Preparing for Critical Infrastructure Changes: Clues From Australia
In light of the recent May 2021 Federal Budget, which puts focus on Cybersecurity, the Australian Government’s increased emphasis on protecting critical infrastructure from cyberattacks is an important step in strengthening our ability to defend the Australian economy and society at large.
For MSPs and channel partners worldwide, the Australian Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 may provide some clues about how governments worldwide plan to mitigate cyber risk. Those government plans, in turn, may influence MSP and channel partner cyber strategies worldwide.
For context, the Australia legislation introduces an expanded and enhanced framework for protecting critical infrastructure and systems of national significance (CISONS), building on 2018’s Security of Critical Infrastructure (SOCI) Act. Notable within this new Bill is the expansion of the entities it covers, beyond the utilities and ports covered under the SOCI 2018 Act to now include communication and data facilities as well as industries such as higher education, research, food and grocery, healthcare, transport, and many others. All in all, 11 industries are now included.
There is much work to be done for affected entities, starting with the need to understand the obligations that will be placed on them and then to ensure they can meet these expectations. At Cisco, we have been actively involved in the consultative approach the Australian government is taking, not only as a key player in an industry that is covered by this legislation, but also as an advocate for our customers in all sectors. Our initial input can be found here and comments on the exposure draft here.
The government’s strategy can be broken down into three key areas (note: this is our grouping); reporting obligations, cyber risk management, and operational capabilities.
- Reporting obligations relate to organizational, supply chain, and asset information – this category also includes cyber incident reporting, with the time window for notification also being shortened.
- Cyber risk management will see organizations needing to adopt (if they haven’t already) risk management processes for critical services, taking into account all hazards, threats and requirements. Cyber risk is likely to fall under the ownership of board or executive leadership, as we have seen elsewhere around the world. Industry specific regulations are also likely, with regulators appointed for each industry, and co-design of standards and requirements the stated goal.
- As for operational capabilities, we will see the bolstering of cyberthreat sharing and incident assistance. Faster and industry-specific cyberthreat sharing will be an important capability to uplift readiness across the board. The government is also investing in furthering the Australian Cyber Security Centre’s (ACSC) incident response and assistance capabilities. More on that can be read in our submission.
Much, however, remains undefined, with sector specific workshops and other efforts still to come (at time of writing). That doesn’t mean we should wait – there is a lot we can do to prepare for what is ahead.
Preparing for what’s ahead
We can break down what can be done today into three areas:
Firstly, visibility is critical – knowing what assets you have, how they communicate with each other, and over what protocols. As the old adage goes, you cannot secure what you don’t know about, but you also can’t see what isn’t visible. In many organizations, and particularly Operational Technology environments, visibility is commonly lacking, although it remains critical to understanding vulnerabilities and truly being able to assess risk.
Once we know what we are securing, we can move onto mitigating known weaknesses and protecting it. The reality today is that many organizations have devices that are insecure operationally due to not being patched, but as aforementioned, you can’t patch what you don’t know about. Knowing what you have also means you can better assess what additional layers of defense could be useful.
Now that we have gained visibility and begun to act, we can focus on improving operational efficiency. The competing pressures of elevated cyberthreat landscapes and constrained budgets mean we must do more with less, and finding efficiencies is essential for managing the additional new responsibilities that will come under the expanded Act, including the need to report incidents faster.
These sound like challenging tasks, but the process of adaptation to the proposed changes in the Act can be smoothed by focusing on integrated security. Developing your network as a digital platform means the security components can all work together, incorporating the ingestion of threat intelligence, sharing of relevant context, enhancing detection and response capabilities, and containment and recovery operations. But this all requires a cohesive approach.
Security is no longer a bolt-on product. It must be integrated with solutions, and this means solutions must be considered holistically. Digitization interweaves digital capabilities within our businesses, and we must engineer digital capabilities the same way we engineer physical infrastructure. An all-hazards approach reinforces this concept, and cybersecurity must be baked into everything we do.
Cisco embraces this holistic approach, and embeds cybersecurity within its products, and ensures the cyber needs of our customers are at the forefront of everything we do. As a trusted partner of key critical infrastructure operators globally and within Australia, Cisco knows how to help navigate the digitization and cybersecurity challenges the modern critical infrastructure landscape presents. If you have further interest, please reach out to a Cisco representative to discuss how to best prepare for your critical infrastructure obligations.