The Federal Government is promoting a resilience-based approach in case of major disruptions to the country's power, water, health, communications and banking infrastructure.
Launched yesterday, the Critical Infrastructure Resilience (CIR) Strategy extends a $50.2 million Critical Infrastructure Protection program launched by former Attorney-General Philip Ruddock in 2004.
Current Attorney-General Robert McClelland said the new emphasis on resilience would enable organisations to deal with natural disasters or attacks more organically.
"A number of recent government policy reviews supported a shift to resilience, recognising that CIR better reflects the all hazards approach and should be promoted," a spokesman for his department told iTnews.
"These reviews include the 2008 Homeland and Border Security Review conducted by Ric Smith and the 2009 COAG-related Review of National Critical Infrastructure Protection Arrangements."
Resilience is described in the strategy as: the coordinated planning across sectors and networks; responsive, flexible and timely recovery networks; and organisational cultures that focus on providing a minimum level of service before returning to full operation.
According to the strategy (pdf), a resilience-based approach "encourages organisations to develop a more organic capacity to deal with rapid onset shock."
"This is in preference to the more traditional approach of developing plans to deal with a finite set of scenarios, especially in the context of an increasingly complex environment."
The strategy is informed and supported by a Trusted Information Sharing Network (TISN) that involves sector groups, expert advisory groups, and various communities of interest.
It is also underpinned by Australia's Cyber Security Strategy and national computer emergency response team, CERT Australia.
The TISN's communications and IT security sector groups both receive secretariat support from the Department of Broadband, Communications and the Digital Economy (DBCDE).
Recognising that many of Australia's critical infrastructure networks are privately owned and operated, the Government has taken a non-regulatory approach to implementing its strategy.
"Australian businesses are responsible for ensuring that they have appropriate measures in place to secure their infrastructure, including plans for continuity of business," the Attorney-General's spokesman said.
"The Attorney-General's Department works collaboratively with Australia's critical infrastructure organisations ... to ensure that they have access to information that can assist them to develop appropriate protective security and organisational resilience measures."
Resources are available on the TISN website outlining risks of, and best practices for, remote access, wireless and mobile device security, user access management and outsourcing.
The Attorney-General's Department plans to introduce a separate Implementation Plan "over the next few months", and also plans to conduct a "comprehensive review" of the strategy in 2015.