The security and resilience of critical infrastructure is increasingly in headline news. The government’s response is new legislation to ensure and oversee the security of these assets. Utilities will need to focus on their security challenge in their future IT strategies.
It was late 2015 when former US Secretary of State Richard Armitage was stunned to discover the Port of Darwin had been sold to Chinese interests and that the proposed sale had not been raised in high-level talks between Australia and the US.
The US was reportedly angry that the Port asset, with a significant role in the US’s Asian pivot under President Obama, could be sold to a company with strong connections to its growing strategic rival.
This US rebuke prompted more careful consideration when the next set of significant Australian assets went under the hammer, with the Treasurer, Scott Morrison, intervening in and blocking the intended sale of the Ausgrid Distribution Assets to foreign entities in August 2016.
The Australian Government has developed a more holistic response to address the perceived vulnerabilities of Australia’s critical infrastructure assets with a new body called the Critical Infrastructure Centre (CIC). This body has been established under the Attorney General’s department to assess and manage the risks of “sabotage, espionage and coercion in the four priority sectors of telecommunications, electricity, water and ports.”
- The Purpose: the CIC’s task is to address the concerns raised by the rapid change in the technology landscape, the proliferation of cloud services, increased connectivity and globalised supply chains, which are resulting in critical infrastructure assets having a greater exposure to security threats and malicious actors than ever before.
- The AG gets teeth: the government is underpinning the authority of the CIC with legislation. The Security of Critical Infrastructure Bill 2017 was introduced toward the end of 2017. This bill contains two parts. Firstly, an obligation on the government to create and maintain a Register of Critical Infrastructure Assets, intended to provide the raw data to support an ongoing risk assessment of Australia’s critical infrastructure, and a related obligation on owners and operators to provide information for this risk assessment. Secondly, an increase in the power of the Attorney General to direct organisations to act to mitigate a security risk.
- Scope: the bill is focused on the risks to Ports, Electricity Assets and Water and Sewerage Assets (note that Gas Assets are presently not included). It encompasses all electricity networks, systems used for transmission or distribution of electricity, electricity generation stations critical to ensuring the security and reliability of an electricity network, water utilities servicing over 100,000 water and/or sewage connections, and Australian ports that are deemed to be the key ports in Australia for defence purposes, liquid fuel imports and bulk cargo exports.
- Implications: some clues as to actions being contemplated by government are outlined as scenarios in the draft bill’s Explanatory Document. These include directives:
  - to move and store all data in an Australian Signals Directorate (ASD) certified cloud services provider if the company currently stores its data offshore
  - to limit any offshore access to a company’s industrial control systems
  - to prevent a business from outsourcing the operations of its core network to certain low-cost, less secure providers
  - to prevent a business from sourcing core operational systems technology from certain low-cost, less secure providers
At a minimum, owners and operators of critical infrastructure assets such as Ports, Electricity and Gas Utilities, Water and Telecommunications will see an increase in requests to provide security-related information to the government and can expect greater dialogue with the government regarding security risks to the infrastructure they manage.
Utilities will experience an increased tension between a cost-focused strategic IT direction, which encourages the outsourcing of functions to the cloud or the offshoring of certain operational tasks, and the restrictions imposed by a more onerous security environment, which increases pressure in the opposite strategic direction.
We are likely to see directives like the 2013 decision by the Australian Government to disallow Huawei from supplying telecommunications infrastructure to the NBN. That decision overruled lower-cost IT procurement decisions in favour of higher-cost but authorised providers.
For CEOs and CIOs in critical infrastructure companies, it will become increasingly prudent to carefully consider and classify the security implications of strategic IT decisions, and to conduct pre-emptive discussions with the CIC before embarking on any large-scale change.
Inevitably, the increased prominence of national security risks will translate into a greater challenge for CIOs responsible for critical infrastructure as they seek to take advantage of the lower costs offered by technology and global virtual services whilst at the same time meeting the constraints and likely greater expense imposed by increased security demands.