Share this article on:
Critical infrastructure providers have reported 47 incidents over the last nine months, according to a new government mandatory reporting scheme.
The Cyber and Infrastructure Security Centre (CISC) introduced the mandatory reporting of cyber events for 11 different areas of critical infrastructure on 1 April last year. Mandatory reporting came into full effect following a three-month grace period ending on 8 July.
In the event of a cyber incident with an impact deemed critical or relevant, providers are required to report it within a window ranging from 12 to 72 hours to submit a report.
“There’s been a steady number of mandatory cyber incident reports tabled into both the ACSC but also given to us as well, to get a true understanding of the nature of successful cyber incidents occurring on critical infrastructure,” said CISC head Hamish Hansford.
“Forty-seven reports have been provided that we say meet the criteria of the mandatory cyber incident report between the period of April 1, 2022, and December 31, 2022.”
The mandatory reporting scheme came as a result of change to security of critical infrastructure (SOCI) legislation.
Alongside the mandatory reporting, Hansford has said that SOCI implementation from government bodies is being invested in, with a variety of other programs being rolled out.
Operators of critical infrastructure will soon be required to “develop [risk management programs] that are endorsed by their board council or other governing body.”
“I think for the first time in Australia’s history, we’ll have a critical infrastructure baseline set of security obligations for all critical infrastructure providers, if there’s not otherwise already regulatory obligations in place,” said Hansford.
He also says that the CISC has been investing in communities surrounding critical infrastructure sectors, primarily those whose cyber security is of national importance, such as power networks.
“Over the last seven months, we’ve been doing a lot of work with those systems to create a community of the most highly interdependent critical infrastructure in Australia to really look at how do we do exercises, so we’ve done a number of planning exercises, including in the last couple of weeks with a major financial entity, as well as state and territory governments,” he said.
“We’ve put in place incident response planning obligations for the majority of those systems of national significance.”