The Security of Critical Infrastructure Act 2018 (the Act) protects Australia’s most crucial assets from many threats, including cyberattacks. Here we explore the Act’s requirements, providing businesses with technical and to-the-point suggestions, step-by-step instructions, and practical insights to help ensure compliance and strengthen their cybersecurity posture.
Understanding the Act’s Objectives and Scope
The Act’s primary objectives are identifying critical assets, managing security risks, and facilitating information sharing between industry and government. It covers various sectors, including energy, water, transportation, and telecommunications. The Act seeks to protect physical facilities, supply chains, information technologies, and communication networks that, if disrupted, could significantly impact Australia’s security, economy, or social well-being.
The Regulatory Framework of the Act
The Act establishes a robust regulatory framework that assigns key responsibilities to critical infrastructure operators. These responsibilities include conducting risk assessments, developing security plans, and reporting incidents to the relevant authorities. The Australian government also retains powers to intervene in emergencies or when operators fail to meet their obligations under the Act.
Step 1: Risk Assessment and Management
To comply with the Act, critical infrastructure operators must perform comprehensive risk assessments to identify vulnerabilities, threat actors, and potential attack vectors within their systems. The following technical steps can guide organizations through this process:
1.1. Map your critical assets: Identify all essential components of infrastructure within your organization, including physical facilities, IT systems, and communication networks.
1.2. Assess threats: Determine the potential threat actors and their capabilities, including nation-state adversaries, cyber criminals, or insider threats.
1.3. Identify vulnerabilities: Examine your infrastructure for weaknesses that attackers, such as outdated software, misconfigurations, or unpatched systems could exploit.
1.4. Analyze potential attack vectors: Evaluate how an attacker could infiltrate or disrupt your infrastructure, such as phishing attacks, malware, or Distributed Denial of Service (DDoS) attacks.
1.5. Prioritize risks: Rank the identified risks based on their likelihood and potential impact on your organization, allowing you to focus on addressing the most critical vulnerabilities.
1.6. Adopt an established risk assessment framework: Utilize a proven framework such as the NIST Cybersecurity Framework or the Australian Signals Directorate’s Essential Eight to guide your risk assessment and mitigation efforts.
Developing and Implementing Security Plans
Based on the results of your risk assessments, develop detailed security plans that outline the necessary protective measures, response strategies, and recovery procedures to mitigate identified risks. Here are some step-by-step instructions to create and implement robust security plans:
2.1. Define security objectives: Establish clear objectives for your security plan, such as ensuring the confidentiality, integrity, and availability of your critical assets.
2.2. Develop policies and procedures: Create comprehensive policies and procedures that address access control, data protection, incident response, and disaster recovery.
2.3. Assign responsibilities: Clearly define the roles and responsibilities of your security team members and the expectations for employees across your organization.
2.4. Implement security controls: Deploy technical, administrative, and physical security controls to mitigate the identified risks. This may include firewalls, intrusion detection systems, security awareness training, and secure facility design.
2.5. Test and evaluate: Regularly test your security controls to ensure they function as intended and assess their effectiveness in mitigating the identified risks. This may involve penetration testing, vulnerability scanning, or tabletop exercises.
2.6. Review and update: every 3 to 6 months, review and update your Security Plan. It is best if you start using something like a kanban board along with your documents – in our practice, we’ve seen that people work much better with kanban boards than with plans in document format. Periodically review and update your security plan to account for changes in the threat landscape, new vulnerabilities, and lessons learned from security incidents. This process should involve reassessing risks and adjusting security controls as necessary.
Reporting Incidents and Collaborating with Authorities
Under the Act, critical infrastructure operators must promptly report security incidents to the relevant authorities, providing information about the nature of the incident, the affected assets, and the actions taken in response. The following steps outline how to manage incident reporting and collaboration with authorities effectively:
3.1. Establish an incident reporting process: Develop a straightforward and efficient strategy for reporting security incidents to the appropriate authorities, ensuring that all necessary information is accurately and promptly communicated.
3.2. Train employees on reporting procedures: Ensure that employees understand their responsibilities during a security incident, including the process for reporting incidents and the importance of timely communication.
3.3. Engage with regulators and government agencies: Maintain open lines of communication with the Centre for Critical Infrastructure Protection (CCIP), relevant government agencies, and industry partners to facilitate information sharing and collaboration on security matters.
Adopting Advanced Cybersecurity Technologies and Methodologies
Critical infrastructure operators can adopt cutting-edge technologies and methodologies that help detect, prevent, and respond to threats more effectively to enhance their cybersecurity posture. These technologies include:
Step 4: Implementing Advanced Technologies
4.1. Artificial Intelligence (AI) and Machine Learning (ML): Deploy AI and ML technologies to analyze large volumes of data, identify patterns indicating potential threats, and enable rapid response to emerging risks.
4.2. Blockchain technology: Utilize blockchain to create a decentralized and tamper-proof ledger for critical data and transactions, ensuring the integrity of information and reducing the risk of unauthorized access. Note: utilizing blockchain technologies for cybersecurity is the only point from the entire ACT that we do not agree with. Blockchain adds almost zero benefits and we have yet to see any hacker worrying about someone using blockchain to defend against them.
4.3. Zero-trust security model: Adopt a zero-trust approach that requires continuous validation of access requests and assumes no user, device, or network is inherently trustworthy.
4.4. Advanced threat detection and response tools: Implement advanced tools such as Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) systems to monitor and analyze network activity, detect potential threats, and automate response actions.
4.5. Threat intelligence and information sharing: Collaborate with industry partners, regulators, and government agencies to share threat intelligence and best practices, enhancing collective defenses against cyber threats.
Fostering a Culture of Cybersecurity Awareness and Training
Creating a culture of cybersecurity awareness is essential for maintaining compliance with the Act and protecting your organization’s critical infrastructure. The following steps outline how to establish and maintain a strong cybersecurity culture:
5.1. Provide ongoing training: Deliver regular cybersecurity training to employees, covering topics such as phishing attacks, password security, and incident reporting procedures.
5.2. Communicate the importance of security: Emphasize the significance of cybersecurity to your organization’s overall success and the potential consequences of security breaches.
5.3. Encourage proactive behavior: Recognize and reward employees who demonstrate proactive security practices or identify potential vulnerabilities.
5.4. Conduct awareness campaigns: Implement periodic cybersecurity awareness campaigns that highlight emerging threats, share best practices, and reinforce the importance of vigilance.
5.5. Perform regular security drills: Conduct security drills to test employees’ preparedness and understanding of security policies and procedures, providing valuable insights for improvement.
Continuously Monitoring and Improving Security Measures
Continuous monitoring and improvement are crucial for maintaining compliance with the Act and staying ahead of evolving threats. The following steps offer guidance on how to implement a process of continuous improvement:
6.1. Monitor and analyze network activity: Regularly analyze network traffic, logs, and user behavior
6.2. Utilize threat intelligence feeds: Subscribe to threat intelligence feeds and integrate them into your security monitoring and analysis tools, enabling your organization to stay informed about emerging threats and attack trends.
6.3. Conduct periodic audits and assessments: Perform regular audits and assessments of your security controls to ensure they effectively mitigate identified risks and are aligned with the Act’s requirements.
6.4. Review and update security plans: Periodically review and update your security plans, considering any changes in the threat landscape, emerging technologies, or lessons learned from security incidents.
6.5. Evaluate and adjust security training: Assess the effectiveness of your cybersecurity training programs and adjust them as needed to address any gaps or weaknesses identified.
6.6. Share lessons learned: Collaborate with industry partners, regulators, and government agencies to share lessons learned from security incidents and best practices for mitigating risks.