CISC Newsflash: Edition 9
Cyber and Infrastructure Security Centre
We assist critical infrastructure owners & operators in risk & regulations for the shared benefit of all Australians.
From the desk of Sam Grunhard, Acting Head, Cyber and Infrastructure Security Centre
Hi everyone. As Hamish foreshadowed in the last edition, 2023 is off to a cracking start and we have already seen some significant developments in critical infrastructure protection.
The Critical Infrastructure Risk Management Program rules were switched on in early February; in March, the Critical Infrastructure Advisory Council met to discuss – among other things – the recently released 2023 Critical Infrastructure Resilience Strategy and Plan; and it was a genuine pleasure to meet so many of you in person at our inaugural Conference – CIS2023 – on Friday 24 March 2023. More on these developments below.
In CISC, with Hamish Hansford recently promoted to Deputy Secretary, I am CISC’s acting Head and look forward to working with you all. In his new role, Hamish maintains oversight of the CISC, so our longstanding commitment to working with owners and operators as a partner and best-practice regulator is unchanged.
New Strategy and Plan for Critical Infrastructure Resilience
In February, the Minister for Home Affairs and Minister for Cyber Security, the Hon. Claire O’Neil MP, launched the 2023 Critical Infrastructure Resilience Strategy and Plan.
The Strategy provides a national framework to guide Australia’s approach to critical infrastructure security and resilience and brings together legislative and regulatory settings within the Trusted Information Sharing Network (TISN) to deliver nationally aligned and integrated initiatives.
These documents will guide Australia’s critical infrastructure interests over 2023-28, and while many of the activities outlined within the Plan will be led by CISC, we will do so in partnership with the critical infrastructure community, chiefly through TISN.
The contributions of critical infrastructure owners, operators and all levels of government will be critical to ensure the success of the Strategy and Plan.
Risk Management Program Rules switched on
On 17 February, the Critical Infrastructure Risk Management Program Rules commenced.
The Critical Infrastructure Risk Management Program (CIRMP) is the third preventative element of the Security of Critical Infrastructure Act 2018 as amended in 2021 and 2022.
The rules work alongside the register of critical infrastructure assets and the mandatory cyber incident reporting obligations, to uplift Australia’s critical infrastructure security.
Entities must establish and maintain a CIRMP by 18 August 2023 and have implemented their identified cyber security framework by 18 August 2024. Responsible entities must comply with their annual reporting obligations by 28 September 2024.
CISC is committed to working in partnership with all levels of government and industry to support the wider security uplift of Australian critical infrastructure. For some critical infrastructure entities, we recognise that implementation of a CIRMP will be an extensive task. Wherever your business is in terms of maturity, the CISC will assist whenever possible.
To assist, we’ve developed a comprehensive guidance document, and you can review a recording of a Town Hall presentation on our website.
Together, sensible Government regulation and attentive owners and operators can secure Australia’s critical infrastructure – in the process safeguarding our shared security and prosperity.
#CIS2023 – a huge success
Last week, CISC held the inaugural Cyber and Infrastructure Security Conference – bringing together more than 500 industry participants at Sydney’s International Convention Centre, and more than 1000 participants via a live stream.
With owners and operators from every state and territory in attendance, and with all critical infrastructure sectors represented alongside some of our international partners, the event was a fantastic opportunity to build a community of best practice for critical infrastructure protection in Australia.
The Secretary of the Department of Home Affairs, Mr Michael Pezzullo AO, opened the inaugural event. If you missed his remarks, you can read them on the Home Affairs website.
Conference attendees were able to listen to several leading experts and industry professionals, including the CEO of Optus, Kelly Bayer Rosmarin, the CEO of Foodbank, Brianna Casey, and the CEO of Ports Australia, Mike Gallacher.
Associate Professor Steve Curnin from the University of Tasmania gave a presentation on the organisational health check tool, while the CISC’s own cyber security exercise team partnered with cyber security firm Dragos to give participants experience in thinking through the implications of a ransomware attack.
If you missed any of the presentations, recordings will be available soon on the CISC website.
Thank you to all the speakers and participants, and stay tuned for more information about CIS Conference 2024 in due course!
Transport Security Reforms
Transport security is a joint effort between Government and industry – so we’re seeking aviation and maritime stakeholder views on a strategic reform agenda and new regulatory model.
A discussion paper is now live on the CISC website. It identifies five key areas for review:
· Removing prescription in security programs.
· An outcomes and risk-based security management approach.
· The Department’s regulatory relationship with screening providers.
· Screened and unscreened air services.
· Industry engagement and education to support performance and compliance.
To read the discussion paper and have your say, head to: Reviews and inquiries. Consultation closes 12 May 2023.
10 key points for Government and industry to think about
We’ll leave you with the 10 key points newly promoted Deputy Secretary Hamish Hansford asked Government and industry to think about at #CIS2023, as we all go about protecting Australia’s critical infrastructure and cyber security:
1. Critical infrastructure will increasingly be at the heart of our national life.
2. Government and the public will always have a disproportionate interest in critical infrastructure.
3. Our threat environment will deteriorate.
4. Supply chains will be particularly stressed and need careful management. International partners will be important.
5. Things will go wrong, but we can be prepared.
6. Risk management is an enduring and ongoing function, not a static Risk Management Plan.
7. Success will look like a critical infrastructure community willing to collaborate.
8. Success will need a curious mindset.
9. Failure of imagination: we must always challenge our imagination to make sure we don’t fail, potentially catastrophically.
10. We can’t be beholden to the current strictures. Be bold and think big!