The recent establishment by the Attorney-General and the Treasurer of a Critical Infrastructure Centre (CIC) follows strong media interest in the issue of foreign direct investment in Australian infrastructure, including the leasing of part of the Port of Darwin and a major review into the processes of the Foreign Investment Review Board.
The Centre will develop coordinated, whole-of-government national security risk assessments to support decision-making on foreign investment review processes. It aims produce transparent, rigorous and commercially credible recommendations and to provide greater certainty for foreign investors and industry on the types of assets that could attract national security scrutiny.
Bringing clarity to the security dimensions of foreign investment is one benefit the Centre can provide. It will also advise on ways to enhance the resilience of infrastructure against potential disruptions, including identifying the cascading effects of multiple failures in interconnected systems that operate over wide areas and across state borders.
The ministerial announcement noted a changing threat environment—Australia’s increased reliance on outsourced supply chains, especially in relation to energy supply; shifts in Australia’s international investment profile; and the vulnerability of national critical infrastructure (CI) to sabotage, espionage and coercion. Australia isn’t alone in creating institutions focusing on protecting critical infrastructure. The United Kingdom, United States , Canada and other economies have given considerable attention to these issues.
Groups such as AusCERT, which evaluates global cyber network threats, and the recently established Australian Cyber Security Centre might be better placed to advise on threats from cyber espionage and related risk reduction measures. A key mitigation function that fits the CIC’s remit is the identification of asymmetric vulnerabilities within infrastructure systems that are connected or controlled via the internet.
‘Connectivity’ in the modern world (the internet-of-things) comes with assumption of seamless interoperability within and across linked systems. The expectation in our ‘always on’ society is that electricity supplies will be constant, communications ubiquitous and e-commerce always available, along with an assured supply of potable water, waste treatment and other conveniences.
While there’s historical evidence that failure could occur in such complex systems purely due to their intricacy, the propagation of failures is often not linear, with disruptions (so-called domino effects) spreading to cause significant problems in other systems via the inter-connectedness of components; sometimes referred to as ‘network events’.
Making ‘sense’ of failure in complex infrastructure systems and identifying the vulnerabilities that may have allowed them to occur is another task that the CIC could add value. The ability to anticipate cascading failures which could impact in the longer-term on trade, e-commerce and supply chain management is important to a range of public and private institutions. Impact and vulnerability assessments, possibly similar to HAZOP studies (Hazard and Operability), could examine potential failure points in complex infrastructure systems either before construction, or when additional components are to be added.
Of course Australia isn’t without guiding policy or strategy to protect critical infrastructure. The 2015 National guidelines for protecting critical infrastructure from terrorism focuses on potential disruptions of infrastructure systems by terrorists. The Critical Infrastructure Resilience Policy and Strategy recognises CI as essential to Australia’s economic and social prosperity and notes the central importance of resilient services to communities. The National Strategy for Disaster Resilience also provides a wider context for the work of the CIC by emphasising the importance of business continuity management in disaster risk reduction. Having a wide policy platform is good, but providing practical advice and guidance on options to support critical infrastructure and enhance resilience is the CIC’s most important role.
Another key role should be advising on resilient design and coordination for new infrastructure investments on Infrastructure Australia‘s priority infrastructure projects list. I’d also expect the Centre to collaborate with Australia’s Trusted information Sharing Network and, in particular, the existing Critical Infrastructure Program for Modelling and Analysis capabilities within the Attorney General’s department. Both have important roles in anticipating the consequences of disturbances across infrastructure systems and in developing national continuity (of essential service) management options.
The CIC should become a leading voice in vulnerability assessment and risk-reduction in Australia’s ever growing network of critical infrastructure. While it needs to collaborate with state jurisdictions and the private sector, the Centre should support the concepts of Prevention and Preparation by promoting the need for infrastructure to be built with resilience as a design and operational principle as well as anticipating generic sources of vulnerability across networks. Finally, if anticipation and prevention fails, the CIC can support timely and effective Response and Recovery mechanisms that assist with the rapid restoration of essential services and ensure post-crisis learning is captured.