A 12-hour reporting requirement for all security attacks on organisations responsible for assets defined as critical under the critical infrastructure bill came into force on Friday.
Companies operating 22 assets within 11 sectors must report to the Australian Cyber Security Centre, a branch of the Australian Signals Directorate, or face fines beginning at $11,100.
A three-month grace period, which started when the second half of the two-part bill gained royal assent in April this year, has expired.
Only critical incidents, such as unauthorised access or a ransomware lock, must be reported within 12 hours. A less significant incident can be reported over the phone within 72 hours and followed by a written report within 48 hours.
A less significant incident may be an impact on a critical asset’s availability, integrity, reliability or confidentiality that does not threaten to significantly alter or take down the asset in the immediate future. For example, an individual’s personal details being exposed would fall under this category.
“If you detect a cyber security incident at or beyond the exploitation phase of malicious activity – irrespective of any prevention or mitigation action taken – you are required to submit a report,” the Home Affairs reporting manual reads.
“The exploitation phase represents the phase at which the availability, confidentiality and integrity of networks and network data has or could be impacted. This is also the phase where organisations will typically commence incident response processes.”
Critical assets whose operators are now required to report security incidents include broadcasting, domain name system, data storage or processing, banking, superannuation, insurance, financial market infrastructure, food and grocery, hospital, education, freight infrastructure, freight services, public transport, liquid fuel, energy market operator, aviation, ports, electricity, gas and water.
When a threat or attack on a critical infrastructure operator passes the relevant thresholds, the Australian Signals Directorate can use intervention powers, such as installing software that reports system information back to the agency.
Cytrack Intelligence managing director Nick Milan told CRN last week that he expected the new obligations to significantly alter the relationship between IT partners and their clients within the channel.
“The sophisticated IT reseller will increasingly be able to advise customers on their IT security exposures from a risk management perspective and use best practice frameworks.”
“Engaging with the customer will elevate to discussing aspects such as their risk appetite and the appropriate calibration of systems to mitigate those risks in line with the business appetite… The harsh reality of underestimating risk, or failing to mitigate against it adequately, can have substantial financial and reputational consequences for both the reseller and the customer.”
Last month, the Australian National Audit Office found that the Department of Home Affairs' enforcement of the critical infrastructure bill was only “partly effective”, and several managed security services providers agreed that the regulator needed to up its game.