SMEs get swept up in critical infrastructure laws

Stuart Corner

A high percentage of Australia’s small and medium businesses (SMEs) could be swept up by provisions in new legislation designed to secure Australia’s critical infrastructure, now before a parliamentary committee.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 introduces a Positive Security Obligation (PSO) that requires entities covered by the legislation to manage the security and resilience of their critical infrastructure assets.

There are several different elements to the obligations, to be designed by the government in consultation with industry, and how they apply to any particular entity will be determined by a set of rules.


However, according to Lani Refiti, chief executive of the industry-led advocacy and research initiative IoTSec Australia, many small businesses supplying entities that have significant critical infrastructure roles could be caught by the obligations and incur significant costs to meet compliance requirements.

In the Bridging the Cyber Divide video series, produced as a partnership between InnovationAus and CyberArk, Mr Refiti says the PSOs would be applied according to rules that will be turned off and on by government, depending on what an organisation does.

“So, if you are deemed as part of the enhanced critical infrastructure that will be covered by the Act, and are one of these smaller companies, the government may choose to turn on the PSO, and you will have to meet that obligation at a substantial cost to yourself,” he said. “Or the government may also choose not to turn it on.”

He added that there is a feature in the bill intended to fine-tune it so that it is not one-size-fits-all. “But the unfortunate issue is that some smaller companies will have the cost of doing business driven up because they will have to meet these new regulatory requirements.”

The new legislation is being reviewed by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). It proposes to considerably broaden the range of systems that will be regarded as critical infrastructure, and the range of organisations responsible for critical infrastructure.

“They are looking to expand across a number of other sectors: healthcare, medical space, technology, and such,” Mr Refiti said. “And the ramifications on those industries as well as their supply chains are becoming very, very crucial.”

According to Jeffery Kok, CyberArk’s Singapore-based vice-president of engineering for Asia-Pacific and Japan, cyber security initiatives taken by the Singapore government show how broad the concept of critical infrastructure now is.

“The government-led ‘Smart Nation’ initiative started in 2014 as a series of projects to drive pervasive adoption of digital smart technology in Singapore in order to improve efficiency and the quality of life. There’s a whole range of projects, everything from national identification and national digital identification to smart sensors everywhere,” Mr Kok said.

“As soon as they launched it, the government realised they need to protect citizens’ identity so a year later they launched the Cybersecurity Agency, with the mandate to protect Singapore’s critical infrastructure,” he said.

“They created standards, guidelines for everything from day-to-day IoT devices used at home to technologies used by utilities and transportation – all with security in mind. It’s been years in the making and we’re still only scratching the surface.”

Mr Kok said the increasingly popular practice of interconnecting operational technology (OT) and information technology (IT) networks was greatly increasing the number and type of organisations that would be swept up in the critical infrastructure net.

“A lot of critical infrastructure organisations are really looking at how they conduct their business,” he said. “Their OT environments used to be air-gapped and locked away, but they have started expanding them because of all the benefits that the new order brings. So, a lot of OT starts to look a lot more like IT.

“Now we talk to people that are IT/OT, and there has been a drastic change in how business is conducted.”

Mr Refiti provided a telling example: “One of the projects I worked on last year was around a power utility that had set up sensors on power lines across regional areas. Because of the critical nature of the network, they set it up as a separate 4G network with an MPLS backbone.

“It was always going to be separate from their IT network, but someone made a decision that they needed to correlate data across both networks,” he said.

“So within about six to seven months, they created a bridge across both networks to facilitate data sharing, and that network has just become part of the corporate network.”

The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.
