Why strengthening cybersecurity posture in Australia is key to secure its critical infrastructures

  • The Australian Government passed its final tranche of amendments to the Security of Critical Infrastructure Act 2018
  • Palo Alto Networks blocks a staggering 224 billion threats to their customer base per day

2022 proved to be a difficult year for business leaders worldwide as high-profile attacks caused supply chains to get disrupted, created headlines, and triggered new cybersecurity regulations. These well-publicized hacks had significant financial and security ramifications. They once again demonstrated to the entire world how susceptible critical infrastructure and supply chains can be when they are targeted by cybercriminals, highlighting the need to improve cybersecurity posture – especially in Australia.

Australia is currently seeing an increasing number of cybersecurity threats aimed at its critical infrastructure, and some business leaders aren’t prepared. In a survey spanning 14 countries, the majority of Australian chief information security officers (CISOs) indicated that their organizations are unprepared to detect, deter, and recover from a cyber attack, up 21% from 2021.

The cyber threat landscape is growing more automated, intelligent, and dangerous. The Australian government has, however, stated that it is committed to strengthening the nation’s cybersecurity posture.

Tech Wire Asia had the pleasure of speaking with Sarah Sloan, Palo Alto Networks’ Head of Government Affairs, on the threat landscape in the region and the implications of Australia’s crucial infrastructure enhancements.

How has Australia’s threat landscape evolved in comparison to the rest of the world?

Globally, cyber security threats are only set to increase – particularly as technology and connectivity become more pervasive and underpin our critical infrastructure services, economy and national security. By way of illustrating the scale of the threat – Palo Alto Networks blocks a staggering 224 billion threats to our customer base per day.

Today, cybercriminals are increasingly sophisticated – operating much like businesses and making significant profits from their operations. We have monitored the growth of one cybercriminal actor, “SilverTerrier”, from their humble beginnings of just a few individuals experimenting with malware purchased online in 2014, to an organization that encompasses over 480 different actors, producing more than 81,000 samples of malware, linked to 2.1 million attacks worldwide. We have watched groups like this indiscriminately target all industry segments, including small to large businesses, healthcare organizations, and even local, state, and federal government institutions.

We see these same global trends play out in the Australian context.

Australians are early adopters of technology. In 2021, there was an average of 20.5 internet-connected devices per household in Australia. This number is forecast to reach 33.8 by 2025. Today technology underpins almost every aspect of the lives of Australians – from keeping in touch with friends, keeping the lights on, driving economic growth and protecting our national interests. However, as we embrace the benefits technology brings, we need to be mindful of the cyber security risks that it can create. This widespread internet connectivity, alongside Australia’s relatively high wealth, makes us an attractive target for a range of cyber adversaries.

According to the ACSC 2020-21 Annual Cyber Threat Report, over the 2020–21 financial year, the center received over 67,500 cybercrime reports, an increase of nearly 13 percent from the previous financial year. The increase in volume of cybercrime reporting equates to one report of cyber attack every 8 minutes compared to one every 10 minutes last financial year. Approximately one quarter of cyber incidents reported to the ACSC during the reporting period were associated with Australia’s critical infrastructure or essential services.

(Relating to the APT actor “Gallium” attacking governments) How did the APT actor “Gallium” come to be, and why are they targeting Australian governments and critical infrastructures?

Palo Alto Networks’ threat intelligence team, Unit 42, actively monitors advanced persistent threat (APT) groups. Earlier this year, they identified a new, difficult-to-detect remote access trojan named PingPull being used by one APT group, named GALLIUM (also known as Softcell). This APT established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa. The group’s geographic targeting, sector-specific focus and technical proficiency, combined with their use of known Chinese threat actor malware and tactics, techniques and procedures (TTPs), has led to the assessment that GALLIUM is likely a Chinese state-sponsored group.

The group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities. During this period, we identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam. Two major vendors linked GALLIUM to China. However, we see a range of actors targeting the Australian government and critical infrastructure – including both state-based actors and cybercriminals. Their motivations are often mixed – in some cases they may be financially motivated, in other cases they may be looking to acquire information or to disrupt operations.

Could you briefly discuss the Australian government’s recent announcement to strengthen its critical infrastructure and cybersecurity posture?

In 2022, the Australian Government passed its final tranche of amendments to the Security of Critical Infrastructure Act 2018 to complete a series of reforms aimed at enhancing Australia’s critical infrastructure resilience. These reforms increase the number of Australia’s Regulated Critical Infrastructure Sectors from the previous four sectors (electricity, gas, water and ports) to 11 sectors. This expanded scope recognizes and reflects the range of sectors critical to Australia’s national security.

We support the Australian Government’s commitment to enhancing the cyber security posture of its critical infrastructure sectors. Around the world we have seen a growing range of cyber security threats levelled against critical infrastructure, including the recent high-profile SolarWinds, Exchange, and Colonial Pipeline attacks in the United States. In our increasingly interconnected world, improving the security and resilience of critical infrastructure entities is essential to protecting Australia’s economy and national security. Australia is wise to proactively take increased action, even though it has not to date had a catastrophic cyber security incident against its critical infrastructure. We look forward to partnering with the Australian Government as it continues to implement these new reforms.

What does this announcement entail for Australia and its organizations?

Under the legislation there are now effectively two tiers of critical infrastructure – the first being a “Critical Infrastructure Asset” and the second being a “System of National Significance”. Organizations that are deemed “Critical Infrastructure Assets” have to meet “positive security obligations” such as providing the Government with information for its register of critical infrastructure assets, developing a risk management plan across cyber, supply chain, physical and personnel risks, and adhering to mandatory cyber incident reporting requirements.

Organizations deemed to be “Systems of National Significance” are a smaller subset of critical infrastructure assets, most crucial to the nation by virtue of their interdependencies across sectors and potential for cascading consequences if disrupted. These entities may be subject to enhanced cyber security obligations, such as adoption of incident response (IR) plans, undertaking cyber security exercises and vulnerability assessments, and providing system information to the Government.

Finally, the Act provides the Australian Government with information gathering, action direction and intervention powers to be exercised as a “last resort” in circumstances where a cyber security incident has impacted, or is likely to impact, a critical infrastructure sector. While we understand the intent behind this power, we remain concerned by the lack of clear legislated appeal rights, which may set a global precedent counter to Australia’s interests and values.

How has the nation’s approach to improving the security and resilience of critical infrastructure entities changed in order to protect Australia’s economy and national security?

Over the past few years, the Australian Government has increasingly sought to achieve cyber uplift across the economy through a range of mechanisms, including policy and regulation. We welcome the Australian Government’s efforts to partner and consult with industry in developing many of these policies and regulations. We look forward to continuing this partnership into the future. Ongoing collaboration with industry can help to ensure that the Australian Government’s priorities and activities remain in line with the private sector.

Given that it’s frequently overlooked, what role does cybersecurity play in the mergers and acquisitions process? (In reference to Telstra’s cyber security sweep following its recent acquisition of Digicel)

Today almost all companies can be seen as technology companies – highly interconnected and dependent on technology for their core operations, services and brand. So when it comes to mergers and acquisitions, it is important to understand the cyber security posture of any company you are looking to acquire – including whether there is a malicious actor sitting dormant on the network. Despite this, less than 10% of deals globally include cyber security due diligence. Cyber due diligence can ensure that a range of cyber issues, costs and operational risks are surfaced before investing in a business. In the modern digital era, it is important that organizations perform cyber due diligence as part of their mergers and acquisitions processes.