Australia’s water industry can enhance critical infrastructure risk management by learning from Europe’s integrated resilience strategies. James Boddam-Whetham, the General Manager of Noggin, a Motorola Solutions company, has thoughts on how Australia’s water industry could progress.
Australia is no stranger to attacks on its water supply infrastructure. Indeed, we were one of the first countries to experience a cyber-attack on its sewage systems, back in 2000, when a disgruntled contractor hacked into a computerised waste management system in Queensland, releasing millions of litres of sewage into local parks and rivers.
Around the world, these types of attacks have only become more commonplace. In 2023, for instance, a cyberattack caused a water tank overflow in Texas. Nor is water infrastructure the only target: the critical infrastructure sector writ large is under attack. Last November, the Australian Signals Directorate, reporting on the cyber threat from 2023 to 2024, announced that over 11 per cent of cyber security incidents were related to critical infrastructure.
How the water supply industry is faring with regulation
In turn, successive governments here in Australia have been responding to these trendlines, crafting ever-more stringent security legislation to regulate the industry. Starting with 2018’s Security of Critical Infrastructure Act (SOCI), the government has been upping the compliance burden on industry to enhance the security and resilience of our critical infrastructure sectors.
As many of you know, Parliament passed another set of amendments to the SOCI Act only last year. Catalysed by the 2023-2030 Australian Cyber Security Strategy, these latest amendments place more management powers (no longer limited to serious cyber incidents but all serious incidents that might compromise security and continuity) in the hands of regulators to issue directions to change an entity’s critical infrastructure risk management program (CIRMP).
When asked how they’re faring, industry leaders acknowledge that they aren’t quite ready for the updated compliance obligations. As reported in the industry white paper, Securing Society: Insights on Cyber-Physical Safety in Australia’s Critical Infrastructure, 60 per cent of responding industry leaders cited struggles with maintaining comprehensive asset registers, conducting vulnerability assessments, and meeting the SOCI Act’s Positive Security Obligations (PSOs).
So, what can Australia’s water industry learn from global examples of critical infrastructure compliance? I turn to the example of Europe.
The example of the EU
Europe, like Australia, is no stranger to attacks on its critical infrastructure. But unlike in Australia, there’s an active war in Europe, exacerbating the critical infrastructure threat. In response, the European Union has promulgated two major directives to shore up the security and continuity of its critical entities.
The first is the Directive on the Resilience of Critical Entities. Entering into force in January 2023, almost a year after the war in Ukraine began, the Directive, which sets requirements for Member States to pass into national law, aims to strengthen the resilience of critical entities against natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.
In their turn, regulated critical entities will soon have to carry out regular risk assessments before taking the appropriate technical, security, and organisational measures needed to enhance resilience and ensure the ability to notify competent authorities of incidents.
The EU Commission will soon be handing down non-binding guidelines to further specify appropriate technical, security, and organisational measures critical entities must take once they have fully assessed risk. Whatever the Commission and regulators come up with, entities will have to document the steps they take in a detailed resilience plan before applying that plan in practice. That resilience plan will have to focus on the following:
- Preventing incidents from occurring
- Ensuring adequate protection of critical infrastructure
- Addressing the impact of and recovery from incidents
- Guaranteeing adequate employee security management
Beyond developing resilience plans, entities will likely also have to formulate initiatives (such as developing or adapting risk management and resilience frameworks) to ensure compliance.
The other compliance regime for critical infrastructure entities in the EU is the NIS2 (Network and Information Security) Directive, the heir to NIS1 (2016), which sought to enhance cybersecurity cooperation among and harmonisation across EU Member States.
The heart of NIS2 compliance for medium-sized or larger enterprises within critical infrastructure sectors is the requirement to adopt cybersecurity risk-management measures. As with the Directive on the Resilience of Critical Entities, these measures are intended to be appropriate and proportionate technical, operational, and organisational procedures applicable to all operations and services of the entity concerned – not just information technology (IT) assets or the critical services that the entity provides.
More interesting still for Australia’s critical infrastructure sector, the prescribed measures must also be based on “an all-hazard approach,” protecting the physical and environmental security of network and information systems against system failure, human error, malicious acts, and natural phenomena. Falling under this rubric are measures such as the following:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, disaster recovery, and crisis management
- Supply chain security
- Security in network and information systems acquisition, development, and maintenance
- Cybersecurity risk management
- Human resources security, access control policies, and asset management
Of course, the measures listed above don’t represent the full extent of the compliance burden placed on European critical infrastructure organisations. The throughline, however, is the crucial importance of proactive risk management. We at Noggin, therefore, recommend introducing flexibility and integration to the risk management programs and procedures our water supply infrastructure entities develop to comply with SOCI here in Australia.
Such integrated resilience management will likely encompass dedicated capabilities for critical infrastructure management, preparedness, threat intelligence, incident management, vulnerability assessment, and third-party risk management.
In the final analysis, Australia’s water industry is experiencing an uptick in security threats, propelling increasing government demands. One way to move forward with compliant risk management programs is to look to the example of peers in jurisdictions like the EU.
I’d also recommend investing in integrated software to give your critical infrastructure risk management program the flexibility it needs. Solutions like our own at Noggin empower entities to meet their compliance obligations by enabling teams to work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience.
For more information, visit noggin.io