Securing critical national infrastructure
With recent legislative changes for the management of risk in critical infrastructure, Ravinn were engaged by an Australian airport* to undertake a cyber security review of their systems, with a focus on Operational Technology (OT) systems, across the airports operating environment.
New legislation for critical infrastructure
The intent of this review was to enable them to understand the key cyber risks and identify the areas to focus on to build cyber resilience across the organisation and enable them to plan to incorporate the legislative requirements and be ready before the allotted time period for operators of critical infrastructure assets.
The SOCI Act (2018) provides a framework for managing risks relating to critical infrastructure and has an emphasis on cyber security requirements. The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022. The SLACIP Act amends the SOCI Act to introduce the following key measures:
A new obligation for responsible entities to create and maintain a critical infrastructure risk management program
new framework for enhanced cyber security obligations required by operators of systems of national significance (Australia’s most important critical infrastructure assets – SoNS)
The reforms in the SLACIP Act seek to make risk management, preparedness, prevention and resilience, part of business as usual for the owners and operators of critical infrastructure assets and to improve information exchange between industry and government to build a more comprehensive understanding of threats.
The SLACIP Act expanded the designated critical infrastructure sectors to eleven sectors which includes Transport. With the planned Transport Security Amendment (Critical Infrastructure) Bill, aimed at the aviation and maritime industries in particular, due out in late 2022, our client were proactively seeking to get ahead of the game.
Aviation cyber threats
The cyber threat landscape for aviation is an active and fast-changing environment. In 2020, Russian state actors are alleged to have compromised San Francisco International Airport, targeting websites used by employees and contractors. In Canada, the IT system of Saskatoon Airport was allegedly breached in December 2021. In 2020, just before the declaration of the COVID pandemic, a report found that 97{39e37070b3f55e0471ddc18c12cea5de2b2fb5248dec69a89d59c3ad014b0f62} of the 100 biggest airlines in the world had outdated software, with known, exploitable vulnerabilities and inadequate encryption. When one considers the mix of Information Technology (IT) and Operational Technology (OT) and the lives at stake, worst case scenarios are enough to make the blood run cold.
Cyber resilience with Ravinn
There are two main components to becoming cyber resilient. First, is to understand the threats to your own systems and the risks attendant upon these threats. Second is understanding where the priorities are for building cyber resilience within the systems; this approach makes the most effective use of time and money and ensures tackle the most serious risks first.
There is no direct correlation between the cost of cyber security measures and efficacy. Many risks can be treated with relatively simple, yet solid, treatments. Ravinn provides the expertise to help identify these “quick-win” aspects, whilst helping to build a plan for the larger, more costly measures which might also be required. This approach can help prevent one becoming an unhappy statistic along the journey to cyber resilience.
Ravinn provided a report that included a threat overview and risk assessment and including prioritised practical actions that should be taken to mitigate these risks, using clear language to concisely highlight action points for airport management.
This report was very well received, positioning the airport to not only protect passengers, staff and all other personnel at the airport, but also get a head-start on meeting their obligations under the new legislation.
Expert Assistance Saves Time, Money and Stress
Managing critical infrastructure, such as an airport, is stressful enough. Trying to decipher the new cyber security requirements can seem like a daunting task. One airport has already discovered that tapping into Ravinn’s pool of expertise can make the whole process easier, quicker, and more cost effective.
Contact us if you want help with the critical infrastructure legislative requirements and becoming cyber resilient! Some requirements are already in place, so don’t wait to check how these may apply to your organisation.
Critical reform and media links
- Critical Infrastructure- changes to legislation
- Security Legislation Amendment (Critical Infrastructure Protection) Act 2022
- Aviation and maritime critical infrastructure reforms
- Russian state hackers behind San Francisco airport hack
- Saskatoon Airport Authority hit with cyber attack
- Forbes: Airport Security Concern As 97{39e37070b3f55e0471ddc18c12cea5de2b2fb5248dec69a89d59c3ad014b0f62} Of World’s Top 100 Fail Cybersecurity Test
*Note that for operational security reasons we may withhold details of our clients.
