Securing northern Australia’s critical infrastructure against cyberattacks

The strategic importance of northern Australia within the broader defence and national security framework has been well articulated and widely acknowledged. Related to this is the significant role critical national infrastructure plays in supporting defence capabilities. However, digital communication technologies have changed the threat landscape in which critical national infrastructure providers operate and, in turn, placed Australia’s national security at risk.

Critical national infrastructure encompasses any capability, network or facility that, if compromised, would threaten Australia’s security. The development of critical national infrastructure across Australia’s north offers the federal government an opportunity to proactively work with private-sector providers of critical national infrastructure on cybersecurity. Such efforts are necessary to ensure that supply-chain relationships and vulnerabilities are well identified, understood and addressed.

The government’s 2020 defence strategic update made clear that Australia’s defence organisation needs to be prepared for conflict in the increasingly contested Indo-Pacific and cannot rely on the luxury of a 10-year warning period. The development of defence capabilities and critical national infrastructure in the north reflects this thinking. Earlier this year, the government announced an additional $2 billion in funding for the Northern Australia Infrastructure Facility, on top of the $5 billion already committed. The increased support is aimed at bolstering the government’s targeted growth plan for the north, which recognises that investment in critical national infrastructure is necessary to protect Australia’s national security.

The investment reflects the findings of the government’s 2015 audit of infrastructure in northern Australia, which identified substantial gaps in infrastructure to support sustained regional growth, provide adequate service standards and achieve cost-effective practices—all of which weaken Australia’s overall northern defence posture.

The supply-chain implications of a cyberattack on a critical infrastructure provider are acknowledged in the amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) enacted in December 2021 and March 2022. The first tranche of amendments identifies 11 critical infrastructure sectors that, if subject to a cybersecurity incident, could threaten national security due to relationships with other capabilities critical to national defence.

Northern Australia is home to only 5.6% of Australia’s population, but it is a significant contributor to major critical national infrastructure industries. Around 70% of the nation’s known resources of iron ore, zinc and lead are located in the region, as well as 64% of the nation’s beef cattle herd and approximately 94% of both banana and mango crops. Infrastructure in northern Australia is therefore vital to the nation’s overall economic performance and food security, as well as key in supporting the immediate needs of local communities and defence facilities in the region.

Last year’s cyberattack on meat-processing company JBS Foods demonstrated the supply-chain consequences of a cyberattack on an Australian-based critical national infrastructure provider. The five-day attack disrupted food supply operations across all JBS Foods’ global locations, including Australia, despite the attack occurring offshore. If a similar attack were to occur on northern critical national infrastructure, such as gas providers or water- and sewage-processing plants, the flow-on effects for defence bases reliant on their services could create significant disruption.

While cybersecurity is clearly a necessary protection for northern critical infrastructure providers, challenges exist in its implementation. The amendments to the SOCI Act represent an important attempt to define industries relevant to national security and implement cyber reporting standards. However, private-sector industry providers have expressed concerns about the level of interference the government can exercise. Under the amendments, the government has the power to install its own security software and ‘access, add, restore, copy, alter or delete data’ at its discretion.

Aside from privacy concerns, the SOCI amendments reflect an attempt at a one-size-fits-all approach to cybersecurity for critical national infrastructure. This aspect arguably helps to manage the hard reality that critical infrastructure providers, particularly in northern Australia, face significant skills shortages and a lack of experienced specialists to handle sophisticated cyberattacks.

However, the legislation fundamentally fails to recognise the cyber complexities and nuanced characteristics of different industries, as well as the diversity of cyberattacks they might experience. This remains true despite the announcement of the Security Legislation Amendment (Critical Infrastructure Protection) Bill in April. The proposed legislation builds on the SOCI Act by implementing a risk management program and imposing new cybersecurity obligations for ‘systems of national significance’ in recognition of their critical importance to national security and the unique cyber threats they face.

While these proposed changes are a promising step towards the implementation of cyber threat intelligence and preparedness against known risks to critical infrastructure providers, their effectiveness is unproven. It’s highly likely that further policy action will be required, and opportunities for policy tailored to the unique role of northern Australia’s critical national infrastructure should be sought.

Critical infrastructure providers such as water- and sewage-processing plants, gas supply facilities and electricity providers typically use supervisory control and data acquisition, or SCADA, systems, which were not originally designed to be connected to the internet. However, as technology has evolved, these systems have been integrated with advanced communication technology that enables remote operation and monitoring; essentially, they are no longer closed-circuit systems and are vulnerable to a wide range of cyberattacks.

Patching vulnerabilities in these systems is difficult and is avoided where possible, because of the difficulties associated with switching to back-up systems and the risk of disrupting the systems’ activities.

The uniqueness of each critical infrastructure provider in both its internal functioning and its relationship with the broader defence system is therefore a considerable challenge when implementing a national cybersecurity strategy. In this light, there are benefits in encouraging the adoption of a ‘security convergent’ approach within each provider. Security convergence is an approach that holistically considers all security domains and creates greater internal awareness about how vulnerabilities are related. Logical integration of security functions, processes and objectives across traditionally separate domains will better protect critical infrastructure supply-chain relationships, thus strengthening Australia’s national security.

With these challenges in mind, the government should seek to incorporate security-convergence and cybersecurity development, training and practices into its northern infrastructure investment activities. The opportunity to ensure the security standards necessary to protect northern Australia’s critical national infrastructure should not be overlooked, particularly as the increased development efforts create a similar opportunity to understand and review unique relationships between critical infrastructure and Australia’s defence capabilities.

Cyberattacks are likely sources of aggression that could have major physical consequences if not properly accounted for in the development of critical infrastructure in northern Australia. Patchwork security arrangements are not adequate to support national defence; however, neither is the carte blanche cybersecurity response in the new legislation. Instead, a hybrid and convergent approach that considers the security network at large is required and deserves further discussion.