The future of Australia’s critical infrastructure rests on collaboration between government and the private sector, writes Marty Edwards.

Last December, the federal government first introduced its Security Legislation Amendment (Critical Infrastructure) Bill 2020, focused on safeguarding the critical infrastructure which delivers essential services.

Such services are crucial to our economic prosperity and way of life, powering everything from our water and electricity supply to public transportation and emergency services. 

The challenge is that more than 85 per cent of the world’s critical infrastructure is owned and operated by private entities.

Yet, the complexity of securing industrial control systems (ICS) and operational technology (OT) – the foundations of our critical infrastructure ecosystem – requires collaboration from both government and industry.

Last month some of the world’s largest technology companies addressed the government’s proposed Critical Infrastructure bill in Parliament.

The concern was that by allowing the government to step in and take control of a business amid a cyberattack, incidents could potentially worsen. A way around this would be for industry to consider installing their own monitoring software that meets government standards instead and share the resulting data with the appropriate government entities.

While critical infrastructure threats aren’t new, the increasing number and sophisticated nature of these is a real cause for alarm. The need for increased legislation, cooperation and collaboration has never been greater, and the solution lies in eliminating any policy vacuums between government and industry. Here’s how. 

An increase in information sharing

In May, the American oil pipeline system, Colonial Pipeline, suffered a ransomware cyberattack causing the firm to shut down its fuel distribution network and sparking widespread fears of a gasoline shortage. 

It was later revealed that the organisation had forked out over $US4.4 million in ransom payments but because the attack was reported to the FBI, the Department of Justice managed to secure over half of this payment in cryptocurrency back from the ransomware group by following the money trail.

This instance highlights how information sharing between government and private entities, and notifying government early can yield positive results. 

Similarly, Australian organisations should report incidents to the Australian Cyber Security Centre (ACSC) as soon as possible after security incidents occur. This helps the ACSC identify trends and maintain an accurate picture of the threat environment to assist in the development of new or updated cybersecurity advice, capabilities and techniques to prevent and respond to cyber threats.

Global law enforcement agencies estimate the number of cybercrimes that go unreported by business is in the millions.

One of the key challenges is that private entities have a tendency not to report attacks for fear of exposure. 

Another challenge is the lack of clear guidance for critical infrastructure operators on which government entities they should notify.

And, if an increase in information sharing is agreed, what also becomes critical is maintaining a measure of secrecy and aligning on how much information is to be publicly disclosed. Finally, critical infrastructure providers are concerned that they don’t get adequate and timely information back from government partners in order to strengthen their posture and prepare for imminent attacks. Each of these challenges needs to be addressed. 

International cooperation and global alliances 

Combating cybercrime is already a core foreign policy issue and a central theme of Australia’s diplomatic efforts. As an example, Australia was a founding member of Five Eyes, the intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States, which aims to share information. 

As attacks become more global, greater emphasis needs to be placed on international collaboration, assessment of risk and collaborative incident response capabilities to tackle the ever-evolving tactics of cybercriminals. This can go a long way in bolstering the ability of industry and government to prevent the most advanced attacks.

As Australia continues to seek international allies, it’s critical that security requirements are grounded in consensus-based international standards to ensure alignment with global best practices. Only this can advance national security as well as achieve economic development and stability. 

If recent critical infrastructure attacks have taught us anything, it’s that such incidents don’t only impact the business, the implications are felt society-wide. When it comes down to it, neither government nor industry can tackle this challenge alone. It truly takes collaboration and cooperation from both sides. Ultimately, it’s only through this collaboration that we ensure the protection of every Australian. 

Marty Edwards is VP of OT Security at Tenable 

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter