Newsflash Edition 18: October - December 2024
Read all about what has been happening in the CISC!

From the Cyber and Infrastructure Security Centre

Welcome to the last edition of the CISC Newsflash for 2024!

The final sprint to the end of the year has been a busy one for the CISC. We hosted Critical Infrastructure Security Month (CISM), wrapped up the Critical Infrastructure Security Excellence Workshop series, launched season two of our Critical Conversations podcast, released new guidance material and much more! Catch up on all of it below.

Critical Infrastructure Security Month 2024

Held every year in November, Critical Infrastructure Security Month, more commonly known as CISM, is a national month of action dedicated to boosting the security and resilience of critical infrastructure across Australia.

To highlight how we all rely on critical infrastructure and have the responsibility to protect it, the theme for 2024 was ‘Critical Infrastructure Risk Management: A Shared Responsibility’.

The risks and threats to Australia’s critical infrastructure are constantly changing, and we must be prepared to respond. Critical infrastructure security doesn’t end with CISM. We all have a shared responsibility for critical infrastructure risk management, all year round.

Thank you for joining us as we marked Australia’s second CISM. Look back at some of the key events, guidance material published and collaboration that took place during CISM.

Critical Infrastructure Security Excellence Workshops Wrap-up

Our Critical Infrastructure Security Excellence Workshop series concluded in November in Sydney.

Pictured: DP World’s Blake Tierney and Steve Carroll during their lessons learnt presentation.

We held workshops in Adelaide, Darwin, Melbourne, Perth, Canberra, Hobart, Brisbane and finished in Sydney. In each workshop, we heard from industry, academia and all levels of government on the importance of working collaboratively to understand the risk environment and how to collectively uplift the security and resilience of Australia – for the shared benefit of all Australians. Watch the lookback of our Melbourne workshop!

Critical Conversations take place in season two

We kicked off season two of our Critical Conversations podcast!

In episode one, listen as First Assistant Secretary Sally Pfeiffer of the Critical Infrastructure Partnerships and Policy Division sits down with Dawn Cappelli, CISSP from Dragos, Inc.

They cover the business challenges associated with OT cyber security and the national level implications in the opening episode of season two of Critical Conversations.

In episode two, Rosemary Sinclair AM, the departing CEO of auDA - .au Domain Administration Ltd., and Deputy Secretary Hamish Hansford discuss effective approaches to uplifting critical infrastructure and the importance of the .au domain name system.

Subscribe to be the first to know when we release episodes. Access all seasons here.

Pictured: First Assistant Secretary, Sally Pfeiffer, Critical Infrastructure Partnerships and Policy & Dawn Cappelli from Dragos

Guidance material published

We published the second edition of the Critical Infrastructure Annual Risk Review, which outlines the emerging and persistent risks to Australia’s critical infrastructure throughout the last 12 months. The latest Annual Risk Review examines all-hazards affecting our national critical infrastructure, including from persistent and frequent cyber incidents, instability in global supply chains, ongoing workplace skills shortages and disruption from severe weather events. Access the 2024 Critical Infrastructure Annual Risk Review.

We have developed guidance material for the Vulnerability Assessment Enhanced Cyber Security Obligation (ECSO) for Systems of National Significance (SoNS). Even if you’re not a SoNS, you will find the guidance material useful. This guidance material joins the Incident Response Planning and Cyber Security Exercise guidance materials that were released earlier in the year.

Read the Vulnerability Assessment guidance here.

Read the Incident Response Planning guidance here.

Read the Cyber Security Exercise guidance here.

We’ve also released a new factsheet on positioning, navigation and timing (PNT) services. Australia’s critical infrastructure increasingly relies on the delivery of PNT services, which are largely delivered from space. While space-based PNT services are ubiquitous, inexpensive and effective, they are vulnerable to intentional and unintentional interference, which expose organisations to risks from denial, disruption or degradation to service. Access the factsheet to learn more.

Cyber Security Legislative Package

On 29 November, the Cyber Security Legislative Package received Royal Assent, which means that parts of the Cyber Security Act 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024, and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act) are now law and will implement certain measures proposed by the 2023-2030 Australian Cyber Security Strategy. Schedules 1, 2, 3, 4 and 6 of the ERP Bill are expected to commence by proclamation on 20 December 2024. We have released a factsheet for each one of these Schedules to provide information on new measures; find them below:

  • Schedule 1 – Data storage systems that hold business critical data
  • Schedule 2 – Managing consequences of impacts of incidents on critical infrastructure assets
  • Schedule 3 – Use and disclosure of protected information
  • Schedule 4 – Direction to vary critical infrastructure risk management program
  • Schedule 5 – Security regulation for critical telecommunication assets
  • Schedule 6 – Notification of declaration of Systems of National Significance.

The Department is committed to working closely with industry to develop the associated Rules and implement these legislative changes, and we invite you to participate in continued industry consultation to support the security and uplift of Australia’s critical infrastructure.

Read the Cyber Security Legislative Package news article for more information.

Cyber Security Awareness Month!

This October we marked Cyber Security Awareness Month! The theme for 2024 was 'cyber security is everyone’s business', but we encourage you to prioritise cyber security all year round by taking these actions:

  • Enable multi-factor authentication
  • Install software updates whenever available
  • Use strong & unique passphrases
  • Recognise & report phishing

Improve your cyber security today!

The first MoU for SOCI

In an important step to strengthen the security of critical infrastructure, the Department of Home Affairs (the Department) and the Reserve Bank of Australia (RBA) have co-signed a Memorandum of Understanding (MoU). This MoU formalises collaboration between the Department and the RBA for regulating entities who have obligations under the Security of Critical Infrastructure (SOCI) Act 2018. The MoU marks a significant step in the journey to increase the resilience of critical infrastructure for Critical Payment System Assets. The MoU has been designed to promote transparency, prevent unnecessary duplication of effort, and to minimise regulatory burden on responsible entities for Critical Payment System Assets. We released a news article with more information.

Expansion of Australia’s most vital critical infrastructure assets

A further 46 critical infrastructure assets have been declared as SoNS. SoNS are infrastructure assets that are most crucial to the nation, by virtue of their interdependencies across sectors and potential for cascading consequences to other critical infrastructure assets and sectors if disrupted. By declaring an asset as a SoNS, the Australian Government can apply a robust set of enhanced cyber security obligations on owners and operators to uplift cyber resilience to better protect Australians.

SOCI compliance results shared in town hall

The 2023-24 financial year was the first mandatory reporting cycle for the Critical Infrastructure Risk Management Program. Responsible entities were required to submit an annual report by 28th September 2024.

We held a town hall during CISM to discuss the breakdown of annual report submissions, insights into the nature of the significant impact reports, cyber security frameworks and lessons learned through the annual reporting process. In addition, we also provided the results of the trial compliance audits conducted earlier this year and discussed the next phase in our regulatory work including the commencement of a formal audit program in November 2024. Watch the recording if you missed it or need a recap.

Collaborating through CIAC

The Critical Infrastructure Advisory Council (CIAC) met during CISM to advance Australia’s critical infrastructure security and resilience agenda.

CIAC provides leadership and strategic direction for the Trusted Information Sharing Network (TISN) on matters of critical infrastructure resilience.

CIAC is comprised of TISN Sector Group chairs (industry representatives), along with Commonwealth, state and territory government representatives. Learn more about CIAC and TISN and how your sector can get involved.

Pictured: Deputy Secretary and CIAC co-chair, Hamish Hansford, Cyber and Infrastructure Security & CIAC co-chair, Nerrida Graham, Manager Crisis and Organisational Resilience at Energy Queensland

Happy holidays

The CISC social media accounts will be taking a short break over the holiday period, returning January 2025.

For those critical infrastructure owners and operators who are working hard over the festive season to keep us connected to our loved ones, to get our presents delivered on time and to keep us cool in the heat and other critical and essential services running, we say thank you!

If you are interested in collaborating with industry, consider joining the TISN. You can do this by emailing [email protected].

To stay up to date with the latest news and advice, follow us on X, Instagram and LinkedIn.
