Skip to main content

Security of Critical Infrastructure

Protecting Critical Infrastructure and Systems of National Significance

The Federal Government has stepped in to strength our national resilience through significant regulatory reforms and amendments to the Security of Critical Infrastructure (SOCI) Act 2018. These compel infrastructure stakeholders to uplift the security of their assets through a range of new due diligence, risk mitigation and governance obligations.

The onset of COVID-19 has forever changed the world's economic and social fabric. Disruption to business models and supply chains have accelerated the appetite and need for digital transformation. While new communication, automation, collaboration, data processing, cloud and AI technologies offer enhanced productivity, they also increase the size and complexity of an organisation's attack surface and its vulnerabilities.

Adversaries are on the hunt, rapidly expanding the scale and sophistication of their attacks. Exploitations are occurring with greater frequency, severity and scope with incursions penetrating deeper and remaining undetected for longer. Australia's critical infrastructure remains a priority target, exposed to advanced and persistent threat actors increasingly motivated by nation states and big financial returns. A worsening threat landscape combined with greater digitisation and growing interdependencies have brought us to a dangerous crossroads.

The Federal Government's SOCI initiative is a principles-based, holistic response that goes beyond cyber-security alone. It requires critical infrastructure stakeholders to identify and reasonably mitigate all hazards across their cyber, human resources, supply chain and physical operations. Through the introduction of mandatory positive obligations, asset owners, operators and their Boards are being made directly accountable for implementing more robust risk management frameworks to enhance the resilience of key sectors in the economy.

At Deloitte, protecting critical infrastructure goes well beyond just great cyber-security. We can support you in identifying and mitigating threats and hazards across your entire organisation with risk minimisation strategies designed around global best practices in security, interoperability and scalability that ensure your commercial feasibility and financial exposure are sufficiently safeguarded.

  • $1.67 billion Federal initiative to uplift the security and resilience of critical infrastructure
  • Strengthening and expansion of Federal departments, agencies and powers
  • Amendment and creation of legislation, regulations and rules
  • New obligations on asset owners and operators to secure their products and services
  • Disruption to business models and supply chains from COVID
  • Insufficient risk management, resilience and accountability across all sectors
  • Greater potential for contagion from a compromise due to growing interdependence
  • Significant increase in the sophistication and frequency of cyber-attacks
  • Microsoft Exchange Hafnium; Software AG Clop; SolarWinds; Oldsmar Water; Indian RedEcho
  • Expanded definition of critical infrastructure
  • Broader sectors in scope
  • More assets in scope
  • New enforceable positive obligations
  • New enhanced cyber-security obligations
  • New Federal Department, Agency and Ministerial powers
  • Greater accountability and governance oversight
  • Significant capital and financial implications for non-compliance

Approximately 30% of Australian industry is now within scope, including:

  • Energy
  • Communications
  • Data Storage or Processing
  • Defence
  • Financial Services and Markets
  • Food and Grocery
  • Healthcare and Medical
  • Higher Education and Research
  • Space
  • Transport
  • Water and Sewerage.

Responsible entities for one or more critical infrastructure asset must have a written Risk Management Program that evidences a defensible risk profile based on appropriate evaluation, mitigation, accountability and governance measures. We can support you in:

  • Understanding the security implications of the regulatory and legislative landscape
  • Disaggregating the components of your critical infrastructure assets
  • Identifying threats and hazards that could have a material risk of impacting your assets
  • Assessing the likelihood and consequences of any threats or hazards
  • Implementing new controls
  • Ongoing monitoring and governance using continuous improvement measures.

Stakeholders within immediate scope are not the only parties that should take action. The Department of Home Affairs and Critical Infrastructure Centre have indicated that the regulatory framework will evolve commensurate with the threat environment. Any organisation within, or directly proximate to, a critical infrastructure sector should evaluate the future likelihood of falling within ambit and have a clear strategy for that eventuality.

How can Deloitte help?

At Deloitte we have the depth of expertise and multi-disciplinary teams needed to disaggregate, evaluate and respond to the challenges facing your organisation. We can support you in identifying and mitigating the threats and hazards across your cyber, human resources, supply chain and physical operations, including risk minimisation strategies designed around global best practices in security, interoperability and scalability.

By adopting a holistic approach, we can work with you in addressing compliance in a way that ensures your commercial feasibility and financial exposure are sufficiently safeguarded. Our cross-sectoral experience allows us to drill down to the key issues and assist in developing, documenting and actioning a Risk Management Program that facilitates growth, flexibility and innovation while positioning your Board and Management to meet their governance obligations.

We understand the challenges facing your business. Start the journey with us today and get a clear picture of your security posture, hygiene and options before your assets are affected.

Our Insights

Is your business a critical infrastructure asset?

Did you find this useful?

Thanks for your feedback

If you would like to help improve further, please complete a 3-minute survey