The vulnerability of critical infrastructure has been dragged to the forefront of business strategy and public policy debate over the last two years. Attacks by cybercriminal gangs on supply chains around the world in 2020 and 2021, and, more recently and graphically, the role of cyber attacks in the war in Ukraine, have reinforced why cyber is now the top item on the risk registers of many organisations.
The extraordinary acceleration of digitalisation during the pandemic has also increased business vulnerability to cyber-attacks. Industrial systems, in particular, are more exposed than ever before, as organisations sacrificed the air gap that protected many control systems in return for the commercial advantages that data analytics delivers in a networked environment.
In Australia, the range of companies that fall under the Commonwealth Government’s definition of critical infrastructure is growing.
A bill passed last year expanded the definition of critical infrastructure to a further 11 sectors, including data storage or processing, financial services, and healthcare. It also allows the government to intervene to contain a cyberattack on critical infrastructure.
For organisational boards, this also means considering more stringent cyber incident reporting obligations.
For the inaugural edition of Digital Nation Boardroom Impact, we interrogate the issue from the perspective of participants in the critical infrastructure brainstorming session held in January and from subsequent interviews conducted in February.
Participants in the Boardroom Impact brainstorming sessions addressed issues such as how the interconnectedness of value chains brings organisations beyond even the new extended definitions into the discussion, the need for board education, the importance of understanding the wider issue of cyber and risk, and the implications of cybersecurity insurance.
Boards are traditionally populated with directors who have a very strong financial grounding, says Thomas Fikentscher, Cyberark’s ANZ regional director. However, securing critical infrastructure from cyberattacks requires a more detailed understanding of risk.
It is an area where in other regards boards often apply considerable focus. For instance;
On this last point, he said boards in Australia tend to be populated by people with strong financial backgrounds.
“When people use the term metrics, they look at businesses in terms of financial metrics, so return on investment numbers, they go through P&L items, they understand how balance sheet should be structured, they understand how you actually have funding mechanisms. That's what a lot of board members come from.”
“This concept of risk needs to be discussed in more depth. And I think there are metrics that you can actually look at when you think about risk.”
“In my opinion a risk such as cybersecurity should be elevated to the level of critical enterprise risk, which means it can threaten the viability of a business if not managed properly (like issues such as credit risk for a financial institution or supplier risk for a manufacturing business).”
He believes some boards may treat cyber security as an emerging risk. “This is where newer elements such as climate change, demographic shifts and also cybersecurity might sit.”
“The problem is that boards often are less informed in these areas and have less experience, as they wouldn’t have been exposed to them during their active period as operational managers. Although it’s ultimately the job of the operational leadership team to manage these new risk items, boards should spend more time learning about them and discussing the consequences in detail.”
The interconnectedness of business creates significant implications for leaders and for boards under the broader definition of critical infrastructure, says Sarv Girn, who has interrogated the issue professionally, both as a non-executive director of the Reserve Bank and as a former CIO and chief digital officer for organisations such as the Reserve Bank of Australia and, most recently, Cuscal.
According to Girn, “Directors need to think of downstream vendors that supply into your company. So you may not be the primary critical infrastructure per se, as per the old definition, but if you're a transport company, for example, delivering parcels or delivering goods into retailers, then you do become critical infrastructure for the upstream suppliers.”
He said the real challenge for directors, therefore, is to work out where they are in the value chain.
“Are they going to be tapped on the shoulder even if they're downstream, not primary critical infrastructure, but they're part of that value chain? The accountability on them is huge now in not just knowing their own client base and their suppliers, but really which part of the food chain are they supporting?”
Like Cowley, Girn believes the pandemic has exposed some key business issues for critical infrastructure providers.
He says one key learning is the dependency some businesses have on what he calls enabling industries and the need to diversify the supply chain.
“You have to have a backup plan. If your primary delivery organisation is unable to do it due to a cyber-attack or whatever physical issue that they may have, always have another supplier that can step in.”
According to Simon Cowley, the chief information officer at Ausnet Services, a key provider in Australia’s utilities sector, traditionally critical infrastructure has been thought of as services such as power, utilities and telecommunications.
As a provider in the energy sector, Cowley also recognises how the interconnection of systems means that the leaders of organisations that plug into critical infrastructure have a stake in the conversation.
“Certainly the energy sector is a great example of that. The national grid is made up of some big players who play particular roles in that, but there are also a lot of smaller providers that make up that network. Like many things, the interconnectivity is there today.”
If some of those smaller companies that are providing their services fall over, that can create a massive disruption that flows into other parts of the network, he said.
“So it isn't just large organisations. But certainly all organisations are really critical to making sure that everything runs smoothly and that we've got redundancy planned so that if something does fail we can call upon all of those infrastructure providers to redirect things.”
In addition to the impact on the perspectives of policymakers and the public from high profile cyber-attacks overseas, the impact of the pandemic has also changed attitudes about the extensiveness of critical infrastructure.
“One thing that's become really clear out of the back of things like the pandemic is that it's much broader than that. So we saw examples where supermarkets have struggled to provide produce to everyone. And that's linked to things like supply chain and logistics, trucks, and transport, warehousing. So the definition as to what makes up critical infrastructure has really expanded and broadened.”
The government’s critical infrastructure reforms reflect this by extending the definitions, he said.
“And not only those ones that are around food, but things like financial services and other things that people just need to keep their life going day to day.”
The issue of educating directors on their role in managing cybersecurity, especially in the context of critical infrastructure, has been a subject of much debate in the sector.
Leah Fricke is a non-executive director for Columbus Capital, as well as the chair of its risk committee. She also chairs the audit and risk management committee for Western NSW Health District, giving her insight into the issue from both the health and finance sectors and from public and private perspectives.
Fricke stressed two key points. Directors don’t really need to be told to take critical infrastructure seriously, either by the government or the IT industry. And while directors need to be able to competently interrogate the issue of cyber security, it is unrealistic and unnecessary for them to be subject matter experts.
“A number of boards have been dealing with this issue for years. If your view is that your service is critical to society, for many boards I’m involved with, we didn’t need the government to tell us that,” she said.
“We’ve been dealing with that as a reality of our day to day existence.”
“Boards have been grappling with their role in the community and the services that they provide for a number of years now.”
She said recent events around the Covid response and the implications for the health system have highlighted to many in the community that there is a fragility to our health services.
Fricke also addressed the idea that directors need to be better educated around cyber security, saying it is unrealistic to expect everyone sitting around the boardroom to have a deep knowledge of every topic that is in front of them.
“In looking at critical infrastructure issues, boards are going to need to focus on what are the questions to ask. How do they extract from their leadership team and from other advisors the information that they need to be able to guide through the challenges that come from the requirements around critical infrastructure and that particular organisation’s role within the broader context of society.”
When COVID struck Australia in early 2020, there was a massive and immediate shift to ecommerce.
Many organisations saw their online share of commerce grow from the low teen percentages to 100 per cent virtually overnight. That put huge pressure on Australia’s logistics sector, which also had to contend with issues such as closed borders, and delays in the ports.
For companies like Aramex, the pandemic demonstrated the criticality of secure and available infrastructure to the business. It’s an international logistics company operating in 69 countries with about 7 per cent market share in Australia.
According to CIO Ruby Wolff, the rapid acceleration of e-commerce digitalisation during COVID also brought an increase in cybersecurity threats.
And it highlighted the importance of the logistics sector as critical infrastructure.
“Gone are the days of us having to be online most of the day locally. We now are 24/7 with all of our information security and support because we cannot afford any downtime. In December, and we measure it down to minutes, our primary application was only down for six minutes and that was really because of service maintenance downtime. But that’s how critical it is right now.”
“Infrastructure is critical and time of response is critical. Amazon or a large e-comm player, if they're getting a slow response to any of your calls or information, they just switch to another player and it's a millisecond response. So that infrastructure is critical for us.”
On the cybersecurity front, Wolff said the company has seen a huge increase in phishing attacks. “Especially because we're a franchise network, so we've got this really wide base of people, and [hackers] will try and come into them via phishing attacks in any form or means.”
“We do a lot of education to protect that and a lot of monitoring to make sure of that. We can't have any penetrations through there. So we've upskilled our internal team to manage any phishing attacks and monitor alerts.”