The global events of 2021 again made it difficult to plan and execute most face-to-face gatherings as a security and technology community. Nothing quite beats eye contact and an elbow bump in real life.
After two false starts, I was thrilled to join BeyondTrust and 16 security and technology leaders in Melbourne toward the end of November 2021. The opportunity to share stories from the past 18 months, feel aligned to peers, and ask questions for the benefit of all around the table felt foreign, but comfortable all at once.
Critical infrastructure organisations have been the target of a significant number of cyber breaches over the past 12 months, including the Colonial Pipeline ransomware attack in May 2021. With the Security of Critical Infrastructure Bill passing in Australia just days before we met (which made us feel fortunate for the delays in hosting this roundtable meeting), all attendees were eager to discuss the bill’s impact and how their peers around the table were planning to address the new regulations.
With a mix of industries from healthcare to education and government represented, the large number of engineering companies in attendance at the roundtable surprised me the most. As suppliers to critical infrastructure, these companies are already feeling the mounting pressure on third parties, long before the industries that are new to the SOCI list have their heads around the regulator's new expectations.
When the bill passed in November, it was split into two parts. Part one includes the reforms seen as urgent and is, therefore, a subset of the original bill. This new bill expanded the coverage of the Act from 4 sectors (electricity, gas, water, and ports) to 11, and the sectors now covered include:
- Data storage and processing
- Financial services and markets
- Water and sewerage
- Health care and medical
- Higher education and research
- Food and grocery
- Space technology
You can read more about the reforms here: https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-coordination/security-of-critical-infrastructure-act-2018-amendments
Around the table, the level of understanding of the impact of the reforms was mixed. Despite this, the overarching topic that wove through the entire conversation was third-party risk, both for entities within critical infrastructure sectors and for those who supply them. We discussed data protection in detail, as well as cyber hygiene (including the ACSC Essential 8) and how the burden of third-party risk assessments was being felt by all around the room.
Access by both authorised internal users and third parties was raised as a considerable concern, as the cyber risk introduced through partnerships becomes ever more evident. The limited control most IT teams have over third parties (and their partners in turn) makes it harder for organisations to set up trusted agreements. Even with contracts in place, knowing who has access, from where, and why is key to being aware of a potential exposure and to being able to remediate a cyber incident once it occurs.
An estimated 51% of organisations have experienced a breach caused by a third party. For those organisations in Australia already regulated, for example by APRA (the Australian Prudential Regulation Authority), third-party risk has been on the agenda for some time. For instance, financial services firms regulated by APRA have spent the past 2+ years striving to understand their critical data and who has access to it.
Organisations considered a third party to a critical infrastructure provider are beginning to grasp what these reforms might mean for their cyber security maturity and their ability to continue critical infrastructure partnerships, should their security risk posture not meet expectations.
Mandated cyber controls are unheard of for many organisations now included in the list of critical infrastructure services in Australia. For most, the Essential 8 was called out as something put in place because third-party partners required surveys and spreadsheets to be populated, attesting that their cyber resilience was in line with specific standards. Such self-attestation is subjective and, for some attendees, there was concern that ticking the box on these third-party assessments was all the requestor was after.
Some CIOs and CISOs are seeking ISO certification or SOC 2 compliance to sidestep the third-party surveys, which in many cases peers around the table saw as sufficient attestation of controls. But truly achieving ongoing cyber hygiene (not just point-in-time attestation) requires a risk management program. The SOCI bill that was passed in 2021 did not include the obligation to maintain a risk management program, as this requirement was not considered as urgent as other components of the Bill.
Since our roundtable convened in November, the federal government has begun consulting with industry on the proposed ‘part two’ critical infrastructure bill. Part two includes obligations to implement and maintain risk management programs concerning critical infrastructure, and the ability for government to declare Systems of National Significance (with accompanying enhanced cyber security obligations). On this bill, the government will take industry submissions until February 1, 2022.
Since the passing of the Security of Critical Infrastructure reforms, many organisations are feeling the pressure to meet the obligations of regulators or partners in order to continue to do business. Many businesses have not previously had a Board-level focus on cyber security. However, this can only be a good thing for business, customers and third parties alike, as we see a rising tide lifting all boats. Dedicated cyber security leaders and advisors must be engaged by organisations to ensure that they are protected and can, in turn, provide sufficient protection to their third-party partners.
From our discussions, the reforms to the Act are not just about the 11 industries, but also about the supply chain that feeds them. While many organisations are already on top of assessing and knowing the information security ‘values’ of their partners, many others are only at the start of this journey.
When it comes to your supply chain, how confident are you in the security controls of those who have access to your systems?
Claire Pales, Guest Author
Claire Pales is a best-selling author, a podcast host, and Director of The Security Collective, a consulting company committed to strengthening cyber security in every business. Claire's experience includes establishing teams and leading award-winning security strategies throughout Australia and Asia, including Hong Kong, China, and India. Her focus is to coach boards and executives to enable their organisations to establish exceptional information security practices. In addition to a postgraduate qualification in eCrime, Claire is a qualified coach and graduate of the Australian Institute of Company Directors (GAICD). In 2019, Claire was named a Fellow of the Australian Information Security Association (FAISA). Based in Geelong, Claire is a mum to four children, a passionate security leader and an advocate for all people in cyber.