Operators of critical infrastructure assets may not have the visibility needed to meet compliance requirements for a national security bill, according to cyber-physical systems experts. But with comprehensive pre-employment screening and compliance monitoring technology, these organisations can be assured that personnel risk, at least, is under control.
Second part of Critical Infrastructure Bill sails through parliament
The second part of the Security Legislation Amendment (Critical Infrastructure Protection) Bill was passed by Parliament on 31st March 2022. Its rapid passage from Bill to law reflects growing concerns about cyberattacks against the background of Russia’s aggression in Ukraine, a rocky relationship with China, and the findings of the ACSC Annual Cyber Threat Report.
Entities that own or operate critical infrastructure assets in Australia are now obligated to create and maintain a critical infrastructure risk management program. But as ITNews warns, most critical infrastructure operators will be unlikely to meet the requirements of the bill in the near future due to a lack of visibility.
What are the requirements?
The Bill requires owners of certain assets to “adopt, maintain and comply with” an all-hazards critical infrastructure risk management program. Impacted owners operate across multiple sectors including communications, transport, financial services, defence, higher education, energy, health care, water and sewerage.
According to a breakdown of the new laws by, “all-hazards” includes physical security hazards, natural hazards, cyber and information security hazards, supply chain hazards, and (crucially), personnel hazards.
The Bill requires asset owners to create a risk management program that includes a risk identification process, a risk management process for each material risk to an asset that will minimise or eliminate the risk, and a process for reviewing the program. A Critical Asset Register (CAR) includes people risk; the threat of employees, contractors and other personnel exploiting a physical or IT vulnerability.
What are the personnel risks to critical infrastructure assets?
A March 2022 report by Imperva/Forrester found that despite the majority (58%) of incidents that negatively impacted sensitive data in the past 12 months being caused by insider threats, 59% of APAC organisations do not prioritise insider threats in the same way they prioritise external cyber threats. Three-quarters (74%) of APAC organisations do not have an insider risk management strategy or policy.
While some of the strategies to protect against insider threat include encryption, auditing of employee activity, and training, a key data protection strategy is to keep known criminals from entering the organisation in the first place. A sophisticated background checking system supported by technology that offers complete visibility will help ensure 100% compliance with the personnel aspect of the ‘all-hazards’ risk management program required by the Bill.
Visibility remains the key hurdle to regulatory compliance
Speaking about the Bill, cyber-physical systems expert Lani Refiti told ITNews that organisations “can’t secure what they can’t see … organisations need to have comprehensive visibility of their assets before they can even think about managing and patching them.”
While Refiti was talking about the need to gain visibility into the security of infrastructure such as manufacturing plants, this advice applies equally to visibility of your employees, candidate background checks, and ongoing compliance management. Tools such as CVCheck and Cited include in-built compliance workflows that give risk managers visibility and control over candidate check results and approvals so you can hire and manage compliance with confidence.
