Cyber Hazards And The Transport Security Bill 2022
New draft legislation focusing on the Aviation and Maritime transport sectors is being proposed in line with other amendments to the Security of Critical Infrastructure Act 2018 (SoCI Act). These amendments aim to bolster the cyber security of Australia's critical national infrastructure and assets of national significance.
Additional draft legislation focusing on aviation and maritime transport sectors is being proposed as part of the overall Commonwealth program of reforms to uplift the 11 critical infrastructure categories.
These reforms are being progressed through amendments to the Security of Critical Infrastructure Act 2018 (SoCI Act) in line with other amendments, namely:
- The Security Legislation Amendment (Critical Infrastructure) Bill 2021 (SLACI Bill One), which passed Parliament on 22 November 2021, and
- A planned second Bill (SLACI Bill Two), which is currently being developed.
The amendments to the aviation and maritime sectors as part of the critical infrastructure reforms will amend the Aviation Transport Security Act 2004 (Aviation Act) and the Maritime Transport and Offshore Facilities Security Act 2003 (Maritime Act).
These amendments will be captured in the Transport Security Amendment (Critical Infrastructure) Bill 2022 (Transport Security Bill) and will uplift the Acts from a focus on unlawful interference to encompass an all-hazards risk management framework.
The Transport Security Bill will apply to all regulated aviation and maritime industry participants and will deliver the following changes:
- Amend the definition of unlawful interference to explicitly include cyber security incidents
- Introduce a new purpose into both Acts of safeguarding against operational interference, which includes all hazards beyond those already captured under unlawful interference
- Introduce powers for the Minister for Home Affairs (the Minister) to declare select industry participants as ‘critical industry participants’
- Critical industry participants will be required to identify, and mitigate against, acts of unlawful interference and operational interference
- Amend security plans and programs, to include a security assessment to be undertaken as part of a plan or program for aviation industry participants
- Modernise compliance powers for aviation and maritime security inspectors, including triggering Part 3 of the Regulatory Powers (Standard Provisions) Act 2014
- Amend several existing requirements under the Acts to encompass the new purpose of operational interference.
What is operational interference?
Under the new Act, a smaller subset of industry participants will be required to identify and take reasonable steps to mitigate against all forms of interference that could impact the confidentiality, availability, integrity, and/or reliability of their operations and assets.
Operational interference can involve human-induced or natural hazards that could impact the industry participant’s business, such as personnel threats or supply chain security.
When defining these hazards, those that meet the threshold of both unlawful interference and operational interference will only be considered as unlawful interference. However, operational interference will not include lawful protest, advocacy, dissent, or industrial action.
What is unlawful interference?
The unlawful interference provisions safeguard against something done, without lawful authority, that interferes with the security of passengers, goods or infrastructure. The Bill will expand the definition of unlawful interference to explicitly include cyber security incidents and to capture additional trusted insider threats.
The proposed amendments will remove the requirement that information being communicated needs to be ‘false’ or ‘false or misleading’ to be an act of unlawful interference.
This will support capturing cyber security and trusted insider threats when an action taken may be done without lawful authority but is not false or misleading. Information that is communicated lawfully and in good faith is not an act of unlawful interference.
What do these cyber hazards look like?
Many cyber-attacks use common tools such as ransomware. A notable attack in the Maritime sector was aimed at Maersk shipping, which suffered losses calculated at USD $300 million in the worst known attack on the maritime sector.
This ransomware attack led to Maersk’s systems being greatly impacted with long wait times and congestion in both shipping and container unloading at many seaports globally.
More specifically, for Maritime fleet operational issues there have been notable attempts to impact Global Navigation Satellite Systems (GNSS), perhaps more than any other sector.
GNSS receivers are carried by most vessels and are relied on to establish position, speed, and direction. There are events where even unintentional and experimental attacks have been shown to hold the potential to impact the navigation capabilities of vessels.
The impact of a disruption to navigation may force crew to rely on traditional navigation, which may not be well-practiced or taught – how many captains and crew can remember their celestial navigation skills?
In the Aviation sector there are many concerns around cyber-attacks impacting critical systems. With the tragic loss of MH370 there were initial fears and theories about the flight’s sudden disappearance, including hacking of the plane’s autopilot systems, although these were eventually dismissed.
In August 2016 GPS guidance was impacted on a Cathay Pacific flight to the Philippines, where crew members had to land a Boeing 777-300 using only their eyes.
Many of these GPS attacks require a high level of sophistication and are generally thought to be state sponsored. These attacks are noticeably occurring across the Maritime and Aviation sectors, with events occurring globally since 2010 in locales such as Korea, Israel, the Arctic Circle, the Black Sea and Norway, amongst others.
Where to from here?
Finding an experienced team who can provide advice on ways to address these significant threats to the Aviation and Maritime sectors can prove difficult.
Trusted partners that understand the operations of these critical industries and have experience in sectors where these types of hazards are relevant (i.e. Defence, Government) are very rare.
As specialists in Defence, security technology, and critical infrastructures, Anchoram is well-placed to provide organisations with deep experience and flexible approaches to any concerns related to the management of these operational and unlawful hazards within the Aviation and Maritime sectors. Our teams have deep experience in protective, cyber and risk related advisory and assurance across these critical industries.
We thrive on helping our customers realise a secure and safe operation, so for more information please reach out to our team for a no-obligation chat about your challenges.