This year, new Australian legislation (Security Legislation Amendment (Critical Infrastructure Protection) Act 2022) imposed new requirements in the cyber security domain for any provider of critical infrastructure. This included an expanded list of services like health and hospital systems, fuel and gas systems, energy and water systems, broadcasting assets, financial systems, the defence industry, and more.
In addition to the new legislation, a regime of mandatory cyber incident reporting has been introduced, together with powers for government assistance and intervention in response to cyber attacks on critical infrastructure providers. Enhanced cyber security obligations apply to assets that have been declared systems of national significance, and any entity responsible for a critical infrastructure asset MUST report cyber incidents to the Australian Signals Directorate (ASD).
For critical cyber security incidents, a responsible entity must report (orally or in writing) that a “critical cyber security incident” has occurred or is occurring within 12 hours of the entity becoming aware that the incident has had, or is having, a “significant impact” (whether direct or indirect) on the availability of the asset. Where the report is given orally, the entity must provide a written report of the incident within a further 84 hours after the oral report was given.
For other cyber security incidents, a responsible entity must also report (orally or in writing) any other cyber incidents that have occurred, are occurring or are imminent within 72 hours of the entity becoming aware that the incident has had, is having, or is likely to have, a “relevant impact on the asset”. In this case, where the report is given orally, the entity must provide a written report of the incident within a further 48 hours after the oral report was given. What will constitute a “relevant impact” is defined broadly, but it covers all circumstances where the incident would impact the availability, reliability, confidentiality, or integrity of the asset.
Importantly, the ASD has been empowered to intervene and to obtain monitoring data from affected systems, including system logs. In practice, this means that critical infrastructure operators must have a comprehensive security monitoring system capable of capturing security event data, analysing it, and forwarding critical event data to the ASD on request.