Australia’s Critical Infrastructure entities are increasingly being targeted by sophisticated cyber-attacks. There are now several Government policy and legislative initiations that address cyber assurance and reporting. But is that enough? What must the private sector do for itself?
Cyber threat actors are cooperating with each other more and more to achieve their objectives. Our defensive strategies cannot be formulated in isolation by individual critical infrastructure entities; a collective security posture is needed. A community-based approach supported by Government efforts, can materially uplift cyber resilience across the critical infrastructure ecosystem.
This approach is needed as the challenges for directors and boards of critical infrastructure operators increase and additional obligations placed on them and their entities. The onus is on them to mitigate risks, which involves balancing risk mitigation measures with their costs within the entity’s operational context.
The extent to which the government can share information across the entire critical infrastructure community is limited. It can provide assessments of the threats and will need to increase that effort; however, that is likely to be of a highly technical nature, which many critical infrastructure businesses will not be able to process or understand. Much of this information is classified and cannot be easily shared. Industry needs an internal trusted facilitator for the intelligence exchange and to ensure the overall quality of information flowing out to the critical infrastructure community.
A new, sovereign entity is seeking to redress this gap, the Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC) Australia. ISACs are not new, with the first established in the early 2000s. Yet, until CI-ISAC was established, no ISAC addressed the breadth of critical infrastructure sectors, and they all supported only a subset of these sectors that are essential to the well-being of our communities.
CI-ISAC is a not-for-profit entity that was established in early 2023. Being member-owned, it is developing the capability to deliver outcome-driven, contextual and accessible cyber threat intelligence products for the best interests of its members and without any other corporate agenda. Not all critical infrastructure operators’ cyber security capabilities are at a similar level, so a collective approach not only protects the Australian community generally, but also secures the supply chains of individual critical infrastructure operators and therefore benefits their shareholders and investors.
Other ISACs only focus on individual critical infrastructure sectors, but they also primarily serve an international network of customers. This divides their attention geographically and also divides their national loyalties. CI-ISAC is wholly Australian-owned and focused. While it relies on a workforce of Australian citizens living across the globe, it is careful to host all of its enterprise data repositories in Australia. It is committed to providing Australia with a sovereign cyber threat intelligence capability that supports the Australian community through sharing information across Australian critical infrastructure owners and operators.
Australian critical infrastructure entities are currently suffering the same threats and cyber-attacks across the different sectors, and across all sizes of businesses. The network effects of a larger, cross-sectoral ISAC benefits members by leveraging mature players to build turn-key capabilities which can be used to assist less mature, financially constrained industry members and accelerate their cyber maturity. This, coupled with central supporting functions, consolidates expertise, and maximises utilisation of highly skilled and low-density cyber professionals. CI-ISAC Australia offers economies of scale and efficient utilisation of central expertise.
CI-ISAC augments existing initiatives and does not detract from the excellent work already underway. CI-ISAC has not introduced any new frameworks or assurance initiatives; rather, it has put in place an industry-led vehicle and capabilities around operational cyber threat sharing to drive cyber defence outcomes. This enables members to manage their risk more effectively by getting insights across all critical infrastructure sectors.
The CI-ISAC contributes to Australia’s strategic capabilities by:
- building cyber threat intelligence sharing and cyber resiliency capabilities and services to meet the needs of all critical infrastructure sectors to ensure that they are scalable and refined based on members’ needs over time;
- integrating the national critical infrastructure ecosystem through rapid and relevant products and services and cultivating collaborative relationships to provide a collective problem-solving capability;
- delivering timely and relevant analysis, advice, and innovative solutions to complex cyber-security challenges;
- becoming recognised as a trusted partner working with Government to boost national cyber resilience and assurance;
- supporting existing public and private engagements by solely focusing on operational cyber defence;
- fostering a national collective cyber defence posture for the critical infrastructure industry; and
- being a well-governed, member-owned organisation that delivers value for money
It is vital that Australian critical infrastructure operators establish their own, private-sector measures to counter growing cyber security threats, independent of, but complementary to those provided by the Australian Government.
The CI-ISAC provides a unique capability that helps them do just that.
Dr Gary Waters
Originally published on LinkedIn, 8th November 2023
