Security Market Segment LS
Sunday, 11 September 2022 18:45

CyberArk explains what the critical infrastructure protection act means for you


The Australian Parliament passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 earlier this year with mandatory periods for critical infrastructure cyber security incidents to be reported, but what does it mean for you in practice? CyberArk solutions engineering manager Andrew Slavkovic spoke to iTWire to explain.

This new mandate came into existence earlier this year, completing the final package of amendments to the existing Security of the Critical Infrastructure Act 2018 (Cht) (SOCI Act). The Act is designed to improve the cyber security posture of Australia’s critical infrastructure assets and systems of national significance. It takes into consideration the changing threat landscape caused by several global events and accelerated digital transformation activities.

So what's this all about, Andrew?

Slavkovic (pictured) explains that the Australian Cyber Security Centre (ACSC) will play an expanded role within the Act by providing advice and guidance to infrastructure providers on how to best handle and respond to cyber incidents in the early stages. The new mandate is an opportunity to boost Australia’s collective cyber defences as ACSC will work to respond to develop an overall threat picture based on the incident reports it receives.

As set out in the Act, Critical Infrastructure owners and operators are required to report a cyber security incident to the ACSC within the mandated periods which correlates to the severity rating of a given cyber security incident.

When a threat to the critical infrastructure operator passes a predetermined threshold, the ACSC can use intervention powers, such as installing software that reports system information back to the agency or in serious cases taking over the incident response on behalf of the Agency.

What's "significant"?

Slavkovic further explains the Act provides guiding principles regarding what constitutes a significant or critical security incident. It is deliberately non-specific as the severity rating depends on the unique circumstances in which the industry operates and the risk countermeasures in place. This can only be accurately assessed by the operating entity who will then assign an appropriate rating.

An entity should consider the services being provided and the impact on confidentially, integrity and availability of essential services, as well as the nature and extent of the cyber security incident when determining this rating.
Some examples provided within the Act may be able to guide an entity to what significant incident types could be considered “unauthorised access” or “successful ransomware”.  In the context of a ransomware attack, this would have to be successful to the point that it disrupted essential services, like powering your home.


What industries does the mandate relate to, and are other industries off the hook?

A significant change within the Act is the expanding scope of what sector is considered critical infrastructure.  Previously, only four - electricity, gas, water and ports - were recognised, Slavkovic says.

With the increased interconnectivity driven by digital transformation initiatives and the current global cyber threat landscape, the Australian Government has expanded this definition to include an additional 11 sectors:

  • Financial Services and Markets
  • Communications
  • Data Processing and Storage
  • Defence Industry
  • Higher Education and Research
  • Energy
  • Food and Grocery
  • Health Care and Medical Sector
  • Space Technology
  • Transport
  • Water and Sewage

The Act also stresses that third-party suppliers which operate assets on behalf of an in-scope sector must also abide by the Act, such as an entity that may be storing or processing data on behalf of the primary sector.
Other industries are not legally bound by this Act but should follow the legislative obligations regarding cyber security incident reporting relevant to them.

It is always good practice to report security incidents to an organisation’s Chief Information Security Officer (CISO) as soon as possible after they occur or are discovered.

Lastly, if ever in doubt, any organisation can report a security incident and engage the ACSC’s expertise for advice and guidance on dealing with an incident on the ACSC website.


So what happens if you don't report a breach? And will ACSC really know if you don't?

As of 8 July 2022, most Australian critical infrastructure assets are required to comply with the mandatory cyber incident reporting regime as contained in the Act.

Reports can be made through the ACSC "report a cyber security incident" form, or by telephone followed by a written report that follows the stated reporting timeframes given the incident severity.

If an incident is not reported and there is a disruption to essential services, ACSC will know very quickly since something like thousands of homes without power will make it evident that something happened.

Failure to comply with the reporting obligations may result in a penalty of $11,100 (50 penalty units) per breach, or $55,500 (250 penalty units) if the entity is a corporation – Home Affairs would determine this.


Ok, so how does the mandate place Australia concerning cyber breach reporting globally?

Australia has been referenced as leading in the way it manages cybersecurity holistically, and we are taking the right steps forward to be leading in line with other ”5Eyes” countries. Concerning cyber breach reporting, if we look at the US (which is often seen as the global benchmark), we notice a few similarities between their reporting requirements and ours in that owners and operators of critical infrastructure have an obligation to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) within 72 hours, and ransomware payments within 24 hours.

There is much discussion locally that our reporting timelines should mirror that of the US, specifically around 72 hours as opposed to 12 hours. These reporting timelines can then be consistent with the likes of “5Eyes” reporting channels, which would also allow more organisations to focus on the response, rather than contacting ACSC almost immediately.

When it comes to specifically report any ransom payments made as a result of a ransomware attack, the US Act has a specific mandate that requires it to be reported to CISA no later than 24 hours after making the payment.

In Australia, several requirements must be met before a ransom payment is made, and officially the Australian Government does not advocate paying ransomware – although there are no general mandatory reporting obligations applicable to ransomware attacks under Australian law.


Is there still more the government or industry can or should be doing?

The Act is a great starting point and elevates Australia’s thinking to be in line with other mature markets such as the US.

The industry could certainly be playing a greater role by establishing consistent security frameworks and a closer working relationship with the Government, especially when it comes to evaluating the security posture of IT infrastructure, vendors and product solutions.

One such initiative Australia should look at leveraging - as the US already has - would be adopting mandates around providing a software bill of materials as part of securing the software supply chain for greater transparency.


What advice can you give companies on how they can identify, track, manage, and report on cybercrime? In essence – what can a regular old company do to ensure they’re on top of this?

Organisations will need to focus on ensuring they have a cyber security framework and robust Incident Response Plans (IRPs) in place.

Adopting a consistent best practice cyber security framework will help implement security controls, and guide the direction, and definition of the response preparedness, planning and execution by outlining all the stages and steps necessary when responding to an attack.

The IRPs will then provide the detail of how the framework will be implemented and ensure key responsibilities are clear for a given security event.

Some things to consider here are:

  1. The use of automation to pull together events of interest (from multiple toolset sources) to provide the organisation with situational awareness regarding a potential event.
  2. Have an incident ticket created automatically off the predefined best practice categories with all relevant information appended and ready for triage and investigation. This will cut down on manual information gathering and aid in the reporting timelines to ACSC.


How can CyberArk aid companies in these challenges?

Securing identities is becoming the new security paradigm and it is universally recognised as a modern and effective security strategy. This is particularly true as critical infrastructure undergoes modernisation initiatives that look at taking advantage of migrating elements of services to the cloud.

The CyberArk Identity Security Platform can be mapped to organisations’ risk management process to help identify and manage their cybersecurity risks about identity and its capabilities cover each stage of the incident response framework to both defend against attacks as well as provide good practice hygiene tools for keeping the machine and human identities secure.

As the response to any cyberattack threat is time-sensitive, key capabilities must be in place to immediately detect and respond to suspicious actions by a given identity, take automated action to reduce the risk of eventuating and ensure an identity is restored to a known safe state.


Thank you, CyberArk solutions engineering manager Andrew Slavkovic, for making this so much clearer.


Read 1132 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News