Cybersecurity for Australia’s Critical Infrastructure
Digitisation has transformed our lives by providing boundless economic and social benefits through improved efficiency and productivity. Yet within critical infrastructure organisations, technological innovation has accelerated faster than our ability to secure it.
Technology exposes our nation and our critical infrastructure to significant risks and vulnerabilities from cyber criminals.
Australian Legislation Reforms to Mitigate Risk
The Australian government’s awareness of these risks prompted them to pass the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) last month, to increase the security of our critical infrastructure. These latest amendments introduce new and enhanced obligations for risk management programs and security respectively.
This is a first for many sectors; and organisations will need to move quickly to achieve the legislated protocols and systems.
Critical Infrastructure is Facing a Multi-Pronged Cyber Threat
Critical infrastructure now encompasses our energy, financial, electricity, liquid fuel, gas, water, broadcasting, hospitals, defence and electricity assets. Our daily life depends on these vital systems. And yet these vital systems depend on secure digital networks.
Securing these systems from cyber-attacks is top of mind across the globe in the wake of highly publicised ransomware attacks on critical infrastructure. The attack surface has broadened even further because many providers rolled out IoT devices during the pandemic.
Sanctions Against Russia are Increasing Threat of Cyber Attacks
The cybersecurity agencies of the United States, Britain, Australia, Canada and New Zealand—who have joined to create the Five Eyes Intelligence-Sharing Alliance—believe there is an increased threat of malicious Russian cyber activity against critical infrastructure globally as a response to sanctions imposed for its invasion of Ukraine. 
According to PwC’s Digital Trust Insights Survey 2022, 69% of Australian executives expect an increase in state-sponsored attacks on critical infrastructure.
Efforts to undermine adversaries through attacks on critical infrastructure represent a far less costly and almost invisible way to create chaos instead of deploying military force. Proxies, amateurs and organised criminal networks add layers of ambiguity to hide aggressors.
According to Sonic Wall, ransomware attacks are on the rise, allowing criminals to lock up the data of a target organisation, demand payment or else face consequences such as energy loss to important economic centres, triggering real-world impact. In the first half of 2021, there were 304.7 million ransomware attempts. Yet the second half of 2021 proved to be even worse, reaching 318.6 million.
Cyber-Attacks are Increasing and Focusing on Critical Infrastructure
According to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report of 2021, cyber-attacks are escalating in severity and frequency at a rate of one reported attack every eight minutes. And one quarter of cyber incidents reported to the ACSC in the 2020-21 were associated with Australia’s critical infrastructure or essential services. 
Operators on the frontline of these attacks have seen their annual cybersecurity spend increase by 500% in some instances. And organisations are spending up to $20 million to reduce their risk rating to an acceptable level.
In fact, PwC’s 2022 Global Digital Trust Insights Survey found regulatory compliance rates are the second highest priority for Australian CEOs in the design of their cyber strategies.
Risk Managers Appointed to Boards to Lessen Fallout
All organisations need to have back-up, or disaster recovery plans in place. Large companies are now appointing Risk Managers to their boards and their sole responsibility is to ensure organisations can survive the next major crisis.
Scenario planning enables decision-makers to identify ranges of potential outcomes and estimated impacts, evaluate responses and manage for both positive and negative possibilities.
By preparing for the worst, organisations can adapt quickly and minimise commercial and service delivery losses.
What are the New Risk Management Program Obligations?
The new legislation introduces an enhanced regulatory framework. The aim is to uplift core security practices in the management of eleven critical infrastructure assets:
|1. Critical broadcasting assets||7. Critical electricity assets|
|2. Critical domain name system||8. Critical liquid fuel assets|
|3. Critical data storage or processing assets||9. Critical gas assets|
|4. Critical hospitals||10. Critical water assets|
|5. Critical energy market operator assets||11. Specified critical defence industry assets|
|6. Critical financial market infrastructure assets|
Critical Infrastructure entities are now required to establish, maintain and comply with a Risk Management Program that meets the following principle-based outcomes:
- Identify material risks. Entities will have a responsibility to take an all-hazards approach when identifying hazards that may affect the availability, integrity, reliability and confidentiality of their critical infrastructure asset.
- Minimise risks to prevent incidents. Entities will be required to consider risks to their critical infrastructure asset and establish appropriate strategies to minimise or eliminate the risk of hazards occurring.
- Mitigate the impact of realised incidents. Entities will be required to have robust procedures in place to mitigate, so far as is reasonably practicable, the impacts of a hazard, as well as work to recover as quickly as possible.
- Effective governance. Through the risk management program and risk management program rules, entities will be required to have appropriate risk management oversight arrangements in place, including evaluation and testing.
Preparing your Organisation to Ensure Compliance
Infrastructure entities must prepare an annual Risk Management Plan and submit it to the Commonwealth regulator or the Secretary of the Department of Home Affairs. They must submit this report within 90 days of the end of the financial year and it must be approved by their board, council or other governing body.
To be successful, organisations will need to meaningfully engage with the reforms to give boards and relevant regulators the assurance they require.
Engaging the right representatives from your company will ensure the plan is practical, implementable and considers your organisation’s perspectives and operating context.
The Janellis Enterprise Resilience Framework
Developed in collaboration with leading Australian organisations operating in high-risk industries both nationally and internationally, Janellis’ Enterprise Resilience Framework is based on the International Benchmarking on Organisational Resilience.
Download our International Benchmarking on Organisational Resilience Harvard Business Review submission containing case study examples such as NSW State Emergency Service; Qantas; Lendlease Group, Transfield Services and Westpac Banking Corporation. Or the technical version here.
Organisations use our International Organisational Resilience Framework as a roadmap to start their resilience journey as well as an assurance tool for organisations that already have the capability.
Organisational Resilience brings together all elements of capability under one enterprise-wide framework. It allows organisations to visually and virtually connect all aspects of resilience including: Risk Management, Cyber Security, Incident and Emergency Management, Crisis Management, Business Continuity and Disaster Recovery.
The Janellis Business Resilience Framework
The framework is aligned with International and Australian standards including:
Complying with Infrastructure Reforms can Deliver Competitive Advantage
Critical infrastructure is vital to our nation’s economy and security and yet Australian operators face a diverse range of ever-increasing cyber threats.
Ensuring your organisation is prepared to meet the core requirements of the new Critical Infrastructure Reform is essential. If executed well, organisations will obtain additional benefits such as operational resilience and excellence. When Australia develops a reputation as a cyber resilient nation, we will be sought after as exceptional service providers by organisations across the globe.
To learn more about our Frameworks, join us in our upcoming Virtual Lab by clicking the button below:
 Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 . 2022. Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 . [ONLINE] Available at: https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022. [Accessed 03 May 2022].
 Reuters. 2022. West warns of Russian cyberattacks on critical infrastructure | Reuters. [ONLINE] Available at: https://www.reuters.com/world/europe/west-warns-russian-cyberattacks-critical-infrastructure-2022-04-20/. [Accessed 03 May 2022].
 Reuters. 2022. West warns of Russian cyberattacks on critical infrastructure.
 SonicWall. 2022. 2022 SonicWall Cyber Threat Report | Threat Intelligence. [ONLINE] Available at: https://www.sonicwall.com/2022-cyber-threat-report/. [Accessed 03 May 2022].
 ACSC Annual Cyber Threat Report 2020-21 | Cyber.gov.au. 2022. ACSC Annual Cyber Threat Report 2020-21 | Cyber.gov.au. [ONLINE] Available at: https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21. [Accessed 03 May 2022].
 PricewaterhouseCoopers. 2022. The new equation to protect Australia’s critical infrastructure. [ONLINE] Available at: https://www.pwc.com.au/important-problems/cyber-security-digital-trust/critical-infrastructure/protect-australias-critical-infrastructure.html. [Accessed 03 May 2022].
 PricewaterhouseCoopers. 2022. The new equation to protect Australia’s critical infrastructure.
 Australian Government, Department of Home Affairs. Cyber and Infrastructure Security Centre. www.cisc.gov.au. 2022. [ONLINE] Available at: https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-risk-management-program.pdf. [Accessed 03 May 2022].
Janellis is a Management Consulting firm specialising in helping organisations execute their strategy and build resilience. This is done through three key practice areas of Project Delivery, Capability Uplift and Organisational Resilience.
Janellis helps organisations build resilience and deliver complex programs by uplifting capabilities in areas such as team-based critical thinking. Uplifting critical thinking skills relies on experiential and ‘learning by doing’ activities using scenarios. In response to COVID, Janellis has combined online learning and experiential learning through our Digital War Rooms and Virtual Labs. Our Master Facilitators enable experiential learning both in real-time and online using virtual tools where teams put into practice our tools and frameworks.