Aussie Energy Giant Fears Losing Billions to Cyberattacks
Critical Infrastructure Firms Wary of Mandatory Ransomware Reporting Rules
Australian east coast electricity provider Ausgrid says it could lose up to US$2 billion a day if a major cybersecurity incident causes a complete shutdown of its infrastructure and disrupts people's livelihoods.
The electricity distribution company, part-owned by the New South Wales government, said even a brief but successful cyberattack on its network could have a cascading effect on the Australian economy, considering the volume of households, organizations and businesses that rely on its services at all times.
The electricity distributor supplies power and maintains and operates the electrical networks that supply millions of people in Sydney, the Central Coast and Hunter regions of New South Wales, Australia. Entities that rely on the company's services include 105 hospitals, four major universities, Australia's lone radiopharmaceuticals production facility, three major ports and 37% of Australia's financial services industry.
"This means that a cyberattack on our network, even for a few hours, would severely disrupt lives and livelihoods," said Murray Chandler, Ausgrid's head of network strategy. "In the worst possible case, the economic impact from a complete shutdown of our infrastructure may be as high as $120 million per hour or over $2.9 billion per day."
Ausgrid's alarming comments, published by the Department of Home Affairs, came in response to the Australian government's ambitious AU$587 million cybersecurity strategy that aims to make the country a "world leader in cybersecurity" by the end of this decade (see: Australia Unveils AU$587M Strategy to Defeat Cybercrime).
Through the proposed strategy, the government aims to make it easier for businesses to report and recover from cyber incidents, impose new incident reporting requirements on the telecommunications sector in line with other critical infrastructure sectors, and apply mandatory cybersecurity standards on IoT and smart device manufacturers.
Ausgrid stressed the importance of applying a mandatory cybersecurity standard across the entire smart device supply chain, including component manufacturers, compilers and product vendors. "These obligations should gradually increase to ensure continuous improvement over a defined timeline, without imposing an extensive regulatory burden," Chandler said.
But the company warned against applying a blanket cybersecurity standard to industrial smart devices, given the huge diversity of devices connected to industrial networks and their unique applications. Ausgrid said regulators must conduct a risk-based evaluation to define IIoT devices and should also make room to exempt certain devices from complying with the standard if they pass a detailed risk assessment process aligned with the Critical Infrastructure Risk Management Program.
Regulators could also grant exemptions to IIoT devices whose applications are limited to trials, stand-alone projects or isolated systems; that do not affect critical asset processes; that are cost-efficient and provide increased efficiency; or that are only needed to help the utility adopt modern technology in a timely manner, Ausgrid said.
"Ausgrid recommends a five-year time frame is sufficient for industry to adjust to new cybersecurity requirements for smart devices. This is a reasonable timeframe given the life cycle for these types of technologies and devices," it added.
Critical Infrastructure Firms Wary of Ransomware Reporting Rules
The government's proposed cybersecurity strategy also mandates a "no-fault, no liability" ransomware reporting requirement on organizations, giving businesses the opportunity to disclose significant ransomware attacks without facing the prospect of regulatory fines or prosecution.
Welcoming the move, Ausgrid said the no-fault and no-liability principles are a way forward, but the government must not impose a fixed time frame for detailed reporting of ransomware attacks, since the time needed will depend on the complexity of each attack. It recommended instead that the government require affected organizations to provide a preliminary report within 72 hours.
Australian telecommunications giant Optus, which suffered a significant cyberattack in September 2022 that compromised the personal information of up to 10 million current and former customers, severely criticized the government's move to make companies report cyberattacks during the investigation stage.
In its response to the government's proposed cybersecurity strategy, the telecommunications company said a critical infrastructure organization's first and foremost priority is to respond effectively to an incident, which is more time-critical than sharing incident information with regulators.
"Having numerous information requests from regulatory bodies while simultaneously managing the incident itself places an unnecessary and counterproductive burden on the entity," Optus said. "To use an analogy, it is akin to asking firefighters to explain their firefighting procedures and identify the cause of a blaze whilst in the middle of extinguishing a bush fire."
"Optus recommends that one legislative amendment under the strategy be a change in regulatory reporting timeframes to allow for an initial period where the entity can solely focus on the operational incident response and does not receive any formal information requests from regulatory bodies (beyond basic notification requirements).
"While each incident response time will vary, we suggest a useful time period should be at least one month," it said.
Origin Energy, a major electricity and natural gas retailer, said the government needs to provide further clarity on its ransomware reporting requirements to ensure affected organizations do not face unwarranted public scrutiny due to the exposure of sensitive data associated with a cyber event.
"The [Department of Home Affairs] should have regard to whether sensitive, commercial or confidential information can be genuinely anonymized through this process; and whether there could be unintended consequences from publishing ransomware information," Origin said. "It is not clear if the sample size for these types of events would be large enough to allow for information to be anonymized or published in such a way that the public would not be able to infer sensitive details from the reports or use the information to assign fault."
The energy company said the government also needs to provide greater clarity on the "no-liability" principle to assure organizations that they will not face prosecution for making ransom payments.
"There could be a situation whereby a payment is made to a cybercriminal from a country subject to the sanctions regime. It is unclear if the entity making the payment could be subject to penalties or prosecution under that regime, or whether entities would be shielded from this due to the 'no-liability' principle," the company said.