The promise of the Security Legislation Amendment (Critical Infrastructure) Bill 2020
Recently, the government drew up updated legislation to protect Australia’s critical infrastructure, the Security Legislation Amendment (Critical Infrastructure) Bill 2020. It extends the scope of what is considered critical infrastructure, including organisations responsible for communications, data storage and processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology, and the defence industry.
The bill will significantly impact Australia’s 537 local councils, many of which provide critical and essential services like water and sewage. The legislation will require them to adopt and comply with a risk management program that ensures critical infrastructure assets are protected from cyber-attacks.
The growing state of risk for today’s local councils
Maintaining adequate protection against cyber-attacks will present a considerable challenge for councils, many of which are suffering budget constraints. Back in 2018, the Australian Local Government Association advised that local councils required an investment of $30 billion to renew and replace ageing infrastructure, a figure which greatly exceeds the funding capacity of the local government sector under current revenue arrangements. They also advised that this figure is likely to grow in the coming years to meet evolving productivity and safety requirements.
Budgetary constraints aside, smaller councils are also likely to struggle to gain access to the high-level expertise needed to achieve and maintain robust protections against cyber threats, especially those in rural and remote areas.
The NSW Auditor General’s Report on Local Government 2020 stated that 58 councils in the state had yet to implement basic governance and internal controls to manage cybersecurity. It listed these controls as: a cybersecurity framework, policy and procedure, a register for cyber incidents, penetration testing, and staff training.
Other states are unlikely to fare much better. The WA Auditor General’s May 2021 Report on Local Government General Computer Controls found 328 control weaknesses in 50 local government entities, all of which could significantly compromise the confidentiality, integrity, and availability of IT systems.
The increasing digitalisation of council services and operations poses another challenge. Every initiative to improve services for citizens, or to digitise internal council operations, potentially increases the attack surface and the volume of data at risk of a breach.
A particular risk is the digitisation of infrastructure, the implementation of IoT, and the integration of operational technology and information technology.
Cyber risk has risen rapidly in the ranking of issues facing local councils. Some recent cases of councils that have been victims of cyber-attacks demonstrate how challenging it will be to achieve and maintain robust cyber security.
In August, Stonnington Council in Victoria was hit by a cyber-attack. Following the attack, Stonnington CEO Jacqui Weatherill told 7 News that the council was trying to ascertain if sensitive data had been exfiltrated, and that some council staff working from home had been forced to take annual leave as a result of the incident.
Stonnington was not the first council in Australia to have suffered a significant cyber-attack, and certainly will not be the last. In December 2020, the City of Onkaparinga council in Adelaide was hit by the Ryuk ransomware (which first emerged in 2018), forcing staff to start their holidays early. Mayor Erin Thompson told the ABC that IT staff had to restore every server and every different device manually across the council network.
In October 2020, insurer LGIS reported that a large metropolitan local government in WA was infiltrated by a high-impact ransomware attack in which hackers had gained admin privileges, causing days of near-total shutdown.
Demonstrating the challenge councils face in countering ransomware, the report said the council had invested in data-protection, firewall, anti-malware, anti-spam, and anti-virus products, but none of these had been able to protect it from the highly disruptive, sophisticated attacks. Attackers were able to easily bypass these traditional endpoint detection security tools.
Countering ransomware requires a new approach to security
Local councils need to take a new approach to securing their critical applications as ransomware attacks continue to proliferate and become more sophisticated.
Applications require advanced security tools, which offer deeper layers of protection.
One of the best ways to achieve this advanced level of security is through deterministic protection that fully protects the software workload at runtime, wherever it is running. Within milliseconds of being installed, this technology establishes a “map” of normal behaviour within each application by monitoring and mapping all activity, including files, processes, libraries, memory usage, and web inputs.
Any deviation from the norm is instantly detected, treated as a threat, and blocked in real-time, reducing the likelihood of damage ever occurring, reducing attacker dwell time and reducing operational costs.
Adversaries will continue to wreak havoc on local councils, which remain a key target due to limited awareness of cyber security threats and budgetary constraints. But with the right security tools deployed, councils can have peace of mind knowing their critical services will remain operational should they ever be targeted.