Sunday, December 22, 2024

Australia’s CISC provides guidance on vulnerability assessments for critical infrastructure installations


Australia’s Cyber and Infrastructure Security Centre (CISC) released guidance on the Vulnerability Assessment Enhanced Cyber Security Obligation (ECSO) for Systems of National Significance (SoNS) on Tuesday. These systems are Australia’s most crucial infrastructure assets. Under the Security of Critical Infrastructure (SOCI) Act, SoNS must adhere to ECSOs, ensuring they have robust, tested plans to counter and reduce the impact of cyber-attacks.

Over time, the ECSOs will support the sharing of near real-time threat information to provide industry and government with a more mature understanding of emerging cyber security threats and the capability to reduce the risks of a significant cyber-attack. In addition to the ECSOs, a SoNS remains subject to all obligations that applied to that critical infrastructure asset under the SOCI Act before it was declared a SoNS.

Vulnerability assessments are integral to the security of a SoNS. They can help entities identify where further resources and capabilities are required to improve their preparedness for, and resilience to, cyber incidents. For example, a vulnerability assessment may inform recommendations on how to improve the responsible entity’s incident response plan and future cyber security exercises. They can also assist the government in understanding whether cyber security advice or assistance can be provided to strengthen the security of SoNS and identify patterns of weakness across sectors and assets that could be exploited by malicious actors. 

Also, all critical infrastructure entities, particularly those responsible for SoNS, should be conducting regular scans and testing for vulnerabilities in their systems and mitigating identified risks, in addition to regularly reviewing and actioning the Australian Signals Directorate’s (ASD) alerts and advisories.

The CISC guidance identified that the department’s initial approach to the Vulnerability Assessment ECSO is focused on responding to the most critical threats and risks to SoNS. This will include potential or known vulnerabilities in information and operational technology systems that, if exploited, could have serious consequences for the availability, integrity, and reliability of the SoNS or the confidentiality of its information.

To achieve this, the department may apply this obligation in response to intelligence, such as an ASD critical alert or information from other partners in relation to a known or suspected threat, vulnerability, or incident that represents a significant risk to Australia’s critical infrastructure.

When applying the Vulnerability Assessment ECSO, the Department will: apply the obligation only on rare and exceptional occasions, where the exploitation of a known or potential vulnerability could lead to a serious cyber security incident and there is information to suggest Australia’s critical infrastructure could be targeted and/or significantly impacted; undertake consultation with responsible entities and relevant Commonwealth regulators, noting that the consultation period may be short and/or verbal and may include briefings from security agencies; where possible, include supporting information at the ‘Official’ or ‘Official: Sensitive’ levels to support the entity’s understanding of a known or potential vulnerability; not prescribe, but may recommend, the type of vulnerability assessment or how it must be undertaken; not prescribe, but may recommend, remedial or mitigation measures; and not prescribe a specific template for the vulnerability assessment report.

There are currently no requirements specified in SOCI rules regarding the type or manner in which a vulnerability assessment must be undertaken. As the purpose of this obligation is to assist entities in identifying any gaps or weaknesses in their systems that may lead to the SoNS being subject to a cyber security incident, the department will provide as much information as possible to support the entity’s understanding of the known or potential vulnerabilities. While entities will be able to determine the type and format of vulnerability assessment they undertake, entities should ensure it is reasonable based on the circumstances and information provided. 

The Department acknowledges that many SoNS entities embed a program of regular vulnerability management and scanning of their critical systems. The Department will not seek to apply this obligation where it is not required. During the consultation period, responsible entities will be able to provide evidence that they have already undertaken a vulnerability assessment that would meet the Vulnerability Assessment ECSO should it be applied, or that the vulnerability does not apply to their SoNS assets (for example, if an organization does not use particular software that is subject to the vulnerability). 

Entities will also be consulted on the proposed time frames in which the vulnerability assessment should be undertaken and will have an opportunity to provide feedback on the practicality and feasibility of such timeframes.

The guidance lays down that a report must be provided to the Secretary after the completion of a vulnerability assessment. Entities should provide their vulnerability assessment report and any supporting documents via the Department’s secure upload portal. The purpose of the report is to provide an evaluation of the potential weaknesses or gaps in assets that are of the highest criticality to Australia’s national interests. Vulnerability assessment reports will also provide the government with broader visibility of vulnerabilities and risks across the industry to cyber threats.

The vulnerability assessment report must be a written document that assesses the vulnerability of the system to the type or types of cyber security incidents listed in the notice. The Department has not prescribed a specific template or any other requirements relating to the vulnerability assessment report. 

However, to assist in completing the report, the CISC recommends including a high-level summary of the vulnerability to the types of cyber security incidents that were tested for, the parts of the network assessed, any vulnerabilities discovered, the criticality of any vulnerabilities discovered, and a traffic-light assessment of the difficulty/cost of mitigating the vulnerability; testing methodologies and a detailed explanation of the results of the vulnerability assessment; and recommendations and remedial actions that have or will be implemented to address any vulnerabilities discovered.

The Vulnerability Assessment ECSO also enables the Secretary to request that a vulnerability assessment be undertaken by a designated officer. This could occur if the Secretary has reasonable grounds to believe that the responsible entity is incapable of complying with the vulnerability assessment notice or has not complied with a previous vulnerability assessment notice. ‘Incapable of complying’ may mean an entity does not have the technical ability, resources, or expertise to undertake the vulnerability assessment.

Designated officers are Department of Home Affairs employees or staff members of the ASD appointed by the Secretary to be designated officers under the SOCI Act.

The department will review the vulnerability assessment report to: determine whether it meets the requirements of the Vulnerability Assessment obligation as applied to the SoNS and as set out in the written notice; understand the vulnerability assessment maturity of SoNS responsible entities within certain sectors and across the SoNS cohort as a whole; identify opportunities to support the cyber security uplift of an entity, a sector or all SoNS; determine if any rules are required to uplift the vulnerability assessment capabilities of an entity, a sector or all SoNS; and inform considerations on whether the vulnerability assessment needs to be managed by a designated officer.

Additionally, the department may share vulnerability assessment reports with the ASD which would assist the government to build a collective picture of the nature of threats against specific sectors or particular SoNS assets. 

Last month, the CISC announced the designation of 46 additional critical infrastructure assets as SoNS. The initiative is part of the Australian government’s ongoing efforts to enhance the cyber resilience of the nation’s vital infrastructure. With this latest declaration, the total number of such systems now exceeds 200, spanning sectors like energy, communications, transport, financial services, food and grocery, and data storage or processing. This collaboration between the government and businesses aims to strengthen national security.
