Critical infrastructure providers suffered 12 cyber incidents during the three-month grace period that preceded the beginning of a mandatory reporting scheme, new figures from the Home Affairs department reveal.
But none of the incidents had a “significant” impact on the operation of critical infrastructure assets, which would have required owners and operators to notify the Australian Cyber Security Centre (ACSC) within 12 hours.
An annual report on the Security of Critical Infrastructure (SOCI) Act 2018, tabled late last week, provides the first reporting on a spate of new obligations imposed on critical infrastructure assets over the past year.
The reforms came in two waves with passage of the Security Legislation Amendment (Critical Infrastructure) Act in November 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Act in March 2022.
Despite industry calls to refine the new regulations and provide more clarity on requirement, the first bill was pushed through by the Home Affairs department due to what it said was a pressing cyber-attack risk.
The two bills also extended the SOCI Act beyond electricity, water, gas and ports assets to 11 additional sectors, including communications, financial services, data storage and processing, Defence industry, higher education and space technology.
Mandatory reporting of cyber incidents took legal effect on April 8 to provide government with “visibility” over threats, but the regime remained voluntary for asset owners and operators until the grace period expired on July 8.
According to the report, 12 cyber incidents with a “relevant impact” – the lesser of the two types of incidents captured by the reporting scheme – were reported between April 8 and July 1.
Asset owners and operators that experience such incidents, or those that have an “impact on the availability, integrity, reliability or confidentiality of the asset, are required to notify the ACSC within 72 hours of becoming aware.
No cyber security incidents with a “significant impact” were reported during the three-month grace period. Unlike cyber incidents with a relevant impact, significant incidents require reporting within 12 hours of becoming aware.
A significant impact is where “both the critical infrastructure asset used in connection with the provision of essential goods and services, and the incident has materially, disrupted the availability of the essential goods or services delivered by the critical infrastructure asset”, the report said.
The report also reveals there was no use of “last resort” ministerial powers that allow the government to intervene to contain a cyber attack on critical infrastructure owned by the private sector.
One of the more controversial elements of the legislation, the power allows the ACSC to step in and take control of a company’s systems if it is subject to a cyber-attack. It could also install software, gain access to networks, analyse data or direct an entity.
Similarly, the Home Affairs minister gave no directions to an asset owner or operator to “mitigate national security risks, where the risks cannot be managed through existing collaboration… via existing regulatory frameworks” last financial year.
The report also shows “82 critical infrastructure assets across 38 entities in the communications, financial services and markets, energy and transport sectors” were declared Systems of National Significance by the minister last financial year.
Do you know more? Contact James Riley via Email.