When the federal government set the ambitious challenge of making Australia the most cyber-secure nation in the world by 2030, it also moved to overhaul legislation to protect critical infrastructure assets by adopting an all-hands approach to resilience that includes an enhanced security posture in response to the heightened security threats that the nation now faces.
Australia has already introduced a global-first set of reforms designed to respond to significant incidents by giving the government a set of escalating powers to respond to cyber incidents. Earlier in 2023, the government also created the Infrastructure Security Group that will bring together the cyber security and infrastructure policy settings, response and coordination as well as regulatory elements in one place to deliver the new Australia Cyber Security Strategy 2023–30 when it is launched later this year. The government has also put in place a Mandatory Cyber Incident Regime.
However, despite these rigorous measures, the exponential rise of pernicious threats, insidious cyber attacks, natural disasters – and the irregular whims of human error – has meant the government is pushing on with further regulatory reforms to better draw together cyber-specific legislative obligations and standards.
Core sectors of critical infrastructure security
The government’s enhanced Security of Critical Infrastructure Act (SOCI) (2018) passed in two tranches – the first in December 2021 and the second in April 2022 – bringing in a framework for prevention and response at a national scale. These amendments expanded the reach of the act from four to 11 industry sectors including data storage or processing; communications; defence; energy; financial services and markets; food and grocery; health care and medical; higher education and research; space; transport; and water and sewerage.
The provisions in the SOCI Act attract significant penalties for non-compliance.
Critical infrastructure security challenges
Securing critical infrastructure is challenging. To begin with, critical infrastructure systems are highly interconnected and interdependent, which means that a disruption in one system can trigger a series of failures across other systems. Second, critical infrastructure systems regularly run on legacy systems, which means vulnerabilities are difficult to detect and remediate, compounding the difficulty of keeping up with rapidly changing government obligations and of surviving in a mutating threat environment. Third, critical infrastructure systems have a huge attack surface, so they are subject to a wide range of threats, including cyber attacks, physical attacks, natural disasters, and human errors.
Best practices for meeting critical infrastructure security obligations
Regardless of the critical infrastructure sector an organisation belongs to, there are a number of common best practices that could and should be adopted to meet the government’s enhanced obligations:
Critical infrastructure security is meticulously governed by a tapestry of stringent regulatory standards, designed to fortify resilience and unyielding reliability. New obligations require responsible entities to consider the hazards they may face as a business and take tangible steps to manage risks to operations of critical infrastructure assets.
Organisations that focus on adopting the six best practices I’ve outlined will be well on the way to meeting their obligations and ensuring the resilience and reliability of these essential systems.
Les Williamson is managing director – ANZ at Check Point Software Technologies.