Protecting Critical Infrastructure

In modern economies around the world, the risks to the foundations of civilisation have become obvious through attacks both real and hypothesised, cyber and kinetic. After several high-profile cyber incidents like the Colonial Pipeline attack, it has become clear that major infrastructure providers of power, water, energy, and more can no longer simply be classified as private companies or government agencies – they are the foundations of the modern world, and they are critical for keeping cities, economies, and societies running.

In countries like the USA, Australia, and the United Kingdom, these services have been defined by governments as critical infrastructure and to protect them, new regulations have been imposed to mitigate the risk of cyber attack and to minimise the impact of a cyber incident. There are a handful of countries that have put risk mitigation strategies and regulations in place, and those regulations will most certainly expand to other geographies and regions across the world as state-sponsored cyber-attacks and sophisticated hacking organisations continue to target these services.  

The United States

In the USA, the Cybersecurity & Infrastructure Security Agency (CISA) defines critical infrastructure as whole sectors that are important to the safety and security of the nation.  

There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. 

CISA

The recent rise in significant cyber incidents, coupled with the heightened risk of an attack on one or any combination of these services, resulted in the passing of the Cyber Incident Reporting for Critical Infrastructure Act, which requires operators of critical infrastructure to report breaches to CISA within 72 hours of the incident occurring. This will demand a more sophisticated level of event monitoring and forensic analysis than many operators use today. It will also require providers to monitor a broader range of systems than ever before.

Australia

This year, new Australian legislation (Security Legislation Amendment (Critical Infrastructure Protection) Act 2022) imposed new requirements in the cyber security domain for any provider of critical infrastructure. This included an expanded list of services like health and hospital systems, fuel and gas systems, energy and water systems, broadcasting assets, financial systems, the defence industry, and more. 

In addition to new legislation, a regime of mandatory cyber incident reporting has also been introduced, as well as government assistance and intervention to respond to cyber attacks on critical infrastructure providers. Assets subject to the enhanced cyber security obligations are now described as systems of national significance, and any entity responsible for a critical infrastructure asset MUST report cyber incidents to the Australian Signals Directorate (ASD).

For critical cyber security incidents, a responsible entity must report (orally or in writing) that a “critical cyber security incident” has occurred or is occurring within 12 hours of the entity becoming aware that the incident has had, or is having, a “significant impact” (whether direct or indirect) on the availability of the asset. Where the report is given orally, the entity must provide a written report of the incident within a further 84 hours after the oral report was given. 

For other cyber security incidents, a responsible entity must also report (orally or in writing) any other cyber incidents that have occurred, are occurring or are imminent within 72 hours of the entity becoming aware that the incident has had, is having, or is likely to have, a “relevant impact on the asset”. In this case, where the report is given orally, the entity must provide a written report of the incident within a further 48 hours after the oral report was given. What will constitute a “relevant impact” is defined broadly, but it covers all circumstances where the incident would impact the availability, reliability, confidentiality, or integrity of the asset. 

Importantly, the ASD has been empowered to intervene and obtain monitoring data from systems including system logs. This means that those operators must have a comprehensive security monitoring system capable of capturing security event data, analysing it and “forwarding” critical event data to the ASD. 

The United Kingdom

In the United Kingdom, critical national infrastructure systems are defined by the CPNI (Centre for the Protection of National Infrastructure), and cyber protection of these national assets falls to the National Cyber Security Centre (NCSC).

In the UK, the requirement is for a Protective Security Management System (PSeMS), a framework that helps coordinate processes and procedures covering governance, legal requirements, operating procedures, delivery, monitoring, review, and audit for security. The guide for PSeMS also references the ISO27001 standard and the HMG Security Policy Framework.

New regulation requires UK operators to notify any breaches within 72 hours or face potential fines of up to £17M. 

The NCSC states in the Cyber Assessment Framework (CAF) principles and guidance, “having the correct visibility of your systems is critical to detect potentially malicious activities. It is possible to detect cyber-attacks at an early stage by collecting and aggregating the following non-exhaustive list of log sources and then comparing them against known indicators of compromise.” 

Legislation to Protect Critical Infrastructure

In the USA we see an interplay between the directives for protecting critical infrastructure and the usual standards from ISO27001 and NIST, with other directives including the Executive Order on cyber security and the subsequent memorandum on Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.

This follow-up memorandum outlines a comprehensive maturity model for system monitoring and logging requirements from section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.  

The Australian legislation also references the NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. 

The NIST Framework is based on the ability to identify, protect, detect, respond, and recover. 

For the purposes of this discussion, we will focus on the Detect function: continuous security monitoring, anomalies and events, and the detection process, and how these play into the critical infrastructure legislation in the US, UK, and Australia.

  • Collection and analysis of security events for anomalies is a key requirement for many security frameworks from the ISO27001 standard to NIST 800-171, NIST 800-92 and NIST 800-53 and the Australian Government Information Security Management Framework.  

  • These industries and operators may also have liability under other regulatory frameworks and compliance mandates like HIPAA, PCI DSS, NERC, and others. 

It is this requirement for the collection and analysis of security event data, and in the case of the Australian critical infrastructure legislation, the sharing of that event data with the regulator, that brings commonality to these requirements from across the UK, USA, and Australia. 

All these pieces of legislation and regulation require the ability to collect important and relevant data from systems that are delivering critical services to government, society, and the economy. A critical infrastructure operator must be able to analyse this data effectively to identify anomalies and indicators of compromise, then secure that data away from the systems that generated it and share it with the relevant authorities, both to mitigate current incidents and to share threat data so that future attacks using the same methods can be mitigated.
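The collect, analyse and report loop described above, together with the reporting windows quoted in the Australian, US and UK sections, as an added example that is not Snare's code or any regulator's tooling. The log lines, the indicator list and the `WINDOWS` table are constructed for illustration; the hour values are the ones the article states.

```python
from datetime import datetime, timedelta

# Constructed indicator list for illustration only (RFC 5737 test address,
# reserved example domain); these are not real indicators of compromise.
IOCS = {"203.0.113.45", "malicious.example"}

# Constructed syslog-style lines aggregated from two sources (firewall, DNS).
SAMPLE_LOGS = [
    "2024-05-01T02:10:00Z fw01 DENY src=198.51.100.7 dst=10.0.0.5",
    "2024-05-01T02:11:30Z dns01 query malicious.example from 10.0.0.12",
    "2024-05-01T02:12:05Z fw01 ALLOW src=203.0.113.45 dst=10.0.0.20",
    "2024-05-01T02:13:00Z dns01 query updates.example from 10.0.0.12",
]

# Reporting windows as stated in the article, in hours:
# (initial notification window, written follow-up window after an oral report).
WINDOWS = {
    "AU_critical": (12, 84),   # SOCI Act, "critical cyber security incident"
    "AU_other": (72, 48),      # SOCI Act, other incident with "relevant impact"
    "US_CIRCIA": (72, None),   # CIRCIA: report to CISA within 72 hours
    "UK": (72, None),          # UK: notify within 72 hours
}

# Constructed timestamps: when the operator became aware, and when it phoned in.
AWARE_AT = datetime(2024, 5, 1, 3, 0)
ORAL_REPORT_AT = datetime(2024, 5, 1, 10, 0)


def find_ioc_hits(lines, iocs):
    """Scan aggregated log lines and return (timestamp, source, indicator)
    for every line that contains a known indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: skip rather than crash the pipeline
        ts, source = fields[0], fields[1]
        for ioc in iocs:
            if ioc in line:
                hits.append((ts, source, ioc))
    return hits


def reporting_deadlines(aware_at, regime, oral_report_at=None):
    """Return (initial_deadline, written_deadline). written_deadline is None
    unless an oral report was made under a regime with a written follow-up."""
    initial_h, followup_h = WINDOWS[regime]
    initial = aware_at + timedelta(hours=initial_h)
    written = None
    if oral_report_at is not None and followup_h is not None:
        written = oral_report_at + timedelta(hours=followup_h)
    return initial, written
```

In practice the "aware" timestamp should come from the ticketing or SIEM record that first classified the hits, since the clock in every regime starts at awareness rather than at the event itself.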

The requirement of notification to the appropriate authority within 12 to 72 hours is a critical capability for operators going forward and significant penalties apply in some jurisdictions if these reporting requirements are not met. In other geographies the laws do not limit legal action from breaches and legal liability may be extensive.  

The ability to cover all systems with tools that collect, correlate, and analyse system and security event data, so that a data breach can be confirmed and the respective governments in the USA, UK, and Australia advised, has become critical for operators to meet the legislative and regulatory requirements imposed by those governments to protect citizens and society from hostile cyber attack.

Can You Meet Your Country’s Current Reporting Requirements?

Get in touch with our regional teams to learn how Snare’s centralised logging capabilities can help with speed-to-detection and the level of reporting required to meet existing and proposed reporting mandates in your country.
