critical infrastructure

In recent years, things have been changing quickly when it comes to data sovereignty in Australia—especially in the Critical Infrastructure (CI) sector. More and more corporations are realizing that the use of sovereign cloud providers is not a luxury, but a necessity.

During the pandemic especially, it became apparent that several essential services and even the Australian government have faced hundreds of cyber threats from nefarious foreign actors. As such, the Australian government has taken matters into its own hands and announced changes to the Security of Critical Infrastructure Act 2018 (SOCI Act).

Two recent amendments have been made to the SOCI Act. The first amendment, Security Legislation Amendment CI Act 2021, was passed last year. The second, Security Legislation Amendment CI Infrastructure Protection Act 2022, went through just this year.

Both of these bills have major impacts on the CI sector and their current cybersecurity measures. For everything from Australian mines to local energy companies, these bills mean it’s time to take a hard look at how they can meet the new standards and how they can do their part to protect key infrastructure from outside attack and control.

But first, let’s understand what sparked these legislative changes.

Why is the Australian Government passing new Critical Infrastructure legislation?

Cyber-attacks by foreign powers have been increasing at an alarming rate in Australia and around the world. In fact, the Australian Cyber Security Centre (ACSC) reported that the severity and frequency of these attacks have increased excessively in just the last few years.

According to their Annual Cyber Threat Report, there is now a cyber-attack reported every 8 minutes in Australia. And criminals are targeting not just the Australian government, they’re also targeting our key infrastructure and basic utilities. In that same report, the ACSC found about a quarter of reported cyber-attacks are associated with essential services and other critical infrastructure.

And these aren’t the kind of phishing scams anyone can fall prey to. No, these cyberattacks put our country’s most important assets at risk—and our daily lives as well. Letting foreign powers – or their proxies – have the ability to control power plants could very well result in power outages and worse problems, jeopardizing the safety of millions of citizens.

The strategy behind these changes is to identify and protect the infrastructure critical to Australia’s security, which is increasingly the target of cyber-attacks by foreign powers. To that end, the Act expands from 4 to 11 the number of defined Critical Infrastructure (CI) sectors subject to the Act’s provisions.

What has changed for CIs?

The biggest change for CIs is the requirement of a Risk Management Program (RMP). This means that businesses with critical infrastructure assets must reevaluate their organisational processes to ensure they are compliant with the new regulations.

Additionally, there are 7 new sectors that are now defined as critical. That means more businesses are impacted by these amendments than before. Clearly, it’s a sign of what’s to come, as many more industries will need to strengthen their cybersecurity measures.

And for those that fail to properly strengthen their cybersecurity measures and create an RMP, they can face financial penalties from $44,400 up to $222,000.

What is the critical infrastructure Risk Management Program?

To better protect Australia from meddling foreign powers, CIs need to adopt and maintain their own RMP. The RMP requires that CI firms identify their critical assets, identify risks to each asset, develop a risk management and mitigation process, as well as enable regular reviews.

Additionally, 4 rules have been introduced with different categories that the CI industry will need to address. These rules under the RMP are as follows:

  • Rule 1: Cyber and Information Security Hazards
  • Rule 2: Personnel Hazards
  • Rule 3: Supply Chain Hazards
  • Rule 4: Physical and Natural Hazards

In order to meet these requirements, businesses operating in the CI sector will need to focus on data sovereignty among other protective measures. The problem is that many businesses are reliant on cloud technology to operate and there are few sovereign cloud providers out there addressing this issue.

How does AUCloud define sovereign resilience?

At AUCloud, data sovereignty is our DNA. As a company, we are owned, managed, and operated in Australia because that’s the only way to ensure genuine data sovereignty.

To achieve this, all the data hosted by AUCloud is secured in Australia. That means it will never leave the country at any stage. From sensitive customer records and support data to metadata, analytics, and monitoring—you can be confident all your private information is secured within Australian facilities.

Unlike global cloud providers, AUCloud is also designed specially to meet the exact standards of Australian legislation. This is vital for government and CI clients who strive to prevent foreign entities from accessing their data.

How can AUCloud’s sovereign resilience solutions support CIs?

All of our infrastructure has been built to meet the exact standard of the Australian government. We also provide the means for CIs to use our cloud service and meet RMP risk management requirements.

More specifically, the data hosted by AUCloud adheres to Digital Transformation Agency (DTA) standards. This means AUCloud functions as a DTA Certified Strategic Cloud provider, following the DTA’s Hosting Certification Framework.

In addition, all the data we host is in DTA Certified Strategic Data Centres, with this framework integral to the protection of Australian Government systems and records. In essence, we meet the requirements to hold protected public sector-data as specified by its new Hosting Certification Framework.

We are also IRAP assessed to the PROTECTED controls of ACSC’s Cloud Assessment and Authorisation Framework (CAAF). Importantly we are ISO 27001 Certified across all our services, allowing us to maintain the international quality standard for information security for all our clients.

One thing is certain, the future of data sovereignty in the Australian CI sector will rely on a collaborative approach taken by businesses and the government – something which the Home Affairs Minister herself recently pointed out.

“The best approach to protecting our critical infrastructure from attack is a partnership between business and government to ensure the businesses that provide essential services to Australians can be resilient and respond to evolving threats.”
Karen Andrew
Home Affairs Minister (10 February 2022)

Our guarantee is protection of your data in Australia by Australians to Australian security standards. As the complexities and sophistication of the cyber landscape changes – we respond. You can be sure that our services will be continuously enhanced to meet the standards set by the Australian government and expected by industry. That means you can be confident your systems are compliant, no matter what legislative changes take place in the future and your data is always secure.

Take the next step

As a VMware Sovereign Cloud Partner, AUCloud provides a range of sovereign Infrastructure-as-a-Service that customers and third-party service providers can easily access and use – and with the same scale, automation, elasticity, and lower costs associated with hyperscale public cloud offerings. Get in touch to see how we can support your digital transformation journey today.