Powered by MOMENTUM MEDIA
defence connect logo
More transparency, tougher defences: One year of SOCI

Opinion: Australia’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 amendments have been in place for nearly a year, and in this time, Australian critical infrastructure has had a workout on its cyber defences, writes Stefanie Oakes, general manager – Asia Pacific Services, Honeywell Building Technologies.

Opinion: Australia’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 amendments have been in place for nearly a year, and in this time, Australian critical infrastructure has had a workout on its cyber defences, writes Stefanie Oakes, general manager – Asia Pacific Services, Honeywell Building Technologies.

The amendments to the Security of Critical Infrastructure Act 2018 (SOCI) expand the list of what constitutes critical infrastructure and put in place regulations and obligations that significantly raise the cybersecurity standard for many organisations.

The added industries each have a key role to play in keeping Australia running, and their inclusion reflects a growing understanding of where vulnerabilities may occur. These sectors, along with finance, data centres and storage, transport, energy, space, water and communications, are now subject to tighter cyber obligations under SOCI.


The updates are timely. According to the latest Australian Cyber Security Centre (ACSC) Threat Report, every single Australian industry was hit by ransomware in 2021-22.

Cyber incidents are often thought of as data breaches or ransomware. As the lines blur between Information Technology (IT) and Operational Technology (OT) environments, any network connection and any Internet-connected device can be a target. This means that, if not properly protected, building systems such as physical security devices and heating, ventilation and air conditioning (HVAC) systems can be at risk.

The pandemic has seen most industries move at least part of their workforce to remote systems, creating further vulnerabilities and avenues for attack. Think of it this way: the more doors there are into your system, the more doors there are that can be breached.

Many organisations simply don’t have the expertise required to sustain the planning or reporting SOCI requires, or the governance transparency to identify where ownership of assets lies.

Compliance with SOCI shouldn’t be seen as a cost burden on business, but as an opportunity to reduce risk. Cybercrime is only increasing, and these regulations provide a strong incentive to move fast and start thinking about the real risks of an attack. Remediation could prove more costly than mitigation.

In a rapidly changing threat landscape, cyber skills are a muscle that must be continuously flexed whether or not the organisation is covered by SOCI.

For larger organisations, the challenge is identifying and building the governance structures to clearly delegate cyber responsibilities. PwC surveyed Australian organisations and found 87 per cent were concerned that risk owners did not have the required skillsets to manage risks. In many companies with a large spread of assets, divisions and departments, it’s not always obvious who is in charge.

Smaller organisations have different challenges. Budget constraints are significant, as is uncertainty over whether some of the high-level cyber requirements apply to them. The ACSC reports that nearly half of small businesses spend less than $500 a year on cybersecurity, while these businesses incur an average cost per cybercrime of $39,000.

Additionally, SMEs often lack the same level of institutional knowledge or the ability to attract the right technical talent. If the one employee who knows all the passwords leaves, the business may be required to build its security posture back up from scratch.

A regulation is only as good as the people it governs, but these new obligations have seen an increase in creative cyber solutions that make the most of tight budgets and skill shortages.

Businesses are using autonomous, AI-enabled deception tactics to outsmart attackers and high-fidelity threat detection to spot and control attacks. Deception technologies confuse actors and lead them away from critical assets and towards decoys.

The key advantage of this technology is that it requires neither specialist training nor complicated modifications to suit existing OT environments. In a resource-tight organisation, a solution such as this is easier and cheaper to implement.

At their core, the SOCI regulations encourage businesses to start to implement cyber safeguards, but basic internet hygiene should be the first step any organisation takes as it recalibrates in the new SOCI environment.

This means educating staff on identifying scams and on current threats; using strong passwords and multi-factor authentication; using protections such as a VPN; regularly cleaning out operating systems; deploying patches and the latest software upgrades; and delegating responsibility for each element of a company’s cyber stance.

Without this basic knowledge, information security offices can’t effectively report breaches in a timely manner. Once this familiarity is in place, building proper policies and governance frameworks flows more easily.

In the last 12 months organisations have taken steps to secure themselves, but cyber protection is a continuous process. Threats will continue to advance and multiply, and new skillsets and policies will need to be developed in response. There are currently 11 industries covered by SOCI, but as our understanding of cyber and critical infrastructure grows, this number is likely to grow. That means all industries must start to take control of their cyber defences, including protecting more than IT assets.

Stefanie Oakes is the general manager – Asia Pacific Services, Honeywell Building Technologies.