In late 2021, the Australian Government passed the Security Legislation Amendment (Critical Infrastructure) Bill 2021.
In their article ‘An overview of the Critical Infrastructure Bill’, BDO said: “The program intends to increase resilience across critical infrastructure assets, address vulnerabilities across physical, cyber, supply chain, and personnel domains, provide a wholesale uplift in critical infrastructure security, and reassure the Government that critical infrastructure assets are appropriately safeguarded against all risks.”
The Critical Infrastructure Bill was followed by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, which came into effect on 2 April 2022.
Between them, these new pieces of legislation raise the bar on security obligations and seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets.
The Australian Government says that “These reforms will give Australians reassurance that our essential services are resilient and protected.”
Our critical infrastructure sector is under serious attack
The Australian Government has solid grounds for making changes, and few would dispute the need for more exacting legislation.
Over the 2020–21 financial year, the ACSC (Australian Cyber Security Centre) received more than 67,500 cybercrime reports. This was an increase of nearly 13% over the previous financial year and equated to a cyberattack reported every eight minutes, compared with every ten minutes the year prior.
Worryingly, ACSC reported that approximately 25% of these reported cyber incidents were associated with Australia’s critical infrastructure or essential services, saying that “significant targeting, both domestically and globally, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life.”
And given that ACSC (alongside the equivalent bodies in the US, UK, Canada, and New Zealand) also issued official warnings about Russian state-sponsored and criminal cyber threats to critical infrastructure in April 2022, these legislative changes couldn’t have been more timely.
Protecting what Australia runs on
Unless you opt to live entirely off the grid, Critical Infrastructure makes your (and everyone else’s) world go around.
In their Critical Infrastructure Resilience Strategy, the Australian Government defines critical infrastructure (CI) as ‘those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.’
In short, CI includes all the things that make our everyday lives, society, and businesses run smoothly and safely, including:
- Electricity, gas, water and maritime ports sectors
- Financial services and markets
- Data storage and processing
- Defence industry
- Higher education and research
- Food and grocery
- Health care and medical
- Space technology
- Water and sewerage
Why the Australian Government is driving cyber resilience and data sovereignty
The CI Bill seeks not only to protect but also, in case of a cyberattack (now a certainty, not a possibility), to enable rapid recovery through the cyber resiliency of both CI organisations and the data centre and cloud service providers they depend on.
As a reminder, cyber resiliency refers to an organisation’s ability to ready itself for, respond to, and recover from a cyberattack – and in the case of CI – without missing a beat. When cyber resilient, the owners and operators of critical infrastructure assets are better equipped to defend their organisations from attack, limit the impact on their systems and data, and, most importantly for the rest of the country, continue to work during and after an attack. So, healthcare is delivered, power is on, personal data is safe, bank transactions continue, and there’s food on supermarket shelves due to an uninterrupted supply chain.
Then, there’s data sovereignty. This is the concept of making data subject to the laws and governance of the geographic location where the data is collected and processed – and is regarded as central to data privacy and data security.
In early June 2021, in recognition of the emerging risks to the sovereignty of data held in Australian Government data centres, the Government announced that all relevant government data under their Digital Transformation Agency (DTA) hosting certification framework needed to be stored only in either Certified Assured or Certified Strategic data centres.
What else is on the Government’s horizon to safeguard our way of life?
The Australian Government’s Digital Government Strategy (DGS) outlines its vision to be a leading digital government. And its whole-of-government Hosting Strategy (developed to ensure that government data and digital infrastructure enable the DGS) provides a defined approach to hosting arrangements that meet the needs of Australian Government agencies as they deliver the DGS.
While that sounds convoluted, it simply means that they are ensuring a hosting strategy that supports their vision for 2025, one that addresses the risks to data sovereignty, data centre ownership and the supply chain. The scope of the hosting strategy comprises data centre facilities, infrastructure, data storage and transmission.
As part of the work done on DGS, the government plans to establish a new Digital Infrastructure Service. One of its primary tasks will be to reduce the risks already mentioned by certifying facilities suitable for placing government data up to the PROTECTED classification.
Strategic protection, guaranteed
In September 2021, iseek (in partnership with Canberra-based high-security cloud specialist Vault Cloud) introduced Queensland’s first locally hosted PROTECTED Cloud service. Historically, Queensland organisations have needed to source their PROTECTED Cloud services from providers hosted outside the State, so this was a ground-breaking achievement.
The iseek-Vault partnership’s PROTECTED Cloud was IRAP-assessed and met all the relevant security controls of the Australian Government Information Security Manual (ISM), ranging from the thickness and sturdiness of doors to how data is managed and encrypted on disks. It complied with the rigorous standards required by government agencies and other enterprises with highly sensitive data — such as defence, aviation, banking, mining, healthcare, aged care and various other sectors — as they looked to expand critical digital infrastructure in response to demand driven by the COVID-19 pandemic.
And now, iseek’s LDR2 Data Centre facility has been certified STRATEGIC by the DTA.
The ‘Certified Strategic’ designation is the highest level of data centre assurance attainable under the DTA’s Hosting Certification Framework and offers the most secure storage solutions for government-held data. The Framework strengthens the controls in place for hosting providers by increasing security provisions to protect privacy and improve the resilience of data infrastructure. Under the Framework, all high-value government data, whole-of-Government systems and systems rated at the classification level of PROTECTED should be hosted using a certified service provider.
And the ‘Strategic’ certification is hard won – it’s only available to data centre providers that satisfy key Government requirements and undertakings. Our locally hosted Strategic-rated facility offers a more secure, sovereign cloud service that enables classified, critical and sensitive data to be held closer to our clients and end users across the State. It supports innovation with a high-performance, hyperscale open stack Cloud, and of course, it’s hosted locally to ensure data sovereignty and backed by our Australian-based support team.
And while it’s been hard and investment-heavy work meeting the Strategic Certification requirements, we know that we’re playing our part in keeping Australia’s critical infrastructure running through thick and thin.