The government is reportedly crafting minimum cybersecurity standards for industries that manage critical infrastructure following a highly-publicised attack warning late last week.
Citing “industry sources”, The Australian Financial Review said standards could be set “industry-by-industry”, with banks, healthcare and utilities high on the list.
The prospect of tighter regulation of cybersecurity protections and practices for critical infrastructure was also raised to iTnews by several industry sources.
Any new regulations are expected to be laid out in the government's forthcoming cyber security strategy, due to be released "in the coming months".
The mechanics of how such regulations would work, and how enforceable the standards might be, were unclear at the time of writing.
A Home Affairs spokesperson was contacted by iTnews for comment, but did not address specific questions.
"The government is continuing to develop the 2020 cyber security strategy and will consider advice from the industry advisory panel prior to finalisation," the spokesperson said.
"The 2020 cyber security strategy will build on the strong foundations established by its predecessor and will take into account the rapidly evolving cyber security landscape, including the impact of COVID-19."
The advisory panel's make-up is heavily weighted towards telecommunications, leading to some concerns about how representative it is of broader business interests.
Technical details examined
Debate over the purpose of Prime Minister Scott Morrison’s cyber security warning last Friday continued into this week, as did analysis of the indicators of compromise (IOCs) released by the Australian Cyber Security Centre (ACSC) in support of the government warning.
Though much talk has centred on attribution, Mercury Information Security Services cast doubt that a Chinese APT [advanced persistent threat] - “at the very least one from within the government” - was behind the campaign described by the ACSC.
“Whilst the ACSC report and artefacts suggest operational sophistication, the lack of technical sophistication and operational security indicate that this may have been more of a ‘hit and run’ style event that is more consistent with criminal elements,” Mercury ISS said.
“Having stated this, the absence of disruptive or destructive activities may suggest the usual criminal action of ransoming networks was not the intent, and this could be an information grab over an extended period of time, albeit from a low tier government, or a third party in support of a government.”
Security vendor Mimecast also said separately that its threat intelligence team “conducted a grid signal and trend analysis that did not reveal any of the email-related IOCs published by the ACSC.”
“Our assessment ... is that there wasn’t a specific attack campaign – but rather that the frequency of broad attacks from a particular state-based actor has increased,” it said in a statement.
“This is an acknowledgement of what we have been raising awareness about for some time.”
Long-running infrastructure focus
The government, together with the ACSC, has been warning about the threat to critical infrastructure for some time.
Last month, the ACSC issued advice to critical infrastructure providers following a jump in cyber activity that had hit corporates and government entities alike.
It urged the operators of Australia's mission-critical electricity, water and telco infrastructure to double check security controls for staff accessing control systems remotely during COVID-19.
Last year, the government ran a cybersecurity exercise with the electricity sector aimed at strengthening end-to-end security protections in the sector.
Operators of Australia's electricity, water, gas and port infrastructure must also detail their IT environments to the government under legislation passed in 2018.
Justin Hendry contributed to this report.
.jpg&h=140&w=231&c=1&s=0)
