Australian Government Invites Feedback on Critical Technologies

The Australian Federal Government will begin consulting businesses, researchers and the community at large to identify critical technologies of national importance.

The List of Critical Technologies in the National Interest will clarify technologies the government considers to be vital to present and future demands.

The 2022 List of Critical Technologies in the National Interest will build on the 2021 List, which featured 63 technologies across seven categories including:

- Advanced materials and manufacturing
- AI, computing and communications
- Biotechnology, gene technology and vaccines
- Energy and environment
- Quantum
- Sensing, timing and navigation
- Transportation, robotics and space

The consultation will run until Friday 30 September.

Federal Minister for Industry and Science, Ed Husic, said it is vital for Australia’s continued and future prosperity that emerging and critical technologies are promoted and protected.

“We know the development of critical technologies presents enormous potential opportunities as well as risks for Australians,” Mr Husic said.

“It is vital we understand and send a clear signal about what technologies we should be focusing on and where our strengths lie – and that is exactly what this consultation is all about.”

The Federal Government has promised to invest $1 billion into critical technologies through its National Reconstruction Fund and will aim to reach 1.2 million tech industry jobs by 2030.

“This work is also part of our goal to reach 1.2 million tech jobs by 2030, as well as securing our supply chains and promoting Australia as a secure destination of excellence for investment, development and adoption of critical technologies,” Mr Husic said.

“The Government is also investing $1 billion in critical technologies as part of the National Reconstruction Fund, to build our strategic capability and power the economic growth we need to create jobs.”

Fujitsu Leverages World's Fastest Supercomputer and AI to Predict Tsunami Flooding

A new AI model that harnesses the power of the world's fastest supercomputer, Fugaku, can rapidly predict tsunami flooding in coastal areas before the tsunami reaches land.
The development of the new technology was announced as part of a joint project between the International Research Institute of Disaster Science (IRIDeS) at Tohoku University, the Earthquake Research Institute at the University of Tokyo, and Fujitsu Laboratories.
The 2011 Great East Japan Earthquake and subsequent tsunami highlighted the shortcomings in disaster mitigation and the need to utilize information for efficient and safe evacuations.
While tsunami observation networks in Japanese coastal waters have been strengthened since then, using the data produced from those networks to predict a tsunami's path once it hits land has gained greater urgency. This is especially true since a major earthquake is likely to hit Japan's densely populated east coast sometime in the near future.
Tsunami prediction technologies will allow authorities to obtain accurate information quickly and aid them in effectively directing evacuation orders.
Fujitsu, Tohoku University, and The University of Tokyo leveraged the power of Fugaku to generate training data for 20,000 possible tsunami scenarios based on high-resolution simulations. These scenarios were used to streamline an AI model that uses offshore waveform data generated by the tsunami to predict flooding before landfall at high spatial resolution.
Conventional prediction technologies require the use of supercomputers and make rapid prediction systems difficult to implement. The current AI model, however, can be run in seconds on ordinary PCs.
When the model was applied to a simulation of tsunami flooding in Tokyo Bay following a large earthquake, it achieved highly accurate predictions with a regular PC within seconds. The results matched the tsunami flooding from the tsunami source models released by the Cabinet Office of Japan.
The research team will continue to make use of Fugaku's high-speed performance in the future by training the system with additional tsunami scenarios. Doing so will help realize AI that can predict tsunami flooding over even wider areas.

Global Resiliency Dialogue Releases Report Detailing Consideration of Climate Risk in Building Codes

The Global Resiliency Dialogue published findings of its first international survey in the report, The Use of Climate Data and Assessment of Extreme Weather Event Risks in Building Codes around the World.
The Global Resiliency Dialogue was established in 2019 by The International Code Council, the Australian Building Codes Board, the National Research Council of Canada, and the New Zealand Ministry of Business, Innovation and Employment, to foster global collaboration in addressing evolving climate risks in codes and standards. The aim is to create an international resiliency guideline and enable collaborative research efforts that will help jurisdictions across the globe better prepare the building stock to withstand more extreme weather events, including high wind, flooding, and wildfire, which the evidence and science tell us have been increasing, and will continue to increase, in frequency and duration.
The report is the first deliverable of the Global Resiliency Dialogue and provides valuable context about the current level of integration of climate science in the provisions of advanced building codes around the world. The report shows that, while many countries are actively considering the integration of models and methodologies that would more accurately predict the risk to buildings during their anticipated life cycle, the vast majority of advanced building codes implemented globally still rely on historical data to assess the risk to buildings from extreme weather events.
“There is great value in building code development and research organizations around the world collectively considering how building safety codes and standards can best adapt to address existential challenges like climate change,” said International Code Council Chief Executive Officer Dominic Sims, CBO. “There is a demand in many jurisdictions in the United States and around the world that have already experienced devastating impacts of more frequent and intense weather-related hazards for buildings that are safe and durable even in these changing conditions. The International Code Council is committed to playing a leading role in working with stakeholders in the government and standards community, as well as with our global partners, to develop tools and solutions that effectively address these concerns.”

Africa’s Infrastructure Ministers Validate Africa’s Infrastructure Priorities for 2021-2030

Africa’s infrastructure Ministers convened virtually to discuss the Continent’s infrastructure priorities for 2021-2030 and to validate the outcome of the first extraordinary expert group meeting of the African Union Specialized Technical Committee on Transport, Intercontinental and Interregional Infrastructures, Energy and Tourism (STC-TTIIET) held on December 14, 2021. A large number of African Ministers and institutions actively participated. The AU High Representative for Infrastructure Development, Rt. Hon. Raila Odinga, also addressed the audience.
The Ministerial meeting looked into the reports of the STC-TTIIET experts’ meeting and the bureau of the STC-TTIIET, the priority list of projects for PIDA PAP2, the roadmap, policy, and governance structure of the African Single Electricity Market (AfSEM), the implementation of the COVID-19 Emergency Action Plan for Resilience and Recovery, and the African Road Safety Action Plan of the Decade 2021-2030.
In his opening remarks, the Minister of Electricity & Renewable Energy of the Arab Republic of Egypt and Chair of the STC-TTIIET, H.E. Dr. Mohamed Shaker El Markabi, acknowledged the determination of the African Union Commission and stakeholders to move Africa’s infrastructure development agenda forward despite the challenges posed by the ongoing COVID-19 pandemic.
The Chair further highlighted that infrastructure development is key for the attainment of Africa’s development aspirations captured by Agenda 2063 and the Sustainable Development Goals (SDGs) and the priorities lined up for the next decade speak to these continental and global goals.
H.E. Dr. Amani Abou-Zeid, African Union Commissioner for Infrastructure and Energy, emphasised the importance of infrastructure in Africa in the next decade as the backbone to the realisation of the much-needed integration and trade facilitation in the continent.
According to the AU Commissioner, post-COVID-19 recovery requires the fast-tracking of Africa’s infrastructure development to improve resilience and improve livelihoods and economies. “The COVID-19 pandemic also accelerated digitalisation, exposed the gaps in energy in rural areas and highlighted the need to develop infrastructure that is smart, inclusive and sustainable,” said Dr. Abou-Zeid.
The AU Commissioner seized the opportunity to remind the Committee of the bottom-up participatory approach and regional consultations conducted leading to the preparation of the PIDA PAP2 and the AfSEM, calling on the AU Member States, Regional Economic Communities and stakeholders to synergize efforts towards the realization of Africa’s infrastructure development ambitions.
“Annually, we have an infrastructure financing gap of between $60-$90 billion. We need effective and efficient plans to mobilize resources to fund the identified PIDA projects. The long-term solution in my view is the creation of an Africa Continental Infrastructure Fund under the auspices of the AU to pool resources. Such a fund would focus on a combination of domestic sources and private sector financiers,” said the Rt. Hon. Raila Odinga, the AU High Representative for Infrastructure Development.
The Infrastructure & Partnerships Division Manager at the African Development Bank (AfDB), Mike Salawou, recalled that the bank has been the major financier of infrastructure projects in Africa by availing 7bln USD in the past ten years. “We have been actively supporting the first phase of PIDA and we will continue to support PIDA PAP2, recognizing the long-term effect it will have to spur economic advancement for the continent.”
Mr. William Lugemwa, Director of Private Sector Development and Finance Division at the UNECA, also appealed for ownership of the PIDA PAP2 projects, saying “African leadership from the highest political level is critical for the successful implementation of PIDA PAP2”.
In her closing remarks, AU Commissioner Dr Abou-Zeid thanked Member States, Regional Economic Communities, PIDA Institutions, and partners for their active participation and relentless efforts exerted throughout the processes of PIDA PAP2, the PIDA PAP2 guiding documents, and AfSEM policy documents.
The recommendations and declarations validated by the Ministerial meeting of the STC-TTIIET will be presented to the Assembly of the African Union Heads of States and Government for adoption at the African Union Summit in February 2021.

ENISA publishes report on cybersecurity measures in Railway Transport Sector

Representing 472 billion passenger-kilometres, 216,000 km of active railways and 430 billion tonne-kilometres for freight transport, the railway sector plays an important and fast-growing role. Railway infrastructure and systems are key assets, crucial to developing and protecting the European Union.
The railway sector enables goods and passengers to be transported within countries and across borders, and is key to the development of the European Union. The main players within this sector are the railway undertakings (RU), in charge of providing services for the transport of goods and/or passengers by rail; and the infrastructure managers (IM), in charge of establishing, managing and maintaining railway infrastructure and fixed installations, including traffic management, control-command and signalling, but also station operation and train power supply. Both are in the scope of the NIS Directive, and their identification as operators of essential services (OES) respects the transposition of laws to the majority of member states.
Challenges
The study also identifies the main challenges faced by the sector to enforce the NIS Directive:
- Railway stakeholders must strike a balance between operational requirements, business competitiveness and cybersecurity, while the sector is undergoing digital transformation which increases the need for cybersecurity.
- Railway stakeholders depend on suppliers with disparate technical standards and cybersecurity capabilities, especially for operational technology.
- OT systems for railways have been based on systems that were, at a point in time, secure according to the state of the art, but due to the long lifetime of these systems they eventually become outdated or obsolete. This makes it difficult to keep them up to date with current cybersecurity requirements. Furthermore, these systems are usually spread across the network (stations, track, etc.), making it difficult to comprehensively control cybersecurity.
- Railway operators report issues of low cybersecurity awareness and differences in culture, especially among safety and operations personnel.
- Existing rail-specific regulation doesn’t include cybersecurity provisions. OES often have to comply with non-harmonized cybersecurity requirements deriving from different regulations.
ERTMS is also covered in this study as a separate infrastructure due to its special requirements and its cross-European nature.

What was learned while developing Bhutan’s first National Cybersecurity Strategy

While the introduction of information and communication technologies (ICTs) brings undeniable benefits in terms of speed and efficiency of digital transformation, it can also significantly expand the cybersecurity risk landscape or “attack surface.”
Adopting and implementing an NCS can be particularly challenging for developing countries as it requires significant economic, human, and organizational resources. Committed to supporting governments by building capacity and transferring knowledge, ITU hosted a webinar on NCS development and implementation where international experts discussed key actions to build cybersecurity resilience and readiness.
A critical contribution came from the Bhutan Computer Incident Response Team (BtCIRT). We decided to share lessons learned while developing our NCS since Bhutan’s experience not only demonstrates the typical cybersecurity challenges faced by developing countries, but also how developing an NCS can turn these challenges into opportunities for stronger cybersecurity.
Embarking on a journey
Bhutan’s journey toward the definition of its first NCS began in 2012 with a readiness assessment conducted by ITU to measure not only the cybersecurity maturity level of the Kingdom of Bhutan, but also its cyberthreat landscape.
Following the assessment, the Bhutan Computer Incident Response Team (BtCIRT) was formally established in April 2016. The BtCIRT operates under the Department of IT & Telecom (DITT) of the Ministry of Information & Communications. Our formal mandate is to provide both reactive and proactive cybersecurity services to the entire nation, including guiding the development of a national strategy.
After a number of iterations, the first version of the NCS was finalized in October 2020 through two rounds of task-force workshops. At the time of writing, the NCS is awaiting public consultation after which it will be submitted to the Cabinet of Bhutan for approval.
Overcoming hurdles
Explaining the importance of cybersecurity and the necessity for a strategy was one of the most significant initial challenges. Despite the great engagement of the Kingdom of Bhutan in ICT development, many government and private sector leaders are from non-technical backgrounds. In a country where digital transformation is a work in progress, awareness of the importance of cybersecurity remains a big challenge. Senior management perceived cybersecurity as a purely technological problem with limited impact on other domains. In reality, cybersecurity is a shared responsibility that needs multidisciplinary and structured solutions from top management.
Another key challenge was gaining support and buy-in from stakeholders. As the NCS is a national endeavour and roadmap to achieving a safer online environment, it needs to cater to the whole country to ensure that it is comprehensive and inclusive through the involvement and collaboration of all stakeholders.
Not all perceived cybersecurity as a priority, and others held different views on how to implement it. It was challenging to bring everyone together in the first place, and even more difficult to achieve consensus on strategic direction and specific areas of concern.
Visibility, funding and partnerships key
Given this was the first time developing a National Cyber Security Strategy for Bhutan, all challenges constituted an important learning experience and an opportunity to enhance the country’s cybersecurity maturity.
First, developing the NCS spread cybersecurity awareness and visibility throughout the institutional apparatus. In Bhutan, the government accords the highest importance to digital transformation and information and communication technologies. The high-level ICT steering committee, with members representing top management from every sector (government, public and private), drives and monitors the implementation of ICT projects.
In terms of funding, the Department of IT & Telecom secured a dedicated budget projected over 5 years for the implementation of the NCS. Identifying critical information infrastructure, conducting cybersecurity awareness training and cybersecurity capacity building are among the initial activities to be carried out. The Strategy also clearly identifies stakeholders and their responsibilities.
After the approval of the NCS, three working groups will be formed. The legal group will carry out the assessment on cybersecurity legislation, the Child Online Protection group will develop guidelines, and the Technical group will develop relevant security requirements and guidelines. All activities will be monitored monthly by BtCIRT and issues will be escalated to the High-Level ICT steering committee.
Finally, the public-private partnership model presents a potential opportunity to further build cybersecurity awareness in Bhutan. As the BtCIRT is limited in terms of human resources and capacity, it could improve incident reporting and handling, as well as enhance knowledge sharing. To that end, the implementation strategy includes a plan to set up sectoral Security Operation Centers to improve cybersecurity in critical sectors.
Looking ahead
The last two decades have seen the Kingdom of Bhutan undergo a far-reaching digital transformation, especially in terms of delivery and adoption of digital services.
Another recent trend is that many Bhutanese people have embraced cardless transactions. More recently, due to the COVID-19 pandemic, the health and education sectors have adopted innovative measures for service delivery.
As Bhutan continues its digital transformation work, global and national capacity building in this field remains a necessity for the successful development of National Cybersecurity Strategies. The result is not only the betterment of countries’ cybersecurity posture, but an opening of opportunities that will enable the benefits of digitalization to reach more citizens, for an altogether more sustainable digital future.

IoT Security: ENISA Publishes Guidelines on Securing the IoT Supply Chain

The European Union Agency for Cybersecurity (ENISA) is releasing its Guidelines for Securing the IoT – Secure Supply Chain for IoT, which covers the entire Internet of Things (IoT) supply chain – hardware, software and services – and builds on the 2019 Good Practices for Security of IoT - Secure Software Development Lifecycle publication by focusing on the actual processes of the supply chain used to develop IoT products. This report complements the Agency’s seminal study on Baseline Security Recommendations for IoT, a highly cited and referenced work that aims to serve as a reference point for IoT security.
Supply chains are currently facing a broad range of threats, from physical threats to cybersecurity threats. Organisations are becoming more dependent than ever before on third parties. As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Today, organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed than ever before.
In the context of the development of the Guidelines for Securing the IoT – Secure Supply Chain for IoT, the EU Agency for Cybersecurity has conducted a survey that identifies the existence of untrusted third-party components and vendors, and the vulnerability management of third-party components as the two main threats to the IoT supply chain. The publication analyses the different stages of the development process, explores the most important security considerations, identifies good practices to be taken into account at each stage, and offers readers additional resources from other initiatives, standards and guidelines.
As pre-prepared products are used in most cases to build up an IoT solution, introducing the concept of security by design and security by default is a fundamental building block to protect this emerging technology. The Agency has worked with IoT experts to create specific security guidelines for the whole lifespan of IoT devices. To help tackle the complexity of IoT, these guidelines focus on bringing together the key actors in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security by design principles.

NCSC Updates Guidance on Principles for the design and build of in-house Public Key Infrastructure (PKI)

A private Public Key Infrastructure (PKI) is used to confirm the identity of users, devices and services hosted or connected to privately owned infrastructure.
This is an essential component of any system that uses a private PKI for authentication; as such, it must be designed and built with great care.
This guidance provides a set of high level architectural design principles which can be used to design, scope or review a private PKI architecture.

Australia target of 'sophisticated state-sponsored' cyber attack

Scott Morrison, the country's prime minister, says the attacks have targeted all levels of the government - as well as political organisations, essential service providers and operators of other critical infrastructure.

"We know it is a sophisticated state-sponsored cyber actor because of the scale and nature of the targeting," he said at a news conference.

Mr Morrison has stopped short of naming the country responsible for this "malicious" activity, but warned: "There are not a large number of state-based actors that can engage in this type of activity."

This has been interpreted as a coded reference to China, which the Australian government reportedly suspects of being behind the attacks.

An advisory note posted on the government’s Australian Cyber Security Centre website describes the attack as a “cyber campaign targeting Australian networks”.

The advisory says the attackers are primarily using “remote code execution vulnerability” to target Australian networks and systems. Remote code execution is a common type of cyber attack in which an attacker attempts to insert their own software code into a vulnerable system such as a server or database.

The attackers would not only try to steal information but also attempt to run malicious code that could damage or disable the systems under attack.

Detecting this is hard, and would require advanced defensive measures such as penetration testing, in which trained security professionals known as “ethical hackers” try to hack into a system in an attempt to find potential vulnerabilities.

Advisory 2020-008: Copy-paste compromises - tactics, techniques and procedures used to target multiple Australian networks

Overview
This advisory details the tactics, techniques and procedures (TTPs) identified during the Australian Cyber Security Centre’s (ACSC) investigation of a cyber campaign targeting Australian networks. These TTPs are captured in the frame of tactics and techniques outlined in the MITRE ATT&CK framework.

Campaign summary
The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.

The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure, primarily through the use of a remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.

The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.

When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques. This spearphishing has taken the form of:

  • links to credential harvesting websites
  • emails with links to malicious files, or with the malicious file directly attached
  • links prompting users to grant Office 365 OAuth tokens to the actor
  • use of email tracking services to identify the email opening and lure click-through events.

Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.

In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.

During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.

EU grants €38 million for protection of critical infrastructure against cyber threats

The Commission announced today that it is committing more than €38 million, through Horizon 2020, the EU's research and innovation programme, to support several innovative projects in the field of protection of critical infrastructure against cyber and physical threats and making cities smarter and safer.

Mariya Gabriel, Commissioner for Innovation, Research, Culture, Education and Youth, said, "Over the past years we have offered our support to research and innovation actions in the area of cybersecurity that contribute to better protecting key infrastructure and the people living in European smart cities. I am pleased that today we are able to offer yet another significant amount of funding through Horizon 2020 towards security, privacy and threat mitigating solutions."

Thierry Breton, Commissioner for Internal Market, added, "Securing network and information systems and enhancing cyber resilience are key for shaping Europe's digital future. As we are faced with a diverse array of cybersecurity threats, the EU is taking concrete measures to protect critical infrastructures, cities and citizens. More investments at EU and national level in innovative cybersecurity technologies and solutions are of paramount importance to strengthen EU's resilience to cyberattacks."

Three projects (SAFETY4RAILS, 7SHIELD and ENSURESEC) will work to improve prevention, detection, response and mitigation of cyber and physical threats for metro and railway networks, ground space infrastructure and satellites, as well as e-commerce and delivery services. Two additional projects (IMPETUS and S4ALLCITIES) aim at enhancing the resilience of cities' infrastructures and services and protecting citizens in case of security incidents in public spaces.

The projects are expected to start between June and October 2020 and will run for two years. The Research Executive Agency will manage the five selected projects and has finalised the preparation and signature of grant agreements with the beneficiaries.

The EU's financial contribution is provided in the form of grants that can be up to 100% of the project’s total budget. All projects were selected for funding under a competitive call for proposals, ‘Protecting the infrastructure of Europe and the people in the European smart cities’, under the Societal Challenge 7 ‘Secure societies’ launched on 14 March 2019.

The support is part of the EU's commitment to build a strong cybersecurity culture and enhanced capabilities to resist and respond effectively to potential cyber threats and attacks.