home Affairs hosted the CIS (Cyber and Infrastructure Security) Conference in Sydney on 24 March 2023. We are fortunate to have the observations of Gary Waters, Strategic Advisor to the CI-ISAC Australia, who cited Home Affairs Secretary Mike Pezzullo’s comments to share with readers.

The Department of Home Affairs in 2023 is highly focussed on cyber security and critical infrastructure protection, national security and resilience at home, including in relation to climate change and geo-political risks, strengthening our democracy and combatting new and emerging forms of violent extremism, as well as reform of the immigration system, while still being focused on delivery in areas such as the facilitation of trade and travel, visa processing, migrant settlement services and more.

Turning to cyber security, Minister O’Neil, (Home Affairs and Cyber Security) has set us the ambitious challenge of making Australia the most cyber-secure nation in the world by 2030. Later this year, the Government will launch Australia’s Cyber Security Strategy 2023-2030. The Minister is being assisted in this task by an Expert Advisory Board, which is led by the former Telstra Chief Executive Officer Andy Penn. The Board released a public Discussion Paper seeking feedback on the development of the 2023-2030 Australian Cyber Security Strategy, and all are encouraged to contribute and be a part of building a more secure Australia.

Marc Ablong PSM will be moving from his role as Deputy Secretary Strategic Initiatives to undertake a secondment to the Australian Strategic Policy Institute, commencing on 1 May 2023, contributing to dedicated research on Australia’s national security.

A new Cyber and Infrastructure Security Group will be created on 1 May 2023, under the leadership of Mr Hamish Hansford in a new Deputy Secretary position. This new Group will bring together the cyber security and infrastructure policy settings, response and coordination as well as regulatory elements. This will enable an integrated response to support the Minister for Home Affairs, as Minister for Cyber Security, as well as the recently advertised role of the National Cyber Security Coordinator.

Specifically, the Group will be responsible for supporting the Minister and the Coordinator, once appointed, to deliver and implement Australia’s Cyber Security Strategy 2023-2030. An enduring function of the new Group will be cyber and infrastructure security partnerships, ensuring that Government and industry work together on hardening Australian infrastructure and our economy from cyberattacks and from other hazards.

The National Cyber Security Coordinator will perform a key role in supporting the Minister to deliver on a raft of major reforms in the area of cyber security. The Coordinator will deliver a centrally coordinated approach to the Government’s cyber security responsibilities and initiatives, and will be instrumental in driving leadership in the Australian Government to develop strategic national security capability that underpins our future prosperity.

The Coordinator will be supported by the National Office for Cyber Security, a function housed in the Home Affairs Department. The Office will work closely with other arms of the Department and the National Security Community. The Office will consist of employees from the Department of Home Affairs as well as secondees from partner agencies. The Coordinator and the Office will work in collaboration with the Australian Federal Police, the Australian Signals Directorate, the Office of National Intelligence, the Department of Foreign Affairs and Trade, and other key agencies across Government, as they respond to these incidents, while providing the Government with a rapid capability to manage the consequences as they start to emerge.

A new group, National Security and Resilience Group, staffed by officials with deep national security expertise, will be formed to focus on national security and resilience at home – with an emphasis on counter terrorism, countering violent extremism, counter foreign interference, national resilience (both in terms of climate and security risks) and strengthening democracy. This Group will also be stood up from 1 May 2023.

Finally, amendments to the Security of Critical Infrastructure Act 2018 (SOCI) saw two major legislative changes pass through Parliament in 2021 and again in 2022. These were world-leading reforms, bringing in a framework for prevention and response at a national scale. We now have a legislated definition for what we define to be critical infrastructure. The Minister for Home Affairs has exercised her power to declare 82 Systems of National Significance, or SoNS, and she is consulting (as the Act requires) on another 90 at the moment. We now also have a Mandatory Cyber Incident Regime in place.

Australia has also introduced a global first set of reforms designed to respond to significant incidents. We have, in extraordinary circumstances, ‘government assistance measures’ in the Act; we have at our disposal a set of escalating powers to respond to a cyber-incident. These include information gathering (s 35AK of SOCI) and an action direction (s 35AQ of SOCI). They also, on approval from the Prime Minister, the Minister for Home Affairs, Minister for Defence and the Prime Minister, authorise the Government’s intervention request (s 35AX of SOCI) into critical infrastructure in order to respond to a cyber-incident. These are powerful authorities that are available if and when required.

Minister O’Neil recently commented on some areas of deficiency concerning the Act. This principally goes to areas of consequence management as well as definitions. The Act was always conceived as being concerned with the protection of critical infrastructure assets. But given recent data breaches, the question that arises is, ‘do we have the powers we need to respond to the incident, as well as the cascading set of harms that might arise from such an incident?’ These secondary harms could include fraud or credential misuse. The Act was not designed to deal with these types of scenarios. As the Minister’s Expert Advisory Board has noted in the Discussion Paper for the new Cyber Security Strategy, it is clear that a package of regulatory reforms is further necessary, which includes the need to address response requirements following a major incident which deals with consequence.

A new Cyber Security Act to draw together cyber-specific legislative obligations and standards across both industry and government could be potentially considered.

Critical infrastructure protection is a material area of national security risk.

Please consider your role in keeping Australia safe.

For further information, we will share some of CI-ISAC’s sector overviews, this month, looking at the energy sector:
ci-isac.com.au/pdf/intel/CI-ISAC+Energy+overview.pdf.