Skip to content Skip to footer

Loading Results

Defending Australia’s critical infrastructure

As the cyber threat faced by critical infrastructure operators rapidly evolves and increases, and as the Government’s expectations expand, critical infrastructure providers in Australia have an opportunity to lead the world in how they are putting resilience at the heart of their operations.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced to better secure the industries that are essential to our national interest – and our Australian way of life.

Introducing the Security Legislation Amendment (Critical Infrastructure) Bill 2020

The Security Legislation Amendment (Critical Infrastructure) Bill is an important marker for Australian businesses highlighting that the economy is changing and CEOs need to take action now to protect businesses and the economy against cyber threats and disruption. 

The Bill will give effect to an “enhanced regulatory framework” for critical infrastructure and systems of national significance, building on the Security of Critical Infrastructure Act (SOCI) passed back in 2018.

The legislation includes “enhanced cyber security obligations” for operators of systems of national significance that could see companies directed to undertake certain defensive activities such as developing cyber security incident response plans, cyber security exercises, and vulnerability assessments.

If an organisation is unwilling or unable to take responsible steps to resolve the cyber security incident, the legislation allows the government to step in.

The extension of the broad-ranging Bill to include a much wider range of industries creates much needed incentives to make sure that as we push ahead with recovery, we do so while putting in place the defences needed to protect ourselves from potentially devastating attacks. 

It is expected that the government will begin nominating organisations as critical infrastructure or systems of national significance this year. PwC continues to advise government on the implementation of these reforms to drive clarity around  expectations and responsibilities being placed on critical infrastructure operators, and we continue to  work with the operators themselves to strengthen their cyber resilience in the face of growing threats.

Why the threat to critical infrastructure is rising

56% of cyber and business execs say state sponsored attacks on critical infrastructure are likely

PwC’s Digital Trust Insights

The shift in the nature of the cyber threat faced by critical infrastructure is two-pronged. 

Beyond Australia’s borders, conventional forms of competition between nation states are taking on a new and worrying shape. Efforts to undermine adversaries via attacks on critical infrastructure represent a far less costly and more deniable way to wreak havoc than through traditional warfare.

Within critical infrastructure organisations, technological innovation has accelerated faster than our ability to secure it, introducing significant risks and vulnerabilities even as it brings greater efficiencies and productivity.

Legacy operational technology (OT) systems, such as Industrial Control Systems (ICS), are becoming closely integrated with corporate IT systems. This increases their appeal as high value targets for cyber attackers looking for insecure entry points into critical infrastructure.

Human safety in the IT / OT Threat Nexus

In 2017, one of world’s largest integrated refinery and petrochemical projects located in Saudi Arabia suffered an attack of the likes never seen before. A piece of malware, since dubbed "Triton" (often referred to as "Trisis") was discovered that could take over the plant's safety instrumented systems. These systems are designed to protect OT environments from potentially life-threatening situations. In other words, this was the first type of cyber attack discovered in OT systems that was deliberately intended to harm human life.

The attack originated from the company's corporate IT network, highlighting the importance of managing cyber risk holistically across IT and OT environments. Triton is a stark reminder of the challenges in defending critical infrastructure against increasingly sophisticated cyber adversaries in today's digital age.

Norsk Hydro: a harbinger of things to come

A ransomware attack in 2019 on Norsk Hydro, a Norwegian aluminium producer, was a harbinger of the kinds of threats that businesses and governments alike are now facing. The cyber attack stopped production lines across 170 countries and locked thousands of servers and PCs, ultimately costing the business close to $71 million.

As seen in the 2019 with Mexican oil giant, Pemex, the stakes involved in cyberattacks are becoming even greater for critical infrastructure providers today, moving beyond simple attacks and demands for small payments in return for decrypted files to threats that infrastructure such as oil refineries will be crippled if ransoms are not paid.

Building cyber resilience in critical infrastructure

As cyber threats become more sophisticated and increasingly target operators of critical infrastructure, industries and organisations must urgently assess and uplift their cyber resilience.

Read more

critical infrastructure resilience report

A critically important problem that we are committed to solve

For a firm whose purpose is to build trust in society and solve important problems, ensuring the critical services Australians rely on every day remain available, secure and stable is among the most fundamental. 

PwC works with partners to understand their specific threats and valued assets. We develop tailored recommendations on how to strengthen resilience and increase readiness to comply with obligations under the legislation. 

This is possible because our team includes both deep technical experts and specialists in specific industries who ensure that security recommendations align with broader business needs and take account of sector specific nuances. 

Our teams effectively enable resilience by connecting the dots within organisations, getting buy-in and collaboration between IT teams, engineering teams, and the boardroom, and speaking the right language to the right people.

Contact us

Robert Di Pietro

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 418 533 346

Mike Younger

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 490 093 981

Zoe Thompson

Senior Manager, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 472 675 510

Follow PwC Australia