Critical Infrastructure: Australia's Seismic Legislative, Risk, Security & Governance Shift

Tony Ridley, MSc CSyP MSyI M.ISRM

Critical infrastructure and systems of national significance are entering a new era in Australia.

Recent amendments to the Critical Infrastructure Bill reflect this shift, including positive obligations imposed upon providers and entities to demonstrate and validate their security risk management practices.

The revised positive security and risk obligations introduce an 'all hazards' requirement.

Consequently, this new positive obligation requires significant security risk management experience, qualifications, and expertise to evaluate and assure operators, shareholders, communities and regulators.

Threats, vulnerabilities and the demands placed on security risk management professionals have risen exponentially.

"As the threats and risks to Australia’s critical infrastructure evolve, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver." - (Department of Home Affairs, 2021)

This sits alongside the requirement to understand, evaluate and analyse complex, networked systems as part of the new positive security obligations and elevated risk management requirements.

"The physical and virtual topology of a critical infrastructure, the human beings intentionally attacking it, and other human beings defending it constitute an ecosystem in which all of these elements continuously co-evolve. This is why any critical infrastructure should be perceived as a dynamic system that requires continuous architectural adaptation as novel generations of infrastructures are to replace extant systems." - (Keupp, 2020)

Risk Management

Operators, investors, boards, insurers and management will be considering their risk management options.

"...requiring the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program" - (Department of Home Affairs, 2021b)

Standardised and more complex security risk management calculations will be required.


These will encompass not only historical threats and vulnerabilities, but also a broader, 'all hazards' security risk management consideration.

"Critical infrastructure operators face a wide range of risks to the continuity of their operations. Most operators have a strong understanding of the vulnerabilities of their assets, and have implemented comprehensive security regimes. However, the national security threats of espionage, sabotage and coercion emerging from increases in foreign involvement, outsourcing, offshoring and supply chain dependencies can create particular national security risks that are not as well understood or managed. Supply chains, including outsourcing and offshoring arrangements, are particularly vulnerable. Critical infrastructure operators should identify and manage foreign involvement risk within their organisation’s risk management framework." - (Critical Infrastructure, 2020)

As a result, security risk management advisors, consultants and executives will require specific, verifiable and advanced qualifications to support these new demands and requirements.

Security Risk Management

The basics will still apply.

"The objectives of a risk assessment are threefold: evaluate credible threats (including criminal) and capabilities, identify vulnerabilities, and assess consequences. Upon completion of the risk assessment, gaps in existing protective security systems should be identified. This is done through the application of operational experience in physical security, knowledge of related processes, familiarity with security equipment/systems, and measures of success/effectiveness. The findings of the risk assessment must be thoroughly documented in the assessment report, along with recommendations to address them." - (Interagency Security Committee, 2015)

However, assessments, controls and protection standards will need to be hyper-contextual to specific threats, in specific contexts and circumstances.

"Protection standards are specific to the type of security interest, as well as to specific targets. Consequently, various levels of analytical and design sophistication are applied to protect different assets. " - (US Department of Energy, 2016)

Security risk management integration will become normative. That is, it must cover all elements of security and risk impacting an organisation, at all levels and at all times.

"Critical infrastructure has long been subject to risks associated with physical threats and natural disasters, and is also now increasingly exposed to cyber risks. These risks stem from a growing integration of information and communications technologies with critical infrastructure and adversaries focused on exploiting potential cyber vulnerabilities. As physical infrastructure becomes more reliant on complex cyber systems for operations, critical infrastructure can become more vulnerable to certain cyber threats, including transnational threats." - (Homeland Security, 2019)

Again, this expands and elevates the qualification and education standards of security risk management practitioners, professionals and executives in the industry and in public, private and commercial roles.

"The decreasing separation between the physical and technological aspects of the environment, assets and services means that security issues can no longer be siloed as personnel, physical or cyber. Increasingly, if measures are to be effective in addressing the security risks, a multi-layered approach that includes consideration of personnel, physical or cyber security, as well as good governance, is required." - (CPNI, 2019)

Superficial, top-down narratives will need to be addressed and supplanted with bottom-up security risk analysis, practices, evidence and governance.

"(Security Risk Management) Convergence is also going to impact on how threats are considered within an organization. The all-hazards approach has been front and center in the past—but its application has largely looked at the surface layers of threat." - (Radvanovsky and McDougall, 2019)

All security risk management practices will need to be informed by detailed, comprehensive and technical security risk assessments.

"A comprehensive risk, threat, and vulnerability assessment offers an organized and systematic approach to assessing and documenting risks to the organization. The risk assessment provides an informed list of risks and recommended corrective actions to help the enterprise attack and correct the most serious risks identified. A risk assessment is generally a holistic view of the facility and is intended to view all activities and look for “all hazards” that can constitute risks to the company." - (Hayden, 2020)

However, the varying scale, complexity and geography of critical infrastructure and systems of national significance remain only part of the consideration. Various states of criticality, vulnerability and recoverability will also need to be evaluated, including the ageing status of many state and national facilities, systems and sites.

The Risk of Ageing Infrastructure

"In many ways, physical infrastructure is much like a living thing which goes through a process of creation, growth, maturation, decline, and death. Unlike natural systems, though, physical systems cannot sustain themselves; they must be renewed from without in the form of maintenance, repair, renewal, and replacement on a more or less continuous basis. These sustaining actions require us to invest capital, materials, labor, and other resources. Depriving a physical system of funding for maintenance and repair, for example, will have a similar effect to depriving a living organism of food or water—it will decline and ultimately, die. " - (Little, 2012)

Current, future and forecasted states will converge engineering, science and security risk management.

"Two issues are paramount in looking at our aging infrastructure: what is the present condition and how urgent is it to expend significant public funds to effect its repair, replacement, and management improvement; what are the priorities across the range of infrastructure types." - (Homeland Security, 2010)

Governance

Notwithstanding the above, the ongoing management, stewardship and governance of security risk management and of critical infrastructure/systems remain to be addressed.

"Governance is “all of the processes of governing, whether undertaken by a government, a market or a network, over a social system (family, tribe, formal or informal organization, a territory or across territories) and whether through the laws, norms, power or language of an organized society” " - (Gritzalis, et al., 2019)

Legal Perspectives

Legal commentators, experts and firms have already formed solid perspectives on the new changes.

"Whereas previously the Security of Critical Infrastructure (SOCI) Act covered specific assets in the electricity, gas, water and maritime ports sectors only, the Act now expands the coverage to encompass 11 sectors deemed ‘critical’. " - (Gilbert + Tobin, 2021)
"The meaning of "critical infrastructure asset" is broadened to incorporate 22 different classes. This notion of a "critical infrastructure asset" covers a much broader range than the previous Act. The effect of this change will be to expand the range of entities with mandatory reporting obligations and subject to the other requirements of the Act, which the Australian Government believes will assist in addressing security threats to our critical infrastructure." - (Clayton Utz, 2021)

Most focus on consistent themes and concerns.

"The Draft Bill expands the scope of existing obligations under the SCI Act and introduces a host of new obligations. These include obligations to: Adopt and maintain a risk management program that aligns with sector-specific rules." - (Allens >< Linklaters, 2020)

But they also introduce new, undefined vocabulary specific to security risk management, such as resilience, security and protection.

"The program intends to increase resilience across critical infrastructure assets, address vulnerabilities across physical, cyber, supply chain, and personnel domains, provide a wholesale uplift in critical infrastructure security, and reassure the Government that critical infrastructure assets are appropriately safeguarded against all risks." - (BDO, 2021)

This is in addition to the emergence of 'positive security' obligations.

"Some critical infrastructure assets will also be designated as 'systems of national significance' ...
Positive security obligation
Those in critical sectors who are responsible for a critical infrastructure asset (whether by sector-specific definition in the Bill or prescription/declaration) may be subject to the positive security obligation. The positive security obligation involves 3 potential aspects:
1) adopting and maintaining a critical infrastructure risk management program, requiring responsible entities to manage and mitigate risks by applying an all-hazards approach;
2) mandatory reporting of serious cyber security incidents to the Australian Signals Directorate; and
3) in some circumstances, providing ownership and operational information to the Register of Critical Assets." - (MinterEllison, 2021)

But, the rules and status of critical infrastructure and systems of national significance remain highly dynamic, politicised and securitised.

"The Minister may declare a critical infrastructure asset a 'system of national significance', having regard to the nature and extent of interdependencies between the asset and other critical infrastructure assets." - (Clyde & Co, 2021)

Presenting one major question... where exactly is this security risk management advice originating from? What are the qualifications, credentials and status of said 'experts'?

Are they professionally, legally and practicably defensible?

That is, are they dilettantes, dabblers and diplomas or commensurately qualified and experienced for this new age of security risk management and the protection of critical infrastructure and systems of national significance?

Interdependent Nature of Infrastructure Systems

Who is looking at the 'big picture', and the mandatory strategic view of one or more of these industries and their relationship, dependencies and connectivities?

[Figure: interdependent nature of infrastructure systems]

Source: Little, 2012

In sum, critical infrastructure and systems of national significance have undergone a major, quiet revolution of affairs.

That is, the goal posts have moved considerably.

The threats have elevated, legislation and regulation have been escalated, and the demands and requirements of the 'security risk management profession' have also risen considerably.

The big question is now, have the individuals, vocation and security risk management profession or industry risen just as fast and comprehensively?

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk, Resilience and Management Sciences


References:

Allens >< Linklaters (2020) Proposed updates to security of critical infrastructure legislation. Available at: https://www.allens.com.au/insights-news/insights/2020/11/proposed-updates-to-critical-infrastructure-legislation/

Ashurst (2021) Major reforms to Australia's critical infrastructure laws - exposure draft legislation released. Available at: https://www.ashurst.com/en/news-and-insights/legal-updates/major-reforms-to-australias-critical-infrastructure-laws---exposure-draft-legislation-released/

BDO (2021) An overview of the Critical Infrastructure Bill. Available at: https://www.bdo.com.au/en-au/insights/cyber-security/articles/an-overview-of-the-critical-infrastructure-bill

CPNI (2019) Security Considerations Assessment, Centre for the Protection of National Infrastructure.

Clayton Utz (2021) Significant reform to Australia's cyber security laws with passage of critical infrastructure reforms. Available at: https://www.claytonutz.com/knowledge/2021/december/significant-reform-to-australias-cyber-security-laws-with-passage-of-critical-infrastructure-reforms

Clyde & Co (2021) Changes to the Security of Critical Infrastructure Act. Available at: https://www.clydeco.com/en/insights/2021/03/changes-to-the-security-of-critical-infrastructure

Critical Infrastructure Centre (2020) Protecting your critical infrastructure asset from foreign involvement risk, Critical Infrastructure Centre, Australian Government

Department of Home Affairs (2021) Explanatory Document: Exposure Draft Security Legislation Amendment (Critical Infrastructure Protection) Bill, Department of Home Affairs, Australian Government

Department of Home Affairs (2021) Exposure Draft: Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, Department of Home Affairs, Australian Government

Gilbert + Tobin (2021) Security of Critical Infrastructure Act (SOCI) reforms - what your business needs to know. Available at: https://www.gtlaw.com.au/knowledge/security-critical-infrastructure-act-soci-reforms-what-your-business-needs-know

Gritzalis, D., Theocharidou, M. and Stergiopoulos, G. (2019) Critical infrastructure security and resilience: Theories, methods, tools and technologies, Springer

Hayden, E. (2020) Critical Infrastructure Risk Assessment: The definitive threat identification and threat reduction handbook, Rothstein Publishing

Homeland Security (2010) Aging Infrastructure: Issues, Research, and Technology, Science and Technology, Department of Homeland Security, US Government

Homeland Security (2019) A guide to critical infrastructure security and resilience, Cyber-Infrastructure, US Department of Homeland Security, US Government

Interagency Security Committee (2015) Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide, US Government

Keupp, M. (2020) The Security of Critical Infrastructures: Risk, Resilience and Defense, Springer

Little, R. (2012) Managing the Risk of Ageing Infrastructure, IRGC - Public Sector Governance of Emerging Risks - Infrastructure Case - November 2012

MinterEllison (2021) Changes to critical infrastructure laws in 2021: is your sector impacted?. Available at: https://www.minterellison.com/articles/changes-to-critical-infrastructure-laws-in-2021

Radvanovsky, R. and McDougall, A. (2019) Critical Infrastructure: Homeland security and emergency, 4th ed, CRC Press

US Department of Energy (2016) Physical Security Systems: Assessment Guide, Office of Cyber and Security Assessments, US Department of Energy, US Government.


Mazhar Rizvi

IT Operations | IT Security | IT Projects

3y

Very informative, thanks for sharing.
