Australians have been told to conserve energy in the last few weeks as we face potential blackouts. This raises the question – how does a resource-rich, wealthy country get to a position where we potentially cannot supply electricity to a large portion of our population? Recent world events have demonstrated that we cannot take critical infrastructure services for granted. The consequences of complacency could be the destruction of our way of life in this country.
In addition to supply concerns, there is the risk presented by cyber-attacks on the infrastructure that supports the delivery of these critical services – attacks that are becoming more frequent and more advanced every day.
Potential areas which may be impacted include:
- Instability in the supply chain.
- Inability to gain access to essential medical supplies.
- Impacts on critical services such as water supply, sanitation and financial services.
- Disruption to transport, fuel, and traffic management systems.
- The shutdown of retail and the inability of a business to function.
While Australia has not yet suffered from a detrimental attack against our critical infrastructure, we are not immune to such attacks. Threats against our critical infrastructure can take many forms. Cyber threats, espionage, neglect, and incompetence through poor management are examples.
On the 10th of December, 2020, the Australian Government introduced the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2020 (The SLACIP Bill, 2020). After review, this Bill was split into two parts. The first part of the Bill listed the urgent elements that needed to be addressed quickly. This Bill made amendments to the Security of Critical Infrastructure Act, 2018, to incorporate government assistance measures. Legislated in the Bill were enhanced cyber security obligations for organisations in charge of critical infrastructure. Significant enhancements and reforms included:
- The establishment and maintenance of a risk management program. The program manages the material risk of any hazards occurring that impact the availability, integrity or confidentiality of the critical infrastructure asset.
- Enhanced Cyber Security obligations for systems of National Significance. These obligations support a bespoke, outcomes-focused partnership between Government and the organisations managing this critical infrastructure.
- Creation of a mechanism to declare critical infrastructure assets of the highest criticality as systems of national significance. This means that the minister for home affairs would be able to privately declare critical infrastructure assets as a system of national significance.
We have all gained from the efficiencies and economic benefits that come from the interconnection of Critical Infrastructure. How we do business today has simplified our lives, from banking to registering the car to how we are billed for power consumption. But the digital transformation of these systems and services delivering these efficiencies and enhanced customer experience also puts these systems at risk.
It is vital for organisations managing critical infrastructure to understand these potential threats. The Government is introducing legislation to protect Australia’s critical infrastructure, however, the responsibility and means to protect this infrastructure remains with the organisation in control of that infrastructure.
In recent years significant gains have been made in the systems protecting critical infrastructure. However, it is worth stressing that much of Australia’s critical infrastructure still exists on Operational Technology (OT) and Industrial Control Systems (ICS) – systems for which security was once a secondary consideration.
If you’re an organisation that manages OT/ICS, cyber security is now not just a consideration – it is a crucial requirement to maintain your business operations, as well as mitigate the risk of the increased penalties and personal liability this bill introduces.
When considering what those protections should be, it is important to consider how you isolate and monitor your OT/ICS – in order to protect any systems, you must have visibility and appropriate controls, as well as continuous monitoring. With regard to both products and processes, look at aligning your OT/ICS to security frameworks such as NIST and CIS, to ensure that you are putting in place best-practice solutions to give you outcomes that reflect those current frameworks.
Seccom Global has a wealth of expertise in protecting OT/ICS. If you need assistance or advice, give us a call!