We are living in turbulent times. With the war in Ukraine, the conflict between East (Russia, China) and West (NATO, and to some degree even Australia), and the ongoing conflict in the South China Sea, Australian businesses might be caught in the crossfire or become collateral damage in cyber conflicts among any of the parties mentioned above.
The threats to Australia’s critical infrastructure have never been as numerous or as severe. Cybersecurity has become a crucial concern for businesses across industries, as the Security of Critical Infrastructure Act 2018 (the Act) imposes stringent regulations to protect the nation’s assets. This article delves into the Act’s key components, offering valuable insights for Australian businesses looking to fortify their cybersecurity defenses and maintain compliance.
Understanding the Scope of the Act
The Security of Critical Infrastructure Act 2018 provides a framework for safeguarding Australia’s most vital assets. The Act defines critical infrastructure as physical facilities, supply chains, information technologies, and communication networks that, if disrupted, could significantly affect the nation’s security, economy, or social well-being. Industries affected by the Act include energy, water, transportation, and telecommunications.
Does it apply to you?
If your business is:
- Part of the critical infrastructure sector
- A critical infrastructure sector asset
- A critical electricity asset
- A critical port
- A critical gas asset
- A critical liquid fuel asset
- A critical freight infrastructure asset
- A critical freight services asset
- A critical financial market infrastructure asset
- A critical broadcasting asset
- A critical data storage or processing asset
- A critical banking asset
- A critical insurance asset
- A critical superannuation asset
- A critical food and grocery asset
Then yes, the Act applies to your business. If you searched the Internet and found this article, then you probably already know that. What should you do next?
The Act’s objectives are to identify critical assets, manage security risks, and facilitate information sharing between industry and government. By establishing a comprehensive risk management approach, the Act helps to ensure the resilience of Australia’s critical infrastructure against various threats, including cyberattacks, terrorism, and natural disasters.
Breaking Down the Act’s Regulatory Framework
Under the Act, critical infrastructure operators are assigned several key responsibilities. These include:
- Conducting risk assessments: Operators must identify and assess potential vulnerabilities, threat actors, and attack vectors in their systems. This process should be systematic, evidence-based, and tailored to each organization’s unique risk profile.
- Developing security plans: Based on their risk assessments, operators must create and implement detailed security plans that outline the protective measures, response strategies, and recovery procedures necessary to mitigate identified risks.
- Reporting incidents: In the event of a security incident, operators must promptly notify relevant authorities and provide information about the nature of the incident, the affected assets, and the actions taken in response.
Broken down, these responsibilities look like this:
Conducting Risk Assessments
Risk assessments can happen annually or every six months, but their underlying tasks must happen as often as possible. For example, vulnerability assessments could run automatically, 24 hours a day, 7 days a week, using a vulnerability scanner that feeds your vulnerability management program.
Identifying threat actors can happen both theoretically and practically, via your Incident Response program.
Attack vectors can be identified by logically mapping your critical systems, the critical communication paths between them, their present and potential vulnerabilities, and their authentication methods.
Finally, it should all be governed by your business risk profile. If you operate a critical gas port, your risks are different from the risks of a critical insurance company.
Developing Security Plans
Developing your own Security Plan could be the one key action leading you to successfully comply with the Security of Critical Infrastructure Act.
The best way to develop such a Security Plan is to first run a comprehensive Information Security Audit, or Risk Assessment, covering your entire IT infrastructure, the practices used to manage it, and your processes and procedures.
The result of the Assessment or Audit would feed into your Security Plan.
Your Security Plan should contain tasks for your various IT teams and individual functions, for your cybersecurity team, even for executive management.
The Plan should be broken down month by month, with tasks grouped by criticality, ideally into High, Medium and Low risk and priority.
The Australian government also has powers to intervene in emergencies or when operators fail to meet their obligations under the Act. Australian government regulatory authorities play a central role in enforcing the Act and providing support to industry partners.
Practical Steps for Compliance and Risk Management
To achieve compliance with the Act and strengthen their cybersecurity defenses, critical infrastructure operators should consider the following strategies:
- Conduct thorough risk assessments: Utilize frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Australian Signals Directorate’s Essential Eight to guide risk assessment and mitigation efforts.
- Develop robust security plans: Establish clear policies and procedures for incident detection, response, and recovery. Ensure that security plans are regularly reviewed and updated to account for changes in the threat landscape.
- Foster a culture of cybersecurity awareness: Encourage employees to take responsibility for security by providing ongoing training, promoting best practices, and rewarding proactive behavior.
Leveraging Advanced Cybersecurity Technologies
To enhance their cybersecurity posture, critical infrastructure operators can adopt cutting-edge technologies and methodologies, such as:
- Artificial intelligence (AI) and machine learning (ML): These technologies can analyze vast amounts of data, detect anomalies, and identify patterns that may indicate potential threats. At a minimum, they should be used in your security monitoring as part of your SIEM/EDR/XDR/NDR systems.
- Blockchain technology: By providing a decentralized and tamper-proof ledger, blockchain can help ensure the integrity of critical data and transactions.
- Zero-trust security model: This approach assumes that no user, device, or network is inherently trustworthy and requires continuous validation of access requests. We recommend that you focus significant effort and resources on the zero-trust security model across your whole IT estate, as it is one of the most effective modern security controls. You can implement it with the help of Intune as part of Microsoft 365’s offering, or with the help of Google or other vendors.
- Threat intelligence and information sharing: Collaborate with industry partners, regulators, and government agencies to share threat intelligence and best practices, enhancing collective defenses against cyber threats.
Navigating the Challenges of Compliance and Evolving Threats
Compliance with the Security of Critical Infrastructure Act 2018 can be challenging due to various factors, such as resource constraints, technical expertise, and the dynamic nature of cybersecurity risks. To overcome these challenges, businesses should consider the following strategies:
- Allocate appropriate resources: Invest in technology, personnel, and training to ensure that cybersecurity efforts are adequately supported and maintained. This may include hiring dedicated cybersecurity staff or partnering with third-party providers for specialized services.
- Stay informed on emerging threats: Regularly review threat intelligence reports, subscribe to cybersecurity news outlets, and participate in industry forums to stay informed about the latest threats and mitigation techniques.
- Engage with regulators and industry partners: Establish open lines of communication with relevant government agencies and industry partners to facilitate information sharing and collaboration.
- Continuously improve and adapt: Implement a process of continuous improvement that includes periodic reviews of security plans, risk assessments, and protective measures. This will help ensure that organizations are well-prepared to address new and evolving threats as they emerge.
As always, you can contact us to have a short virtual meeting to discuss your compliance journey and how Kloudwerk could help you on it.