Critical infrastructure: Beyond just cyber security
The effective protection and security of Australia’s critical infrastructure assets are a vital part of Australia’s national competitiveness - as well as an essential part of both the Federal and State Governments’ duty to ensure the delivery of essential services to the country and community at large. Australia’s modern critical infrastructure security regime was established by the passage in 2018 of the Security of Critical Infrastructure Act 2018 (SOCI) and two sets of amendments in December 2021 and April 2022, respectively. This Act of the Federal Parliament established, for the first time, the overall national framework to manage the complex and evolving national security risks of sabotage, espionage, cyber security, ransomware and other threats to the “critical infrastructure” of the country.
Importantly, the SOCI places obligations on boards and management teams running and operating critical infrastructure assets to deploy a critical infrastructure risk management program (CIRMP).
What is Critical Infrastructure?
The Act defines critical infrastructure as a host of organizations and systems, which together make up the assets that provide for the normal functioning of our society. This includes things like rail and roads, telecommunications, critical data centres, financial market infrastructure, critical electricity and gas assets, critical education assets, food, water, grocery and freight systems, healthcare and major hospitals, and more.
Of note, the Act’s amendments in 2021 and 2022 sought to further enhance cybersecurity preparedness by critical infrastructure providers and, in some instances, obligate providers to comply with mandatory cyber breach reporting, as well as to undertake cybersecurity threat and vulnerability exercises, along with some forms of reporting to the Australian Signals Directorate. Many of the provisions of these amendments come into effect this year.
Securing critical infrastructure is a major undertaking in Australia. Many of our critical infrastructure systems are interdependent and connected to each other – especially in areas like telecommunications and energy. This can mean that when an incident impacts one provider, there can often be a cascading effect, causing failure or reduced performance in other areas of the system.
Additionally, many critical infrastructure systems run on older legacy systems, which can mean that faults and vulnerabilities can be more difficult to detect and fix. Finally, critical infrastructure systems can be seen as a “huge target” by bad actors – subjecting providers to a wide range of threats, including cyber-attacks or more physical attacks.
Service providers and their equipment and software providers, like Ribbon, have been working diligently to help service providers and other critical infrastructure operators come into compliance with the increased obligations of SOCI.
What should businesses and critical infrastructure providers do?
First and foremost, critical infrastructure providers need to understand their obligations under the amended Act and consider the following:
- Does the Act apply to our organization?
- How prepared are we for the compliance and reporting obligations of the Act?
- Have we developed and completed a plan and conducted a current threat assessment that includes cyber security, physical security, and natural disasters? Are our IT systems current, and do they follow best practices?
- Do we have the right partners in place to assist us in our obligations?
- Have we involved the whole organization, including IT, HR, security, facilities, and other groups within the organization that are needed to ensure a robust framework to meet our compliance obligations?
Critical infrastructure security is now a heavily regulated area in the Australian economy - designed to enhance resilience, reliability and continuity of operations. Following the steps above is a good start for major organizations to understand and comply with their new obligations under the Security of Critical Infrastructure Act and to take meaningful steps to minimize risks to the operation of critical infrastructure assets nationwide.