What keeps Australia’s critical infrastructure boss up at night

If Australia doesn’t take a broad ‘all hazard’ approach to critical infrastructure it could find itself facing a catastrophic risk it isn’t prepared for, a technology conference has heard.

Hamish Hansford addresses TiG 2024 in Canberra on July 23, 2024.

Hamish Hansford heads the Australian Cyber and Infrastructure Security Centre within Home Affairs, which brings together cyber security and critical infrastructure policy.

He spoke about the importance of a holistic approach to risk and outlined the issues that keep him up at night at the Tech in Gov conference in Canberra on Tuesday.

“Unless we’re looking holistically in an all hazard manner and actually taking a national view about our collective risk, we may well one day have a catastrophic risk that we’re not prepared for,” he told delegates.

Mr Hansford said while the government’s response to the July 19 CrowdStrike incident that disabled 8.5 million devices around the world was effective, it highlighted existing challenges, including:

Risk responsibility

The number one concern, according to Mr Hansford, is who owns responsibility for cyber risk. With different risks shared among CTOs, users and cybersecurity professionals, there’s often a high level of confusion about who is actually managing it.

“I think that’s an outstanding challenge that we should collectively think about,” he said. “Understanding who bears the risk, how do we mitigate that risk and work more collaboratively together, particularly when it comes to legacy technology.”

Procurement

Another challenge lies in procurement, one of three issues targeted in a series of directives to government agencies issued by Home Affairs earlier this month.

Mr Hansford said high standards in procurement frameworks aren’t always accompanied by due diligence in process, including in relation to claims about standards under the Essential 8.

Supply chain management

Supply chain management currently suffers from duplication, creating a particular risk, Mr Hansford told the conference.

“Surely there is a better way that we can approach the management of supply chain so that we can reduce the duplicate work … and use collective economic power to actually drive security uplift,” Mr Hansford said.

He said there was a need for a more granular understanding of supply chain networks, of where goods and services are deployed across the public and private sectors, and for better business continuity planning to respond to malicious or other incidents.

“That’s an area that I see time and time again as an area of immense work in critical infrastructure, but an immense area of vulnerability and I think the … (CrowdStrike) update that went awry (is an) immediate example of what can happen with supply chain.”

Security policy

The current protective security policy framework is complex, consisting of 16 different overlapping policies, and the government is currently working to simplify it.

“What we’re trying to do is inspire people to think about risk management and security more generally, and that is an area of work at a policy and conceptual level,” he said.

Interdependence

Mr Hansford listed his final area of concern as interdependence and interdependent risk.

There are currently 60 businesses with 168 systems of national significance that, if subject to a cyber incident, would have ‘disproportionate and cascading impact’.

“Our work has been, over the last two years … making sure there’s a community wrapped around those systems of national significance,” he said.

“How do we think about incident response? How do we have the plans in place to enable an effective response, and how do we exercise those plans?”

All hazards approach

The government has introduced a requirement for the nation’s critical infrastructure to have an all hazards risk management program by August, and the next step will be to apply the same requirement for systems of government significance.

“There are a range of risks that are impacting us, across the economy, across government, that [we need] to think about holistically,” Mr Hansford said.

“Every minute we focus on , particularly from my perspective and government and critical infrastructure security, is a minute that we should be preparing for a worst case scenario – hoping for the best but planning for the worst.”
