
Cyber Security for Critical Infrastructure

What is Cyber Security for Critical Infrastructure?

Cyber security for critical infrastructure describes a framework for protecting the systems, networks and assets whose continuous operation is deemed necessary. That necessity stems from their role in the security, resilience and basic functioning of a nation and its economy, especially where public health and safety are concerned.

Connectivity means Vulnerability

Almost all critical infrastructure operates in a digital environment, and as technologies like mobility and automation have advanced, so have the vulnerabilities that come with them.

Global connectivity, particularly since Covid-19, has led to far greater numbers of employees working remotely and from home. This has created new risks and greater opportunities for threat actors, who have grown more sophisticated and capable. Critical infrastructure has become the preferred target for high-end cybercriminals such as nation-states and terrorist organisations, as well as well-organised criminal syndicates.

What sectors are at risk?

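The Australian Government’s Department of Home Affairs has identified the following eleven sectors as covered under the Security of Critical Infrastructure Act 2018:

  • Communications
  • Data storage or processing
  • Defence
  • Energy
  • Financial services and markets
  • Food and grocery
  • Health care and medical
  • Higher education and research
  • Space technology
  • Transport
  • Water and sewerage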

The Security of Critical Infrastructure Act 2018

Australia’s Department of Home Affairs describes the Act as follows: the Security of Critical Infrastructure Act 2018 (the Act) seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Act applies to 22 asset classes across the 11 sectors described above, covering food, utilities, education, transport, health and various technologies.

The key elements of the Act are:

  • A Register of Critical Infrastructure Assets
  • Mandatory cyber incident reporting – following recent amendments to the SOCI Act, responsible entities for critical infrastructure assets may be required to report critical and other cyber security incidents to the Australian Cyber Security Centre’s online cyber incident reporting portal, found at gov.au
  • Government Assistance – as a last resort if you have been unable to respond effectively.
  • The Secretary of the Department of Home Affairs will have the power to obtain more detailed information from owners and operators of assets in certain circumstances to support the work of the centre.
  • The Minister for Home Affairs will have the ability to direct an owner or operator of critical infrastructure to do or not do a specified thing to mitigate a national security risk where all other mechanisms to mitigate the risk have been exhausted.

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022.

The SLACIP Act amends the Security of Critical Infrastructure Act 2018 (SOCI Act) to introduce the following key measures.

  • A new obligation for responsible entities to create and maintain a critical infrastructure risk management program, and
  • A new framework of enhanced cyber security obligations for operators of systems of national significance (SoNS), Australia’s most important critical infrastructure assets

The reforms in the SLACIP Act seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets, and to improve information exchange between industry and government to build a more comprehensive understanding of threats.

Implications for Boards of Directors

It has never been more critical for Boards to understand and mitigate their organisation’s cyber risks. The rise of ransomware is just one threat challenging an organisation’s ability to respond to cyber attacks. With more sophisticated attacks on critical infrastructure, the stakes are raised to a much greater degree.

With the above amendments now in force, boards and individual directors of critical infrastructure must be aware of their obligations to oversee and manage security threats.

While boards and directors cannot be prosecuted under critical infrastructure legislation, the legislation does require the board to sign off on an organisation’s Risk Management Program (RMP).

The RMP is a written program that applies to responsible entities for one or more critical infrastructure assets. Organisations must identify and, as far as is reasonably practicable, mitigate material risks presenting a security threat.

This means all due care and diligence must be exercised in the governance of critical infrastructure entities.

How can Gridware help?

We can support your critical infrastructure organisation in:

  • Understanding the security implications of legislation
  • Identifying threats and hazards that could impact your assets
  • Implementing new cybersecurity controls
  • Ongoing monitoring and governance

Why Gridware?

  • World-class expertise
  • End-to-end integrated cyber security solutions from a cyber security leader
  • 24/7 Cyber Defence Centre (CDC) based in Sydney and offices throughout Australia
  • Leading expertise delivering governance, risk and compliance services internationally
  • Breadth of knowledge in emerging threats
  • Gridware is the trusted advisor to many law firms, cyber insurers, federal government agencies, pit to port mining operations, transportation, and critical infrastructure
  • Gridware has assisted critical infrastructure organisations in responding to cyber security incidents
  • Gridware is a member of the Australian National Cyber Security Institute (ANCI) which is Australia’s peak cyber security membership organisation
  • Gridware is a CREST Australia New Zealand Certified Company
  • Our experts deliver governance, risk and compliance services focused on mitigating cyber security risk
  • Our experts are qualified and experienced in active incident response and threat hunting
  • Our experts conduct regular penetration testing to proactively find holes in your operations and systems before attackers do

Frequently Asked Questions

Cyber security for Critical infrastructure describes a framework for protecting the systems, networks and assets whose continuous operation is deemed necessary for the effective protection of a nation, its people and its economy.

The Security of Critical Infrastructure Act 2018 (the Act) seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Act applies to 22 asset classes across the 11 sectors of communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.

Board members or executives of critical infrastructure assets must have a documented Risk Management Program (RMP) that outlines a risk profile based on evaluation, mitigation, accountability and governance measures.

About Author
Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia...

Published November 30, 2022
