What is Critical Infrastructure, Anyway? Understanding Your Critical Business Function

Is your critical infrastructure #cybersecurity risk management program focusing on the WRONG assets (or missing some)? Probably. To get this right means first asking, “what is critical infrastructure in cybersecurity?” and then getting the scope right and everyone on the same page. Reading this article might just save your company millions.

The approach I will take here is to start at the top with your business obligations, and then drill all the way down to asset classes. This will help you better understand which of your assets are IN SCOPE and, perhaps as important for your sanity, which are OUT OF SCOPE.

Are your company’s assets

The 2023 Critical Infrastructure Resilience Strategy (the Strategy) defines critical infrastructure as:

“those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security”.

Critical infrastructure includes:

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defence industry
  • Higher education and research
  • Energy
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

Perhaps your business or agency is on the above list. Does this automatically mean that you are critical infrastructure? NO! The Security of Critical Infrastructure Act (2018) [whimsically referred to as SOCI] defines how big of a player you need to be in order to be classified as critical. For example, an asset is a critical electricity asset if it is:

“(a) a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules; or

(b) an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory, in accordance with subsection (2)”

So in this example, if your electricity network only ultimately serviced 1000 customers… probably not critical infrastructure. Of course, you’ll want to formally confirm that with your regulator or other relevant party. Assuming that you find that you are indeed critical infrastructure, read on for advice on reducing the scope of what you need to jealously guard.

“in terms of complying with SOCI, the focus needs to be on the critical function”

The business function conjunction

Typically, a business has many discrete functions (e.g. HR, Finance, Legal, IT, etc.), but in terms of complying with SOCI, the focus needs to be on the critical function. Your critical function is simply the primary service you provide as defined in SOCI. All other ancillary functions should be completely separated out (e.g. firewalled, air-gapped). Yes, you still need to protect other functions, but not in terms of SOCI compliance. We’ll get to why that’s the case in a moment. In terms of cyber security, you need to protect those critical assets that, were they to be materially disrupted by a cyber security incident, the critical function would be Significantly Impacted.

What is a Critical Infrastructure Asset?

Hopefully, by now you have a general idea that a Critical Infrastructure Asset is an asset related to delivery of the Critical Function. To dispel ambiguity and ensure that we aren’t taking on too much (or too little), we need to clearly define our terms of reference. To accomplish this, I refer to what I believe does the job best: NIST’s Cybersecurity Capability Maturity Model (C2M2). Although this relates to the Energy Sector, I recommend looking at this approach for any Critical Infrastructure.

Also within scope for protection are “assets within the function that may be leveraged to achieve a threat objective includes assets that may be used in the pursuit of the tactics or goals of a threat actor”. So, if you have a networked printer, security camera or any other type of cyber asset adjacent to your critical assets, they are also in scope. This is exactly why you want to segregate your critical cyber assets from all unrelated cyber assets as much as possible. Those of you familiar with the Payment Card Industry Data Security Standard (PCI-DSS) will see the similarities in approach: to reduce risk (and save on effort and expense), “get as many assets out of scope as possible”.
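To make the scoping rule concrete, here is an added example (not from the article or from C2M2) that computes which inventory entries land in scope: every critical-function asset, plus every asset in a network zone that can reach a critical zone over an unfiltered link. The inventory, zone names and links are constructed; the assumption is that an unfiltered link between zones is what makes an adjacent asset “leverageable”, and that a firewall or air gap removes that link.

```python
from collections import deque

# Constructed sample inventory: asset name -> (business function, network zone).
# "critical" marks assets that deliver the critical function; the rest are ancillary.
ASSETS = {
    "scada-hmi-01": ("critical", "ot-control"),
    "historian-01": ("critical", "ot-control"),
    "printer-ot":   ("ancillary", "ot-control"),   # networked printer beside critical assets
    "cctv-dvr":     ("ancillary", "ot-control"),   # camera recorder in the same zone
    "hr-payroll":   ("ancillary", "corp-lan"),
    "finance-erp":  ("ancillary", "corp-lan"),
}

# Constructed topology: each pair is an unfiltered (no firewall) link between zones.
# A flat network before segregation: the corporate LAN reaches the OT zone directly.
FLAT_NETWORK = {("ot-control", "corp-lan")}


def reachable_zones(start, open_links):
    """Breadth-first search over unfiltered zone links; returns every zone reachable from start."""
    adj = {}
    for a, b in open_links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def soci_scope(assets, open_links):
    """In-scope assets: every critical-function asset plus every asset in a zone that can
    reach a critical zone without passing a control (the 'may be leveraged' criterion)."""
    critical_zones = {zone for fn, zone in assets.values() if fn == "critical"}
    leverage_zones = set()
    for zone in critical_zones:
        leverage_zones |= reachable_zones(zone, open_links)
    return {name for name, (fn, zone) in assets.items()
            if fn == "critical" or zone in leverage_zones}


def move_asset(assets, name, new_zone):
    """Return a copy of the inventory with one asset relocated to a different zone."""
    fn, _ = assets[name]
    return {**assets, name: (fn, new_zone)}
```

Run `soci_scope(ASSETS, FLAT_NETWORK)` to see the whole inventory in scope; `soci_scope(ASSETS, set())` (firewall inserted) still leaves the printer and camera recorder in scope because they share the OT zone, and only relocating them with `move_asset` reduces scope to the two critical assets.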

Conclusion

Have a good read of SOCI and as you consider your cyber security strategy to meet compliance obligations, delve deeply into NIST C2M2. Yes, you can use any recognised cyber risk management framework (e.g. ISO 27001, AESCSF, C2M2, etc.), but this document should be consumed, regardless.

Ryan Turan