Search
Close this search box.

Cyber Security for Critical Infrastructure

Table of content

What is Cyber Security for Critical Infrastructure?

Cyber security for Critical infrastructure describes a framework for protecting the systems, networks and assets whose continuous operation is deemed necessary. This necessity stems from the security, resilience and basic functioning of a nation and its economy, especially concerning public health and safety.

Connectivity means Vulnerability

Almost all critical infrastructure operates in a digital environment, and while technologies like mobility and automation have improved, so have the vulnerabilities.

Global connectivity, primarily since Covid-19, has delivered more significant numbers of employees working remotely and from home. This has created new risks and greater opportunities for threat actors who have grown more sophisticated and capable. Critical infrastructure has become the preferred target for high-end cybercriminals like nation-states and terrorist organisations, including well-organised criminal syndicates.

What sectors are at risk?

The Australian Government’s Department of Home Affairs has identified the following eleven sectors are covered under the Security of Critical Infrastructure Act 2018:

The Security of Critical Infrastructure Act 2018

Australia’s Department of Home Affairs describes the Act as; The Security of Critical Infrastructure Act 2018 (the Act) as seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Act applies to 22 asset classes across the 11 sectors described above, covering food, utilities, education, transport, health and various technologies.

The key elements of the Act are:

  • A Register of Critical Infrastructure Assets
  • Mandatory cyber incident reporting – following recent amendments to the SOCI Act, responsible entities for critical infrastructure assets may be required to report critical and other cyber security incidents to the Australian Cyber Security Centre’s online cyber incident reporting portal, found at gov.au
  • Government Assistance – as a last resort if you have been unable to respond effectively.
  • The Secretary of the Department of Home Affairs will have the power to obtain more detailed information from owners and operators of assets in certain circumstances to support the work of the centre.
  • Minister for Home Affairs will have the ability to direct an owner or operator of critical infrastructure to do or not do a specified thing to mitigate against a national security risk where all other mechanisms to mitigate the risk have been exhausted.

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022.

The SLACIP Act amends the Security of Critical Infrastructure Act 2018 (SOCI Act) to introduce the following key measures.

  • A new obligation for responsible entities to create and maintain a critical infrastructure risk management program, and
  • A new framework for enhanced cyber security obligations is required for operators of systems of national significance (Australia’s most important critical infrastructure assets – SoNS)

 

The reforms in the SLACIP Act seek to make risk management, preparedness, prevention and, resilience, business as usual for the owners and operators of critical infrastructure assets and to improve information exchange between industry and government to build a more comprehensive understanding of threats.

Implications for Boards of Directors

It has never been more critical for Boards to understand and mitigate their organisation’s cyber risks. The rise of ransomware is just one threat challenging an organisation’s ability to respond to cyber attacks with more sophisticated attacks on critical infrastructure; the stakes are raised to a much greater degree.

With the above amendments now in force, boards and individual directors of critical infrastructure must be aware of their obligations to oversee and manage security threats.

While boards and directors cannot be prosecuted under critical infrastructure legislation, they do require the board to sign off on an organisation’s Risk Management Program (RMP).

The RMP is a written program that applies to responsible entities for one or more critical infrastructure assets. Organisations must identify and, as far as is reasonably practicable, mitigate material risks presenting a security threat.

This means all due care and diligence must be exercised in the governance of critical infrastructure entities.

How can Gridware help?

We can support your critical infrastructure organisation in:

  • Understanding the security implications of legislation
  • Identifying threats and hazards that could impact your assets
  • Implementing new cybersecurity controls
  • Ongoing monitoring and governance

Why Gridware?

  • World-class expertise
  • end-to-end integrated cyber security solutions and cyber security leader
  • 24/7 Cyber Defence Centre (CDC) based in Sydney and offices throughout Australia
  • Leading expertise delivering governance, risk and compliance services internationally
  • Breadth of knowledge in emerging threats
  • Gridware is the trusted advisor to many law firms, cyber insurers, federal government agencies, pit to port mining operations, transportation, and critical infrastructure
  • Gridware has assisted critical infrastructure organisations in responding to cyber security incidents
  • Gridware is a member of the Australian National Cyber Security Institute (ANCI) which is Australia’s peak cyber security membership organisation
  • Gridware is a CREST Australia New Zealand Certified Company
  • Our experts deliver governance, risk and compliance services focused on mitigating cyber security risk
  • Our experts are qualified and experienced in active incident response and threat hunting
  • Our experts conduct regular penetration testing to proactively find holes in your operations and systems before attackers do

Get a Free Quote

Let’s Get Started

Thank you for your interest in Gridware. Drop us a line and the right security specialist will contact you the same business day. If you require immediate response, please call our 24/7 Response Line.

Frequently Asked Questions

Cyber security for Critical infrastructure describes a framework for protecting the systems, networks and assets whose continuous operation is deemed necessary for the effective protection of a nation, its people and its economy.

The Security of Critical Infrastructure Act 2018 (the Act) seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Act applies to 22 asset classes across the 11 sectors of communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.

Board members or executives of critical infrastructure assets must have a documented Risk Management Program (RMP) that outlines a risk profile based on evaluation, mitigation, accountability and governance measures.

About Author
Picture of Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia...

Read More
Published November 30, 2022

Contact

Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Company

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →

Services

Services

Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl
360

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution

Resources

Resources

A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →