When news broke this week that Australia’s number two telecommunications carrier Optus had suffered a major data breach after a cyber security attack, it reinforced the vulnerability of the country’s critical infrastructure.
Optus operates in one of the most technically sophisticated sectors covered by critical infrastructure laws. Other sectors such as transport, or food and grocery, while technically well equipped, lag behind the IT&T sector. Today's news will have given them pause.
Media reports suggested that the records of as many as 2.8 million customers were exposed during the attack, although Optus, which was still investigating the extent of the breach this afternoon, had not officially commented on the numbers.
At a press conference on Friday morning, CEO Kelly Bayer Rosmarin confirmed the basic details, telling the media, “As soon as we knew, we took action to block the attack and began an immediate investigation.”
Under the new critical infrastructure laws, Optus had little choice but to front up. The legislation required mandatory reporting.
Passed earlier this year, the Security Legislative Amendment (Critical Infrastructure Protection) Bill follows the passage of the first half of the government’s critical infrastructure legislation, which passed “swiftly” last November.
The bill requires critical infrastructure owners and operators to have an industry-designed risk management program which, where possible, builds on existing regulatory frameworks.
A wide set of industries is covered under the legislation, including:
- Communications
- Financial services and markets
- Data storage or processing
- Defence industry
- Higher education and research
- Energy
- Food and grocery
- Health care and medical
- Space technology
- Transport
- Water and sewerage
The government argues the legislation is necessary because, “national security, economy and general wellbeing can be negatively impacted if any of our critical infrastructure is damaged and unavailable, owing to, for example, a natural disaster, terrorist attack or interference from a foreign actor.”
Over the next five weeks, iTnews will interview 10 information technology and information security leaders from Australia’s critical infrastructure community about their approaches to securing their systems, networks and data, and how the new regulatory regime for critical infrastructure impacts how they work.
This inaugural iTnews Executive Insights program will culminate in a round table discussion featuring CIOs and CTOs discussing the issues raised by the executives in our interview series.