Critical Infrastructure Security in Australia has Become... Critical

20th October 2020

Highlights

  • The Australia Cyber Security Strategy, released in August, has put the spotlight firmly on defence of Australia’s critical infrastructure assets.
  • Lani Refiti, Advisor, Cybermetrix provides a helicopter view on key issues for the Australian cyber landscape in critical infrastructure.

The Australia Cyber Security Strategy 2020, released in August, has shifted Australia’s focus to defence of Australia’s critical infrastructure assets. Much of the almost $1.7B over 10 years has been set aside to protect critical assets, with the Australian Signals Directorate, Australian Cyber Security Centre and associated government bodies receiving a significant funding boost.

Immediately following the release of the 2020 strategy, the Department of Home Affairs released a consultation paper seeking submissions on a fresh approach to critical infrastructure security, including the government potentially intervening actively to protect critical infrastructure industries or respond to threats against them. This intervention, alongside a threat sharing platform open to public and private sector companies, brings welcome focus to what has been a blurry approach.

Critical infrastructure, commonly defined as the assets essential to the well-functioning of society and the economy, has long been an area lacking focus in Australia when it comes to managing cyber risks.

While the European Union (EU), United States and countries in the Middle East have had long established programs and areas of focus, Australia has had a less mature outlook when it came to the protection of these assets and their continued availability vis-à-vis cyber risks and potential attacks. For example, in 2006 the EU established the European Programme for Critical Infrastructure Protection (EPCIP), covering industries that were identified from the feedback of each of its member states.

Each of these industries is required to have an Operator Security Plan (OSP), which includes a risk and threat assessment, a vulnerability assessment and a selection of prioritised compensating controls.

The US has had far reaching programs in place since the late 1990s, with a detailed definition of critical industries, responsible agencies and guidelines such as the NIST Cybersecurity Framework (NIST CSF) and the National Infrastructure Protection Plan (NIPP) to support these initiatives.

In contrast, Australia has had a somewhat unfocused and disconnected approach, with multiple government bodies having a vested interest but no one body leading an orchestrated effort. The industries covered have been narrow, restricted to electricity, gas, water, ports and telecommunications, leaving other sectors such as health/hospitals, food/agriculture and transportation untouched.

Cyber risks in critical infrastructure systems that rely on Operational Technology/Industrial Control Systems (OT/ICS) are notoriously difficult to manage appropriately. The reliance on technology that runs dams, turbines and power generators, juxtaposed against increasing digital transformation in the sectors that depend on OT/ICS, means the attack surface continues to grow and attackers are increasingly looking at targets in these sectors. A renewed focus by the government and increased vigilance by organisations will need to be maintained, especially as geopolitical pressures in our region add to the complexity of securing critical infrastructure assets.