Australia’s focus on critical infrastructure risk management
Australia is at the forefront of collective cybersecurity regulation. Given its role in Geopolitics and proximity to contested cyber domains, several recent security reforms are raising the expectations of 11 critical infrastructure sectors and 22 categories of critical infrastructure assets. Australia and many other countries around the world continue to bolster cybersecurity initiatives with the goal of increased trust and verification in mind.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has issued sector-specific guidelines while simultaneously building trust with industry to enhance owner and operator input on actions like the rulemaking process for the new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The European Union is pursuing two new mandates that will provide an updated and comprehensive legal framework to strengthen both the physical and cyber-resilience of critical infrastructure.
As of September 2023, the Australian government has also increased the number of businesses deemed 'Systems of National Significance' (by virtue of their interdependencies across sectors and potential for cascading consequences) to 168, with an overarching goal to maintain near real-time cyber threat awareness. In 2022, the INCONTROLLER incident highlighted the potential risks of cyber-attacks targeting such systems. Thankfully, the attack was identified before any operational incidents occurred, showcasing the potential benefits of investing in cyber security solutions specifically designed for industrial, high-consequence operations.
Securing Critical Infrastructure and Industrial Operations
The Security of Critical Infrastructure (SOCI) Act of 2018, amended in 2021 and 2022, includes "Positive Security Obligations" for entities within each sector. The 11 sectors include Communications, Financial services and markets, Data storage or processing, the Defence industry, Higher education and research, Energy (Electricity, Energy Market Operator, Gas, Liquid Fuel), Food and grocery, Health care and medical, Space technology, Transport (including aviation and maritime assets), and Water and sewerage.
SOCI requires each entity to categorise and register critical infrastructure assets and to notify and share information about cybersecurity incidents – actual or imminent – as well as an estimation of actual or likely relevant impacts. Obligations for reporting on Positive Security Obligations depend on the sector and asset, as determined by the Australian government where existing regulations or compliance measures are deemed insufficient.
In addition, SOCI updates now require compliance with the Security of Critical Infrastructure Risk Management Program (CIRMP) rules that went into effect on February 17, 2023. With the grace period for assessing implications and application of new laws and requirements expiring for organisations on 17 August 2023, entities now have until 18 August 2024 to demonstrate ongoing regulatory compliance.
The CIRMP rule requires board-approved risk management programs that must adopt an all-hazards security approach to cyber and information security hazards. Specifically, responsible entities must first review all critical assets to:
- Identify each hazard where there as a material risk of a "relevant impact" and
· Minimise, mitigate or eliminate any material risk from the hazard (to the extent reasonably practicable)
- Comply with a framework contained in a document (to be enforced)
Entities may choose to adopt and maintain one of the following framework options:
- Australian Standard AS ISO/IEC 27001:2015
- Essential Eight (E8) Maturity Model published by the Australian Signals Directorate (Level 1)
- Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America
- Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America (Level 1)
- The 2020‑21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327) (Security Profile 1)
Planning and framework oversight and incident response preparedness will be enforced by the Australian Signals Directorate (ASD). The ASD also has established and maintains legal authority to directly interfere with and establish control over entities' systems when private owners have been compromised or controlled and cannot regain control.
The Scope of Risk Management
Individuals, teams, businesses, and sectors struggle with competing priorities: Connectivity of critical assets to the internet or accessible networks, insecure remote connections, complex and just-in-time supply chains. Should they focus on data security? Network security? Devices and endpoints? Does security come before, during, or after cloud adoption and increased automation projects? Despite shared goals and recognised dependence on technology in all aspects of daily life, challenges and constraints hamper the use of existing security frameworks, recommendations, and best practices.
The growing number of exploitable vulnerabilities and the great number of potential attack patterns have also revealed three common issues for critical infrastructure:
- The looming threat of highly sophisticated, often nation-state-level attacks narrows the focus to threat hunting at the expense of other indicators worth investigating.
- IT security principles do not map perfectly to operational technology (OT) security requirements where segmentation and context drive prioritisation.
- Companies and security leaders continue to react to security incidents and available intelligence rather than building the capability to limit their severity.
Categories for All-Hazards Risk Management
The biggest difference when we look at risk assessments for OT versus information technology (IT) is tolerance. Risk tolerance quantification looks very different based on system life cycles, available patches, acceptable system downtime, and the sequencing of maintenance. The tactics, techniques, and procedures (TTPs) threat actors use in cyberspace may or may not find a way to escalate privileges and cause mayhem by targeting systems by exploiting vulnerabilities.
Risk tolerance, therefore, is a cycle of entities mapping necessary security components of their organisation, attempting to understand how those components fulfill various portions of existing standards, regulations, suggestions, and best practices while hoping compliance regimes measure the right things as necessary to have – which are ultimately industry-specific and thus recreate the cycle.
Security leaders and teams must map:
- The status of their security program, risk ownership, and visibility gaps.
- Existing management and mitigation tools, resources, and capacity.
- The development environment of third-party products and security management of suppliers.
- Enterprise content management, data security and personally identifiable information (PII).
- Operational products and services, hardware, software, IoT, cloud offerings, and related systems.
- Upstream and downstream supply chain.
- OT and cyber-physical security.
- The sea of available add-on security products.
All sectors continue to reveal cybersecurity gaps, reorient change management, and drive holistic cybersecurity coverage as investments in industrial cybersecurity grow. Focused investments for OT fall into four main categories:
Category 1 – Network Visibility: If network activity is not monitored in real-time, the status of assets is largely unknown, and whether they have vulnerabilities or not, these assets cannot be protected without the necessary visibility into their day-to-day functionality.
Category 2 – Vulnerability Management: Vulnerabilities are not all the same; the degree to which vulnerabilities impact integrity and availability of systems varies by technology, deployment, configuration, and environment.
Category 3 – Cyber Threat Intelligence: Threat actors targeting OT and (industrial control systems) ICS seek to craft the perfect concoction of capabilities and vulnerabilities that will cause disruption or damage to their target. They can be opportunistic, highly tailored, or a mixture of both, and can be alerted on with proper tuning of monitoring tools.
Category 4 – Gaining Situational Awareness: Components and connections continue to increase with multiple vendor systems and integrations. Simply having and storing reams of data is not useful for any risk mitigation strategy; it must be contextualised for relevance – combining network visibility, vulnerability management, and context-driven cyber threat intelligence.
Effectively, teams need a balance between automation and manual investigation. For under-pressure security teams, automating repetitive, time-consuming, low-level tasks is essential. If a tool can combine this automation with the real-time data and context needed to empower analysts to investigate high-impact, time-sensitive incidents, it is even better.