
CI-RMP Summary 

Below is an outline of what was discussed in the session. 

The 2018 Security of Critical Infrastructure Act outlines the security protocols that businesses in Australia must comply with for critical infrastructure. Given the ever-changing digital age we live in, with a constantly pivoting cyber environment, it is paramount that businesses have security frameworks that are reviewed regularly. It's important to always assess the links within your business supply chain and examine where data can be compromised. Maintaining a live document that outlines risks and threats is essential in the environment we find ourselves in.

Integration – Examine ways that you can integrate your CI-RMP into your everyday business management processes. How can you embed it into existing risk management and business management frameworks?

Governance – It's important to allocate an owner for managing the compliance and implementation of your CI-RMP to ensure that it is maintained and actioned. Ask yourself: who is the best owner in our business for this? Aim to remove a siloed approach to CI-RMP management so that all team members can play a part in understanding the relevance of CI-RMP frameworks too.

Resource utilisation – Strive to build upon existing processes rather than implementing new ones.

Security culture – Inspire your team to see that we all play a part in keeping our team and systems secure. Establish basic security practices as the norm in everyday procedures. We are only as strong as our weakest link!  

Avoid a compliance mindset – It's easy to let CI-RMP frameworks become compliance tasks! However, try to avoid that mindset and focus on everyday integration. You can review case studies of other businesses or countries where there have been breaches; often it is because of this mindset that incidents have occurred, as the controls have slipped through the cracks.

As confronting as it may be, often the weakest link for security and critical infrastructure is your own insider threat. That is, threats can often come from your own team, whether intentional or unintentional. Given the complexity and constant evolution of security breaches, it's easy for team members to lose focus on security basics.

Consider using a simple insider threat program which is people-centred. Ensure that its language is not overly technical, but rather human-centric. It's important that teams see CI-RMP frameworks and processes as something that they should own and practise. In case of a breach, it's important to swiftly determine whether the breach was intentional or unintentional and invoke the respective policy procedures to mitigate the situation.

For those who are managing CI-RMP frameworks, consider the following points in your processes to ensure a holistic and human-centric insider threat program.

  • Insider threats and examples. What can we learn from these examples? Log and record all events and resolution frameworks. 
  • Mitigation of an insider threat in a SOCI event. What are the steps, policies and procedures we need to follow in the case of a SOCI event? 
  • Consider the lifecycle of an employee in an organisation. Where are the potential gaps in this cycle for incidents to happen? 
  • Risk-based workforce screening. Consider implementing a screening framework for all future and current employees.
  • Connection with the supply chain security hazard. Be sure to maintain good and relevant connections with all touch points in supply chains including personnel. 
  • Remember that threats are often internal and unintentional. How do we help mitigate this in our organisation?  
  • Geopolitical risk in investment 

Australia should think about its geopolitical position and consider where it needs to focus investment to help strengthen its resilience in case of attack.

  • Energy sector

When the war in Ukraine hit, vast areas of the country suffered energy supply outages. Without electricity, much of the country became uninhabitable, uprooting many Ukrainians. Australia needs to prioritise energy and investment in renewable or independent energy sources. It's important to diversify where energy comes from so that, in the case of attack, alternate sources can be relied upon to keep communities functioning and sustainable.

  • Supply chain resilience

Just as energy sources were disrupted when the war hit Ukraine, supply chains were also significantly impacted, limiting the supply of much-needed resources in and around Ukraine to keep it thriving. Diversifying supply chains in critical infrastructure is crucial for Australia to consider in case of attack. Consider increasing internal supply and resources along with multiple allied sources.

  • Cybersecurity

Australia should consider strengthening its critical infrastructure frameworks around cyber security given the technological age we live in, particularly in critical sectors where cybersecurity is essential, i.e. government agencies, healthcare providers etc. What investment do we need to consider in this area?

  • Insider threats
    Australia should invest in insider threat programs to mitigate risks from both external and internal actors, as threat actors targeting insiders within organisations is now a viable threat vector,