There’s been a lot of commentary in the press and from industry pundits about the Federal Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020, which was introduced into Parliament on 10 December.
While substantial, this Bill is part of a package of reforms under Australia’s Cyber Security Strategy 2020 that aims to help Australian businesses become more cyber secure. For those organisations operating our critical infrastructure, the need for cyber resilience is now being treated with even more urgency under the proposed updates to this Bill. This is due to the extreme consequences that a cyber incident may have on the provision of essential services, national security, public health and our economic interests.
In the words of the Federal Government, “Critical infrastructure is increasingly interconnected and interdependent. Connectivity without proper safeguards creates significant vulnerabilities. Interconnectedness means that compromise of one critical infrastructure asset can have a domino effect that degrades or disrupts others and results in cascading consequences across Australia’s economy and national security.”
While the updated Bill may be offering more rigour in a regulatory context, the measures it proposes are fundamentally extensions of the previous SOCI (Security of Critical Infrastructure Act 2018) obligations to “embed preparation, prevention and mitigation activities into the business-as-usual operating of critical infrastructure assets.”
More significantly, however, the Bill seeks to mandate compliance with cyber security requirements for operators of critical infrastructure. The requirements proposed are industry-specific, given the varying risk posture and associated threat profile that different sectors face.
The Federal Government’s intention to mandate compliance is not only a significant step towards uplifting the cyber maturity of our country; it positions us as world leaders at the forefront of the defence against cyber adversaries.
Until now, Australia has taken a ‘best effort’ approach to cyber resilience, with no mandatory obligation for operators of critical infrastructure to implement security controls to secure Operational Technology (ICS / SCADA) assets. Boards and executives can be accused of having Ostrich Syndrome – not willing to acknowledge the clear and present cyber risk to their business – for fear of having to heavily invest in a security uplift program.
If proposed changes to this Bill are ratified, executives will be held to account. ‘Best effort’ and continually cutting corners with tactical security quick fixes just won’t cut the mustard. The time is now to start allocating budget and resources, to strengthen your business security posture and cyber resilience, and to come up with a considered cyber security approach.
Not all industry sectors are lagging behind. In recent years, the Australian Energy Market Operator (AEMO) implemented a tailored cyber security framework (the Australian Energy Sector Cyber Security Framework) for energy sector operators. This was developed in consultation with government agencies (ACSC, CIC, CSIWG).
AEMO’s AESCSF can be seen as a proactive approach by the market operator to guide those in the energy sector towards an uplift in security maturity. Defining requirements based on industry standards – such as NIST CSF, ISO 27001 and ES-C2M2 – then tailoring to energy operator needs, is an approach the updated Critical Infrastructure Bill should adopt, so as to be proportionate to the risk profile of individual entities.
The Federal Government states, “As the majority of Australia’s critical infrastructure is owned and operated by private industry or state and territory governments, it is vital that our approach to ensuring the resilience of Australia’s critical infrastructure is clear, effective, consistent and proportionate.”
Over 12 years ago, SIS founder, Dr Christopher Beggs, proposed “the use and practicality of holistic standards that are sector-specific with similar commonalities” as “an attractive option that many organisations could simply follow.” Accordingly, we welcome the Federal Government’s positive steps in collaborating with entities such as AEMO to create sector-specific requirements, along with important regulations that will help us protect the critical infrastructure that provides the essential services upon which we all depend.
The further allocation of funding, whereby critical infrastructure operators will be able to access a $66 million program to help assess their networks for vulnerabilities, also complements the Federal Government’s recent efforts to secure our national interests.
For the last decade, SIS have been advocating for our clients to adopt a holistic, strategic approach to cyber security that addresses business risk at its core. All too often, we have seen engineers and cyber security personnel within critical infrastructure operators fail to secure the management endorsement and buy-in required to enable that cultural shift in organisational thinking – to, ultimately, prioritise security in the same way safety is treated. This happens largely because, unless the business experiences a cyber breach or faces a regulatory obligation, there is no appetite to spend money on security.
There will no doubt be some backlash from those that see the Critical Infrastructure Bill as just more government red tape that will only burden business with extra checks and balances to fund. However, we see it differently – as a significant milestone, which will act as a wake-up call-to-action, that might not only protect our national interests, but potentially safeguard society.
Other defining features of the updated Bill include the establishment of a Positive Security Obligation (PSO), which is designed to consolidate the “clear, effective, consistent and proportionate” approach that the government stipulates. The PSO consists of three specific aspects:
1. The implementation of a Register of Critical Infrastructure Assets, so the government knows where the control and ownership of assets sit, and also who has access to critical infrastructure;
2. The adoption of an all-hazards Critical Infrastructure Risk Management Program to ensure responsible management and risk mitigation of critical infrastructure (and impose a penalty of $44,400 per breach if an organisation fails to comply); and
3. Mandatory notification of cyber security incidents to the Australian Signals Directorate to enable more proactive, rather than reactive, responses.
The proposals put forward for this Bill amendment are widely supported by industry. Change is coming, so there is no better time than the present for Boards to put their industrial cyber security requirements on the agenda and start allocating budgets to meet the stipulations of the Bill.
At SIS, we are ready to act for our customers on all aspects of the Bill, and we have the know-how and the tools to act now.
Want to get moving on your critical infrastructure compliance? Get the jump on new regulations by engaging with the industrial cyber security specialists at SIS.