Critical infrastructure and the resilience tightrope

Jason Stevens

The Australian innovation ecosystem demands a more precise definition of resilience for critical infrastructure that moves beyond cataloguing vulnerabilities, and leaders must encourage bold strides to build it.

The Defence Advanced Research Projects Agency (DARPA) in the US, which targets an 80 per cent failure rate to birth groundbreaking solutions, offers a path to follow for resilience building innovation.

For example, DARPA’s Cyber Grand Challenge revolutionised cybersecurity approaches through a competition where autonomous systems battled to swiftly find vulnerabilities and patch flawed code within seconds, not months.

Australia could benefit from similar high-risk, high-reward initiatives that drive innovation in resilience. This concept is evolving to encompass physical infrastructure like power, electricity, gas, as well as the cyber dimension.

It defines a company or agency that foresees and withstands disruptions, swiftly bouncing back and adapting for the future. This safety net allows businesses to thrive no matter the challenges, including cyberattacks, supply chain issues, or natural disasters.

In the context of a food supply company, for example, resilience involves ensuring the physical infrastructure necessary for food production and distribution and safeguarding the cybersecurity aspects of their operations.

While international cybersecurity standards like NIST and the Essential Eight set the stage for safe innovation, taking more “calculated risks across the public and private sector can lead to new business models, cutting-edge technology implementations, or novel ways to serve customers”, according to Dr Huon Curtis, Senior Research Fellow at the ANU College of Law’s Tech Policy Design Centre.

During the latest episode of podcast series Securing critical infrastructure: the regulatory vs the practical, in partnership with SentinelOne, he pointed to notable innovation at the state level in the decentralised digital identification (Digital ID) platforms being created by the NSW Government. These platforms address the shortcomings of legacy systems but also create new opportunities for innovative resilience building.

For example, the state’s Digital Driver Licence (DDL) has a 77 per cent adoption rate after focusing on transparency, a user-friendly interface, and the increased need for digital engagement during the pandemic.

Other examples include the arrival of the ConnectID digital verification platform, bridging the public and private sectors through a government partnership with Australia’s leading banks to meet the safe handling of customer data while prioritising user consent under the Trusted Digital Identity Framework (TDIF).

Digital ID is a cornerstone technology that the government hopes will help make Australia the most secure nation by 2030. “This target also reminds us that more innovation is needed to build national resilience,” said Dr Curtis.

To maintain trust and build more resilience, government must also rectify the optimism bias in agencies’ cybersecurity compliance self-reporting identified by the Australian National Audit Office. Failure to do so may lead to understating existing IT vulnerabilities, directly impacting resilience.

“In the private sector, complacency at a board level remains a concern, and the positioning of cybersecurity as a priority is often unclear,” Dr Curtis said.

SentinelOne Regional Director for Australia and New Zealand Jason Duerden, a co-speaker on the podcast, said board members are often “ruled by fear, uncertainty, and doubt when taking action on cybersecurity.”

Until a breach, a ransomware demand, or data leaks on the dark web, board members don’t fully appreciate the potential risks, he said.

“While there is awareness globally and locally that cybersecurity is a priority, positioning it on the board priority list is still a question that needs answering,” Mr Duerden said.

With the government driving discussions around critical infrastructure resilience with new laws, board members must embrace legislation and advance their digital cyber maturity.

The alternative is that high-profile breaches continue, driving large-scale customer exits from their companies.

Cyber intrusions may also impact public safety, forcing emergency management providers back to legacy radio equipment to communicate effectively in responding to fires and floods, as happened in Victoria recently.

“Making systems more secure and resilient is a sign of maturity and a commercial differentiator leading to profitability,” said Dr Curtis.

Regionally and globally, the government has called upon its Quad partners – India, Japan and the United States – to adopt a ransomware policy that discourages payments to cyber adversaries and introduces reporting obligations for exceptional circumstances.

“My colleagues wrote the ransomware policy recommendations (above) urging a board-level statement of compliance,” said Dr Curtis. The report absorbed insights from leaders across academia, industry and government.

Meanwhile, Australia and its Quad alliance partners are also working to enhance software design within regional supply chains. They focus on DARPA-like initiatives, including the Quad Cyber Challenge, to raise cyber security awareness and build a more secure and resilient cyber ecosystem to benefit economies and users globally.

Regarding local supply chain risk management, Mr Duerden emphasised how integrating AI, generative AI, and machine learning has been crucial in limiting damage from recent intrusions, including the 3CX phone hack, which affected over 600,000 global companies and around 12 million active users.

“These technologies enable early detection of potential threats, empowering organisations to respond promptly and recover effectively,” he said.

By leveraging AI-driven insights, businesses can enhance their supply chain risk management and implement proactive measures to mitigate cybersecurity risks while pursuing resilience.

“Ultimately, we need to embrace failure as a learning tool and move towards a landscape where resilience is more than a buzzword when protecting critical infrastructure,” said Dr Curtis.

This necessitates reshaping the partnership between the public and private sectors and cultivating a mindset that embraces calculated risks and shared responsibility.

Securing critical infrastructure: The regulatory vs the practical podcast series and accompanying articles are produced by in partnership with SentinelOne.
