A high-level webinar with prominent industry figures was held this week by MySecurity Media, in association with the cybersecurity company Claroty, to address the significant issue of cybersecurity protection of critical infrastructure.
The Australian Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the Security of Critical Infrastructure Act 2018 will see minimum cybersecurity standards applied to operators of important assets.
The Australian Government wants to extend a regulatory cybersecurity framework across 11 critical sectors and their attendant systems. The framework aims to protect key supply chains and infrastructure in the event of a serious security threat. Australia’s Cyber Security Industry Advisory Committee has warned the country needs to stay the course, investing money and resources along the way.
Three key industry professionals, Adm. (Ret) Michael S. Rogers, Former Commander, U.S. Cyber Command and Director, National Security Agency; Sam Grunhard, Head of the Critical Infrastructure Security Division, Australian Department of Home Affairs; and Lani Refiti, Regional Director, Claroty ANZ, each spoke to the functional requirements needed for government and private operators to work together. National and international cyber-attack trends targeting critical infrastructure, along with the convergence of Operational Technology (OT) and Information Technology (IT) systems, have motivated government to seek the necessary insights from critical infrastructure operators to ensure they are protecting their systems.
OVERVIEW OF WHAT THEY SAID
Adm. (Ret) Michael S. Rogers
Critical infrastructure is increasingly being placed at risk. Historically, if we go back in the past, we tend to associate that risk with nation states using cyber as a tool to penetrate critical infrastructure of the networks, the IT, OT infrastructure. This is with a view to potentially degrading or denying its capabilities. And now, increasingly, you’re seeing not only that, but you’re seeing criminal actors who view this critical infrastructure as sources of revenue.
Critical infrastructure clearly is becoming not just a nation state target but a ransomware criminal target. Because there is such significant revenue to be gained. And like Australia in the United States, much of what we define as critical infrastructure does not exist under government control. It is private infrastructure run by private entities. And the government therefore has an interesting challenge. How do you both incentivise private industry to make changes, and then by the same token, how do you generate a regulatory or compliance framework that provides the means to set a baseline of cyber security?
The events of the last six months highlight there is no one single group that has the answers. Government can’t do this by itself, and the private sector can’t do this by itself. It is all about how we create partnerships, collaboration, and integration.
We clearly have a deteriorating threat environment. We do worry about our foreign nation states, but clearly a lot of the activity we’ve seen over the last 12 to 18 months has been criminal gangs. While we haven’t had a Colonial Pipeline style attack in Australia, we’re certainly watching that very closely. We did have some significant disruptions to, for example, our hospital network during the early height of COVID last year, as an example of what can go wrong. We are very worried about the deteriorating threat environment, as you imagine we work very closely with international partners.
The other key point is collaboration. Collaboration with the private sector. A great deal of our critical infrastructure in Australia is in private hands and not only does Government not have control over them, but it also simply doesn’t have the expertise.
So, the design of the scheme that is before parliament at the moment is precisely designed to recognise that fact. And also, to formalise how we can partner and establish a legal framework so we can bring the government’s capabilities to help in a time of crisis, but also in a way that is covered by a legal authorising framework that makes clear who is responsible for what, who you can appeal to and what the requirements are. It is putting into place all of those legal requirements that make crystal clear for everyone involved how we’re going to run and what the rules of the game are. That’s really the intention of the legislation. What we’re doing in the meantime is co-designing with industry what the rules will look like while parliament continues to consider the bill.
On the Security of Critical Infrastructure Act and its amendment, the overall feedback from clients is that it has been a great thing to give them a sense of clarity.
The rules of engagement, in terms of what they need to do, the expectations and obligations. If you start from that point of giving the operators a sense of clarity, it helps them to move forward in terms of cyber security and improve their uplift work.
And it must be said, after 12 years of working in the critical infrastructure sector, there has been significant improvement in terms of risk mitigation and cyber risk maturity. But given the change happened slowly in this sector, in particular technology, there is still a lot of work to be done. And additionally, not all 11 sectors that are covered under the Act are at that same level either.