In this blog, Marina Maydanov, a Critical Infrastructure Security Advisor from Providence Consulting Group, discusses the challenges and opportunities that the recent critical infrastructure reforms introduced by the Australian Commonwealth Government bring to owners and operators of critical infrastructure assets in an increasingly complex threat landscape.
Providence Consulting Group is a Fivecast partner and provider of risk and protective security services to Australian Governments, Defence, Industry and Critical Infrastructure entities.
For owners and operators of Australian critical infrastructure organisations, the last few years have brought multiple challenges to the secure operation of their assets. A dynamic threat environment, an increasing number of destructive and costly cyber attacks, greater reliance on global supply chains to support essential services, and new legislative obligations are driving the urgent need for new protective security measures and risk management protocols.
Let’s zoom in on the reforms and explore what they mean for critical infrastructure companies.
The recently amended Security of Critical Infrastructure Act 2018 (SOCI Act) requires owners and operators of critical infrastructure assets to develop and maintain a written critical infrastructure risk management program (RMP). The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 set out the mandatory baseline security standards for an RMP, which had to be met by 17 August 2023.
Owners and operators of critical infrastructure assets are also required, under the RMP, to report annually on the effectiveness and maturity of their risk mitigations to the Department of Home Affairs or the relevant Commonwealth regulator. The annual report must be approved by the entity’s board, council or other governing body and be submitted between 30 June 2024 and 28 September 2024.
The RMP must address risks across four hazard vectors: cyber and information security hazards, personnel hazards, supply chain hazards, and physical security and natural hazards. Critical infrastructure companies subject to the Rules are required to establish and maintain a process or system to minimise, mitigate or eliminate the relevant impact on the critical asset arising from each of these four vectors.
An all-hazards approach must be taken when identifying risks that may affect the availability, integrity, reliability and confidentiality of the entity's critical infrastructure asset, and appropriate risk mitigation strategies must be established for those risks.
Implementation of these new protective security requirements may sound like a complex, challenging and expensive exercise and those responsible for establishing an RMP may be faced with the dilemma of where to start.
Let's examine whether similar protective security regimes already exist, what parallels can be drawn, and whether there are lessons learned to share.
Protective Security in the SOCI Act 2018
The protective security policy that sits behind the SOCI Act and the Rules is primarily based on the Commonwealth Protective Security Policy Framework (PSPF), which has been evolving for the past couple of decades.
The PSPF provides protective security policy and guidance to government entities to support the effective implementation of the policy across security governance, personnel security, physical security and information security.
Government entities apply the PSPF using a security risk management approach. This allows them to apply the PSPF in a way that best suits their individual security goals and objectives, their specific risk and threat environment, as well as their risk tolerance and security capability. It also allows for protective security effects to mature over time and in response to changing circumstances.
Sounds familiar, right? So, what can we learn from the PSPF implementation?
7 practical tips from the PSPF world for critical infrastructure leaders on establishing an RMP:
1. Integration
- Integrate security into existing business management systems and processes – a formal and systematic approach to protective security management can directly contribute to the business capability and credibility of your company.
- Create business efficiencies and continuity – the quantitative and qualitative benefits of security management systems can improve overall performance and communication within your company.
2. Governance
- Identify a single, accountable board-level owner of security risk to ensure the organisation's security activities are appropriately governed, resourced and managed.
- Identify the existing governance structure and assess whether it can effectively mitigate security risks.
- Make use of the broad range of stakeholders – establish multi-disciplinary governance with clear roles and responsibilities.
- Remove siloed approaches, ensuring that security risk management is an integral part of all business activities, with key stakeholders willing to share 'near misses', best practices and lessons learned.
3. Resource Utilisation
- Build on existing best practices, standards, guidance, processes and procedures rather than starting over.
- Utilise existing core principles and systems of quality and safety management (if implemented effectively and in use).
4. Management Commitment
- Senior management can demonstrate a strong commitment to security yet fail to adequately resource security departments. Commitment without resourcing will not enable success.
- Link security objectives directly to resource allocation.
5. Avoid a ‘Compliance Mindset’
- Security and risk management practitioners have historically and culturally relied on a compliance approach, characterised by checklists and templates.
- A compliance approach ignores the context in which the desired security measure is deployed, at times resulting in an investment that yields no measurable reduction in actual risk.
- Compliance runs contrary to the risk-based approach, not because compliance as a concept is flawed or inappropriate – there are instances when compliance is required – but because rules-based thinking is inadequate for managing the dynamism of human systems. Protective security is about people: your workforce and the source of threats.
6. Security Culture
- Establish the norm – define and communicate the behavioural expectations and acceptable behaviour at your workplace.
- Communicate regularly – ensure security objectives are communicated and understood throughout the organisation and by applicable third parties, suppliers and the like.
- Provide regular security awareness and training – security requirements can be seen as a barrier to effective working unless staff awareness and training are delivered in a way that supports the organisation's strategic objectives.
- Security is everyone’s responsibility.
7. Performance Metrics
- Establish performance metrics that are specific, measurable, achievable and relevant, providing a richer assurance picture beyond regulatory compliance.
- Empower and promote reporting: a healthy security culture is one in which the proactive reporting of security-related matters is part of the company's inherent behaviour.
- Continuously evaluate security maturity.