Australian Cyber Security Centre boss Rachel Noble has said there is a "very real possibility" Australia will face a "cyber Pearl Harbour" attack.
Telstra's global chief information security officer Craig Hancock also revealed he had been "war gaming" with the centre about how to protect the power grid in the event of such an attack.
The pair were speaking at an Institute of Public Administration Australia event on cybersecurity in Canberra on Thursday.
Ms Noble said she'd been asked repeatedly in the past week whether Australia was at risk from massive cyber attacks on critical infrastructure.
"The short answer is yes. It's a very real possibility ... It is real and growing," Ms Noble said.
The questions were sparked by evidence from Home Affairs secretary Mike Pezzullo last week, who warned of gaps in laws to protect infrastructure maintained by the private sector, including the electricity grid, water and gas networks, and even traffic lights.
"Hopefully we can close this gap in sufficient time before that day, the equivalent of a cyber Pearl Harbor, comes," Mr Pezzullo said at the time.
The Morrison government is canvassing laws to allow the Australian Signals Directorate to step in and defend critical infrastructure providers against cyber attacks from overseas.
Ms Noble said most critical pieces of national infrastructure were held by the private sector "for economic reasons".
"Quite properly, a CEO will rightly make a risk judgement about the protection of their efforts in the context of the resources that they have and the other risks they might also address," Ms Noble said.
"They do this appropriately in the context of their commercial interests, and their service to their customers.
"Even in a perfect world where all private companies are mitigating their cyber security risk perfectly, there's still potentially a gap where those risks need to be addressed in our national interest."
It may not take a state actor to disrupt critical services either, given how cheap and readily available malicious tools are nowadays, Ms Noble said.
She gave the example of the Emotet ransomware attack, which last month crippled major hospitals and health services across south-west Victoria.
"The initiating virus Emotet is called a worm because what it does is then worms its way into other computers which integrate with the infected computer," Ms Noble said.
"So the overall effect in this instance is that the health sector across Australia has been impacted the most because they are doing what we as patients expect and hope they do - they're communicating with each other.
"Worryingly, in this instance large hospitals and organisations have better firewalls and gateways which can pick up the virus and block it, so it's the smaller regional providers that are more likely to be vulnerable and impacted."
Mr Hancock said Telstra had been working with the cyber security centre in the aftermath of the attack.
He said Telstra was a big target itself for hackers and used machine learning to help sift through 3.4 billion potential issues per month.
"We advertise 15 million IP addresses on the internet, we've got hundreds of thousands of computers, hundreds of thousands of routers and they're all targets, so we have about 1000 events a month that we handle," Mr Hancock said.
But Mr Hancock said government and industry needed to work together to better protect critical services.
"Rachel and I have been speaking and even war gaming already just on the events we spoke about, or Rachel spoke about, in terms of what happens if the power grid or what happens when those sort of critical infrastructure elements, how would you go about trying to solve that and we'll have a pretty good way to deal with that in the future," Mr Hancock said.
Meanwhile Home Affairs deputy secretary Marc Ablong also told the event Australia could use its purchasing power to improve the cybersecurity of products in the market.
He was responding to concerns that even medical devices like pacemakers were vulnerable to cyber attacks.
"We've got to make sure those device manufacturers are thinking about the security of those devices as they are designing them, not as a second or third order thing ... after they've put them inside a patient, like 'maybe we should have thought about the ability for someone to hack the pacemaker before we installed them in people', so we are doing a lot of work with industry across Australia as well as internationally to start to describe what we think that standard needs to be," Mr Ablong said.
"One of the things that has worked impressively well in the United States is what they call 'comply to compete', in other words you have to comply with a set of cyber security strategies if you want to be able to compete for business."