The Australian Government’s recent decision to expand coverage of the Security of Critical Infrastructure (SOCI) Act 2018 has profound ramifications for the country’s business community. To improve the security and resilience of critical infrastructure, the updated Act imposes obligations on entities in a range of industries: electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology and defence industry.
To comply with the updated SOCI Act, businesses in these industries need to understand what data they hold and how they manage it. Directors and companies also need to meet more stringent requirements for reporting incidents, graded by their severity, to the government.
The consequences of failing to address the security requirements associated with critical infrastructure are potentially severe. The Australian Government can now, through the Australian Signals Directorate (ASD), step in to effectively run businesses covered under the SOCI Act 2018 in the event of a serious compromise that impacts critical infrastructure or systems of national significance if the companies themselves are unwilling or incapable of mitigating an event.
No other government worldwide has given itself that ability.
Directors need to understand that the critical infrastructure companies they are responsible for may have to report more, and different, information to different regulators than before, and may have to operate to different standards than before. Furthermore, it is in their interests to grasp what the Australian Government considers best practice so they can ensure their business makes the required changes to existing processes and technologies. If an incident does occur, they can then demonstrate compliance with best practice to avoid intervention.
Many of these best practices are encapsulated in the ASD Essential Eight, a series of mitigation strategies designed to impede adversaries’ attempts to compromise systems. These strategies range from ensuring key data is understood and protected to implementing application whitelisting to prevent malicious or unwanted applications from running in an environment.
The Australian Government also applies a series of risk mitigation strategies, including understanding the entities that own and control companies that run data centres and cloud platforms that provide services to its departments, agencies and other organisations. That assessment is undertaken by the Digital Transformation Agency through a hosting certification framework.
Government agencies, and critical infrastructure businesses, may align with these requirements by working with an Australian-owned company, or a company from a ‘Five Eyes’ partner, whose directors have secured the required clearances.
The other dimension agencies and critical infrastructure businesses need to address is capability. The Australian Cyber Security Centre applies a cloud authorisation assessment framework that incorporates a range of requirements, from Information Security Manual (ISM) controls, through Infosec Registered Assessors Program (IRAP) assessment, to continuous monitoring.
For critical infrastructure businesses looking to minimise risk to help comply with the updated Act, or simply to apply more rigorous protection to key systems and data, AUCloud, a sovereign cloud Infrastructure as a Service provider, is certified Strategic, the highest level of ownership and control certification available. The provider also delivers services to Protected level, the highest security level available beneath those required for defence and national intelligence.
With AUCloud, businesses in tier 2 and lower industries, such as banking, utilities and retail, can address short- and long-term deficiencies in Essential Eight compliance. For example, they may use AUCloud to back up data to a different provider or environment than their primary cloud or data centre, achieving a ‘quick win’. Over the longer term, they may choose to work with AUCloud to deliver a sustained uplift in their cyber-security maturity.
As a sovereign cloud provider, AUCloud’s ownership and operational position ensures that no data (including monitoring and metadata as well as sensitive customer and corporate data) leaves Australia, and that only security-cleared personnel living in the country manage that data. This mitigates potential risks around international data transit and foreign government access to data held by providers headquartered outside Australia.
Critical infrastructure data compromise has potentially severe consequences for Australia. It can stop essential services such as gas, electricity, healthcare and transport from operating, imposing massive immediate consequences and causing severe long-term damage to the country’s economy, national security and indeed its national sovereignty. Turning to a sovereign cloud in Australia can help businesses address the gaps in compliance with the updated SOCI legislation and help protect the nation’s critical infrastructure at a time of extensive geopolitical disruption.