No SOCI Puppets: Australia’s Focus on Critical Infrastructure Risk Management and Implications for Industrial Cybersecurity

No SOCI Puppets: Australia’s Focus on Critical Infrastructure Risk Management and Implications for Industrial Cybersecurity

Australia is at the forefront of collective cybersecurity regulation. Given their role in geopolitics and proximity to contested cyber domains, several recent security reforms are raising the expectations of 11 critical infrastructure sectors and 22 categories of critical infrastructure assets. Australia and many other countries around the world continue to bolster cybersecurity initiatives with the goal of increased trust and verification in mind.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has issued sector-specific guidelines while simultaneously building trust with industry, to enhance owner and operator input on actions like the rulemaking process for the new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The European Union is pursuing two new mandates that will provide “an updated and comprehensive legal framework to strengthen both the physical and cyber-resilience of critical infrastructure.”

As of September 2023, the Australian government has also increased the number of businesses deemed ‘Systems of National Significance’ (by virtue of their interdependencies across sectors and potential for cascading consequences) to 168, with an overarching goal to maintain near real-time cyber threat awareness. In 2022, the INCONTROLLER incident highlighted the potential risks of cyberattacks targeting such systems. Thankfully, the attack was identified before any operational incidents occurred, showcasing the potential benefits of investing in cyber security solutions specifically designed for industrial, high-consequence operations.

Securing Critical Infrastructure and Industrial Operations

The Security of Critical Infrastructure (SOCI) Act of 2018, amended in in 2021 and 2022, includes “Positive Security Obligations” for entities within each sector. The 11 sectors include: Communications, Financial services and markets, Data storage or processing, the Defence industry, Higher education and research, Energy (Electricity, Energy Market Operator, Gas, Liquid Fuel), Food and grocery, Health care and medical, Space technology, Transport (including aviation and maritime assets), Water and sewerage.

SOCI requires each entity to categorize and register critical infrastructure assets, and to notify and share information about cybersecurity incidents – actual or imminent – as well as an estimation of actual or likely relevant impacts. Obligations for reporting on Positive Security Obligations depend on the sector and asset, as determined by the Australian government where existing regulations or compliance measures are deemed insufficient.

In addition, SOCI updates now require compliance with the Security of Critical Infrastructure Risk Management Program (CIRMP) rules that went into effect on February 17, 2023. With the grace period for assessing implications and application of new laws and requirements expiring for organizations August 17, 2023, entities now have until August 18, 2024, to demonstrate ongoing regulatory compliance.  

The CIRMP rule requires board-approved risk management programs that must adopt an all-hazards security approach to cyber and information security hazards. Specifically, responsible entities must first review all critical assets to:

  • Identify each hazard where there as a material risk of a “relevant impact”;
  • Minimise, mitigate, or eliminate any material risk from the hazard (to the extent reasonably practicable);
  • Comply with a framework contained in a document (to be enforced).

Entities may choose to adopt and maintain one of the following framework options:

  • Australian Standard AS ISO/IEC 27001:2015
  • Essential Eight Maturity Model published by the Australian Signals Directorate (Level 1)
  • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America
  • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America (Level 1)
  • The 2020 21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327) (Security Profile 1)

Planning and framework oversight, and incident response preparedness, will be enforced by the Australian Signals Directorate (ASD). The Directorate also has established and maintains legal authority to directly interfere with and establish control over entities’ systems “when private owners have been compromised or controlled and cannot regain control,” as reported by the Mandarin.

The Scope of Risk Management

Individuals, teams, businesses, and sectors struggle with competing priorities: Connectivity of critical assets to the internet or accessible networks, insecure remote connections, complex and just in time supply chains to name a few. Should they focus on data security? Network security? Devices and endpoints? Does security come before, during, or after cloud adoption and increased automation projects? Despite shared goals and recognised dependence on technology in all aspects of daily life, challenges and constraints hamper the use of existing security frameworks, recommendations, and best practices.

The growing number of exploitable vulnerabilities and the great number of potential attack patterns has also revealed three common issues for critical infrastructure:

  • The looming threat of highly sophisticated, often nation-state level attacks, narrows focus to threat hunting at the expense of other indicators worth investigating.
  • IT security principles do not map perfectly to OT security requirements where segmentation and context drive prioritization.
  • Companies and security leaders continue to react to security incidents and available intelligence, rather than building the capability to limit their severity.

Categories for All-Hazards Risk Management

The biggest difference when we look at risk assessments for OT versus information technology (IT) is tolerance. Risk tolerance quantification looks very different based on system life cycles, available patches, acceptable system downtime, and the sequencing of maintenance. The tactics, techniques, and procedures threat actors use in cyberspace may or may not find a way to escalate privileges and cause mayhem targeting systems by exploiting vulnerabilities.

Risk tolerance therefore is a cycle of entities mapping necessary security components of their organisation, attempting to understand how those components fulfill various portions of existing standards, regulations, suggestions, and best practices, while hoping compliance regimes measure the right things as necessary to have — which are ultimately industry-specific and thus recreate the cycle.

Security leaders and teams must map:

  • The status of their security program, risk ownership, and visibility gaps.
  • Existing management and mitigation tools, resources, and capacity.
  • The development environment of third-party products and security management of suppliers.
  • Enterprise content management, data security and PII.
  • Operational products and services, hardware, software, IoT, cloud offerings, etc.
  • Upstream and downstream supply chain.
  • Operational technology and cyber-physical security.
  • The sea of available add-on security products.

As all sectors continue to reveal cybersecurity gaps, reorient change management, and drive holistic cybersecurity coverage, investments in industrial cybersecurity grow. Focused investments for OT fall into four main categories:

  • Category 1 – Network Visibility: If network activity is not monitored in real time, the status of assets is largely unknown, and whether they have vulnerabilities or not, these assets cannot be protected without the necessary visibility into their day-to-day functionality.
  • Category 2 – Vulnerability Management: Vulnerabilities are not all the same, the degree to which vulnerabilities impact integrity and availability of systems varies by technology, deployment, configuration, and environment.
  • Category 3 – Cyber Threat Intelligence: Threat actors targeting OT and ICS seek to craft the perfect concoction of capabilities and vulnerabilities that will cause disruption or damage to their target. They can be both opportunistic, highly tailored, or a mixture of both, and can be alerted on with proper tuning of monitoring tools.
  • Category 4 – Gaining Situational Awareness: Components and connections continue to increase with multiple vendor systems and integrations. Simply having and storing reams of data is not useful for any risk mitigation strategy, it must be contextualised for relevance – combining network visibility, vulnerability management, and context-driven cyber threat intelligence.

Effectively, teams need a balance between automation and manual investigation. For under-pressure security teams, automating repetitive, time-consuming, low-level tasks is essential. If a tool can combine this automation with the real-time data and context needed to empower analysts to investigate high impact, time-sensitive incidents, even better!