Infrastructure operators need access to intelligence to protect their assets
22 Feb 2023

Home Affairs Minister Clare O’Neil launched the government’s ‘critical infrastructure risk management program’ yesterday. The minister is clearly focused on preventing a repeat of last year’s high-profile and publicly contentious hacks of Optus and Medibank. The new program’s broad, all-hazards approach to the resilience of our critical national infrastructure illustrates an enhanced security posture in response to the heightened security threats that Australia now faces.

Unlikely to be a coincidence, O’Neil launched the program hours before ASIO Director-General Mike Burgess released his annual threat assessment. It revealed that espionage and foreign interference now surpass terrorism as Australia’s most significant security threats. Protective security, including physical and cyber security, will be critical to the government’s policy responses to this assessment. The government cannot ensure that protection without collaboration with the private sector.

The risk-management program rules are the third and final security obligation legislated in recent amendments to the Security of Critical Infrastructure Act 2018.

The rules apply to a range of critical infrastructure assets, from energy and medicine to food and communication.

For operators of these assets, especially their directors and boards, the program introduces new obligations for protecting critical infrastructure from cyber and physical attacks and disruptions. In government-speak, these responsible entities must ‘take a holistic and proactive approach toward identifying, preventing and mitigating risks’.

In the past, the federal government’s approach to critical infrastructure resilience has had a sharp cyber focus, and cyber should remain a strong priority. But Australia needs an integrated approach to critical infrastructure security and national resilience. The new risk-management program understandably adopts an all-hazards approach encompassing the full spectrum of security risks—physical security, cyber and information security, and personnel security—along with supply-chain risks.

Physical security risks relate to protecting the parts of an asset that are critical to its functioning, including controlling physical access to sensitive facilities and protecting against natural disasters.

Cyber and information security risks are those to the digital systems, computers, datasets and networks that underpin critical infrastructure. They include improper access, misuse and unauthorised control of those systems.

Personnel security relates to the ‘trusted insider’ risk posed by critical workers who have the access and ability to disrupt the functioning of an asset.

Supply-chain risks relate to disruption of the supply chain that directly affects a critical infrastructure asset. Such disruption may be naturally occurring or malicious, including deliberate attempts to compromise the asset through its suppliers.

It’s clear that the program places obligations on entities responsible for relevant critical infrastructure assets. But the government has stopped short of providing definitive security requirements. Instead, it has adopted a principles-based approach that places the onus on industry to act to mitigate risks, but only ‘so far as is reasonably practicable’. In determining what is reasonably practicable, entities are advised to ‘appropriately balance the costs of risk mitigation measures with the impact of those measures in reducing material risk within their own operational context’.

To identify reasonably practicable measures to mitigate a risk, operators must undertake detailed risk assessments that consider the consequences and likelihood of an event occurring. Central to this, especially for malicious, non-natural-disaster risks, is an understanding of the threats they face and of the capability, intent and opportunity of an individual, group or country to carry out those threats.

Under the risk-management program, operators, not the government, own the risk. Ensuring that the private sector—which now largely owns and operates such critical infrastructure—takes responsibility for due diligence is a vital requirement. However, with the program’s introduction, the government now has an implied enhanced obligation to provide industry with clear, concise and actionable assessments of the threats they must deal with. Implementing the risk-management program will be challenging given that much of the collaboration between the private and public sectors will require access to government information that is often highly classified. This problem will become even more complicated because our nation’s security and sovereignty will require the government to provide industry guidance on issues such as the material risk of Chinese artificial-intelligence-enabled products and services, for example.

The risk-management program mandates an annual reporting requirement for entities to provide assurances to the government of their management of security risks. And noncompliance comes with civil penalties. Without regular access to threat intelligence, it is unclear how entities can make risk-mitigation assessments or identify their vulnerabilities.

The government, while avoiding publicly highlighting specific threats, is enhancing the nation’s security posture. The new risk-management program is a positive step forward for Australian national security and resilience. Still, it will require significant further steps, in particular to ensure that collaboration goes beyond consultation and becomes a genuine public–private partnership, to fully counter the threats and realise the program’s full benefits.