Cyber Attacks Can Shut Down Critical Infrastructure. It’s Time to Make Cyber Security Compulsory

In some industries, this assessment will factor in the cost of a lost customer base who may never return. However, providers of critical services such as transportation, medical care, electricity, water, and food see little risk of losing customers.

After the Colonial incident, customers trooped back to petrol stations as soon as they could and went on buying fuel. Thus, critical industries may perceive less cost from a breach than companies in other industries because their customers will return.

Time for Compliance
Australia’s national efforts in cyber security are coordinated by the Australian Cyber Security Centre (ACSC) under the auspices of the Australian Signals Directorate. The ACSC works with public and private sector organizations to share information about threats and guidance on best practices for security.

ACSC documents such as the Essential Eight provide guidance for organizations on baseline security measures. These are supplemented by more comprehensive resources including the Australian Government Information Security Manual.

However, our research has shown the best practices are not universally followed, even by the Australian government’s own websites.

Lack of knowledge is not the problem. Security best practices are generally well understood and documented by the ACSC. The ACSC also provides specific guidance for critical sectors and industries, such as a security framework developed for the energy sector.

The challenge here is that these are guidelines only. Companies can choose whether to follow them or not.

What Australia needs is a cyber security compliance program. This would mean making it compulsory for companies that manage critical infrastructure such as ports or pipelines to follow some kind of rules.

A first step might be to demand these companies comply with the existing guidelines, and require certification of a baseline of cyber security.

Lessons from the United States
The US government responded to the Colonial cyber attack with an executive order to improve cyber security and federal government networks. The order proposes a raft of measures to modernize standards and improve information sharing and reporting requirements. These are valuable measures, many of which are already within the scope of the existing duties of Australia’s ACSC.

Another measure in the US order is the establishment of an independent Cyber Safety Review Board. Australia could likewise establish a partnership between government and industry to oversee cyber security. A similar body already regulates aviation: the Civil Aviation Safety Authority.

Such an organization would provide robust analysis and reporting of cyber incidents. It would also share information with information technology managers, software and hardware developers, public administrators, crisis managers, and others.

Cyber security threats create high levels of uncertainty for the public and private sector. Attacks that disrupt critical supply chain infrastructure have widespread impacts on society and trade.

A cyber security compliance program may be financially costly, but would be a worthwhile investment given the societal impact of a successful cyber attack.

Richard Oloruntoba is Associate Professor of Supply Chain Management & Supply Chain Management Lead, Curtin University. Nik Thompson is Associate Professor of Information Systems, Curtin University. This article is published courtesy of The Conversation.