Op-Ed: Critical infrastructure security – best practices for a rapidly evolving policy area

Australia has already introduced a global-first set of reforms designed to respond to significant incidents by giving the government a set of escalating powers to respond to cyber incidents. Earlier in 2023, the government also created the Infrastructure Security Group that will bring together the cyber security and infrastructure policy settings, response and coordination as well as regulatory elements in one place to deliver the new Australia Cyber Security Strategy 2023–30 when it is launched later this year. The government has also put in place a Mandatory Cyber Incident Regime.

However, despite these rigorous measures, the exponential rise of pernicious threats, insidious cyber attacks, natural disasters – and the irregular whims of human error – has meant the government is pushing on with further regulatory reforms to better draw together cyber-specific legislative obligations and standards.

Core sectors of critical infrastructure security

The government’s enhanced Security of Critical Infrastructure Act (SOCI) (2018) passed in two tranches – the first in December 2021 and the second in April 2022 – bringing in a framework for prevention and response at a national scale. These amendments expanded the reach of the act from four to 11 industry sectors including data storage or processing; communications; defence; energy; financial services and markets; food and grocery; health care and medical; higher education and research; space; transport; and water and sewerage.

The provisions in the SOCI Act attract significant penalties for non-compliance.

Critical infrastructure security challenges

Securing critical infrastructure is challenging. To begin with, critical infrastructure systems are highly interconnected and interdependent, which means that a disruption in one system can trigger a series of failures across other systems. Second, critical infrastructure systems regularly run on legacy systems, which means vulnerabilities are difficult to detect and remediate, increasing the threat of rapidly changing government obligations – and of surviving in a mutating threat environment. Third, critical infrastructure systems have a huge attack surface so are subject to a wide range of threats, including cyber attacks, physical attacks, natural disasters, and human errors.

Best practices for meeting critical infrastructure security obligations

VIEW ALL

Regardless of the critical infrastructure sector an organisation belongs to, there are a number of common best practices that could and should be adopted to meet the government’s enhanced obligations:

1. Risk assessment: The federal government’s critical infrastructure risk management program, legislated in recent amendments to SOCI, adopted a principles-based approach placing the onus on industry to act on risks “so far as is reasonably practicable”. According to the Australian Strategic Policy Institute, critical infrastructure operators must carry out detailed risk assessments to understand the threats they face and of the capability, intent, and opportunity of an individual, group, or country to carry out those threats. The risk-management program mandates an annual reporting requirement for entities to provide assurances to the government of their management of security risks.
2. Threat intelligence: The government’s enhanced requirements mean gathering and analysing threat intelligence is essential for identifying potential cyber, physical, and natural threats to critical infrastructure systems. Without regular access to threat intelligence, it is difficult to make risk-mitigation assessments or identify vulnerabilities. Without regulation, this will be more challenging for organisations in the future when some government information could be highly classified, impacting sovereignty or national security.
3. Access control: Organisations can use strong access control systems to prevent physical access to sensitive facilities. Other measures include using multi-factor authentication and job- or task-specific access to sensitive areas.
4. Cyber security measures: Implement cyber security measures like firewalls to secure the perimeter. Likewise with strong intrusion prevention systems and encryption protocols. This can help protect critical infrastructure systems from cyber attacks.
5. Physical security measures: The federal government’s critical infrastructure resilience traditionally focused on cyber security but its new approach is more integrated, adopting an “all-hazards” model which covers physical security, cyber, personnel, and supply-chain risks. Things like entry/exit checks, surveillance cameras, security guards, and access control systems can help protect critical infrastructure from physical attacks.
6. Incident response planning: Developing and implementing an incident response plan is crucial for responding to security incidents. For example, mandatory reporting of information security incidents came into effect for 11 critical infrastructure sectors last year. Conducting routine red team exercises will test the effectiveness of incident response plans.

Critical infrastructure security is meticulously governed by a tapestry of stringent regulatory standards, designed to fortify resilience and unyielding reliability. New obligations require responsible entities to consider the hazards they may face as a business and take tangible steps to manage risks to operations of critical infrastructure assets.

Organisations that focus on adopting the six best practices I’ve outlined will be well on the way to meeting their obligations and ensuring the resilience and reliability of these essential systems.

Les Williamson is managing director – ANZ at Check Point Software Technologies.