{"id":82386,"date":"2023-09-20T10:00:25","date_gmt":"2023-09-20T00:00:25","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=82386"},"modified":"2023-09-20T07:15:45","modified_gmt":"2023-09-19T21:15:45","slug":"critical-infrastructure-national-security-and-business-continuity","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/critical-infrastructure-national-security-and-business-continuity\/","title":{"rendered":"Critical infrastructure, national security and business continuity"},"content":{"rendered":"
Security weaknesses and cyber \u2018doors left open\u2019, employees turned rogue, and hackers demanding ransom, all demonstrate dramatically the need for strong critical infrastructure risk management.<\/p>\n

Examples of how vulnerabilities will be exploited were highlighted in August when ASPI and Providence Consulting Group hosted a workshop with around 30 senior executives from nine critical infrastructure sectors<\/a>. The workshop was also attended by senior executive officers from the Departments of Home Affairs, Infrastructure, Transport, Regional Development, Communication and the Arts, and the Australian Security Intelligence Organisation and Australian Institute of Company Directors.<\/p>\n

It covered the Security of Critical Infrastructure Act 2018 (SOCI Act),<\/em><\/a> obligations of critical infrastructure boards and strategies for developing cost-effective critical infrastructure risk management programs (CIRMPs) in the current threat environment. CIRMPs provide assurance to regulators that the entity is taking steps to manage material risks posed by hazards to the critical infrastructure asset. The risks fall across five key hazard vectors: cyber and information, personnel, physical, natural and supply chain.<\/p>\n

The workshop\u2019s timing marked the initiation of the countdown towards the September 2024 deadline for owners and operators of critical infrastructure assets in Australia to report to the Department of Home Affairs or other Commonwealth regulator on the effectiveness and maturity of their risk mitigations as set out in their CIRMP. The annual CIRMP report must be approved by the entity\u2019s board, council, or other governing body.<\/p>\n

What does the SOCI Act mean for national security? The threats not only endanger critical infrastructure but also have far-reaching implications for national security. They can compromise the integrity, availability, and continuity of essential services, potentially impacting the safety and wellbeing of the nation. They also present significant risks to Australia\u2019s ability to defend itself.<\/p>\n

Some entities have well-established security programs and experience in managing risks while others, including newly classified SOCI entities, may be new to this formal process. However, all entities are dedicated to resilience and business continuity. The key question isn\u2019t just about the cost of achieving CIRMP compliance, which can be significant for some, but rather the potential consequences of not being adequately prepared or compliant.<\/p>\n

Examples illustrate challenges encountered by SOCI entities, some of which may have had well-established risk management, security, or business continuity strategies in operation that did not protect them.<\/p>\n

In September 2022<\/a>, an unknown threat source breached Optus\u2019 security measures by taking advantage of an Application Programming Interface (API) that had no security measures surrounding it. Nor did it have access control policies. This situation provided an obstacle-free entryway into the company\u2019s systems. To prevent that happening, Optus should have routinely assessed its systems and addressed critical vulnerabilities.<\/p>\n

Stolen data, reportedly involving up to 11 million individuals, included customer names, email addresses, postal addresses, phone numbers, dates of birth, and for a portion of the affected customers, identification numbers including passport numbers, driver\u2019s licence numbers and Medicare numbers.<\/p>\n

Whilst Optus did not pay the $1.5 million ransom, the breach resulted in its parent company, Singtel, setting aside $140 million<\/a> for customer remediation. Further, Optus faced significant costs (reportedly up to $2 billion<\/a>) in investigating the incident, upgrading security systems, legal fees and compensation. The harm to the company\u2019s reputation is incalculable.<\/p>\n

The first example demonstrates the impact on supply lines. In 2021, a cyberattack on the 8,850km United States East Coast Colonial Pipeline, which carries gasoline and jet fuel, forced its closure for almost a week. The shutdown reduced the short-term availability of fuel and forced up prices. With no ways to distribute the fuel, refiners had to reduce production. That triggered consumer \u2018panic buying\u2019 which exacerbated shortages and drove up costs further.<\/p>\n

Within two hours of the attack, over 100GB of data was stolen. Colonial paid the hackers nearly $5 million in ransom for a decryption key. That reportedly pushed up Bitcoin ransom payments by 311% compared to 2019 to around $350 million<\/a>.<\/p>\n

The attack underscored the importance of keeping up with evolving malware and fortifying the last line of defence. Inadequate protection and neglect of system updates can lead to compromises. It also emphasizes the need to safeguard not only critical fuel assets but also related services.<\/p>\n

The need for thorough and ongoing vetting of personnel was illustrated by the situation in which Connected Solutions Group (CSG), a company with significant NT Government contracts, found itself in 2008, when former employee David Anthony McIntosh, a computer engineer, disrupted government services<\/a> at Berrimah Prison, Royal Darwin Hospital, and the Supreme Court. McIntosh also deleted over 10,000 public servants\u2019 records using a former coworker\u2019s laptop and password. This disruption lasted five days, causing chaos at courts and hospitals and leading to prisoners at Berrimah jail being discharged without their belongings. Restoring the system required 130 experts and took five days and $1.25 million.<\/p>\n

McIntosh, who received a three-year jail sentence, claimed to have a \u2018high-level clearance\u2019 for maintaining the government\u2019s entire IT system. This case illustrates the importance of initial and ongoing suitability assessments and staying vigilant about potential threats from current and former employees with access to critical data. Limited availability of ICT personnel in certain settings raises risks associated with rehiring convicted cyber felons.<\/p>\n

The intervention of natural hazards was demonstrated during the 2020 NSW south coast bushfires when the region\u2019s main broadcast transmitter used by the ABC melted, causing widespread devastation and communication issues. Repairing the equipment took months and cost between $1.5 million and $2 million. The ABC\u2019s managing director emphasized the importance of AM radio technology and the need for backup generators during disasters. Analysts have been adamant that it is crucial that future infrastructure is as resilient as possible as broadcast towers remain the weakest link during emergency broadcasts.<\/p>\n

These case studies shed light on the challenges faced by SOCI entities, even those with established risk management, security, or business continuity strategies in place. They highlight that no entity is immune to vulnerability, emphasising the importance of vigilance and preparedness in safeguarding critical infrastructure and, by extension, national security. The continual growth and enhancement of enterprise security maturity and achieving compliance with the SOCI Act will be a critical step in ensuring national security.<\/p>\n

","protected":false},"author":1779,"yoast_head_json":{"title":"Critical infrastructure, national security and business continuity | The Strategist","author":"Raelene Lockhorst","article_published_time":"2023-09-20T00:00:25+00:00","article_modified_time":"2023-09-19T21:15:45+00:00"}}