Institute of Internal Auditors Australia
South Pacific and Asia Conference (SOPAC)
25 March 2003
Critical Infrastructure: How organisations can protect themselves
Let me begin by thanking the Institute of Internal Auditors Australia for the invitation to speak at this South Pacific and Asia Conference.
It is reasonable that citizens can take for granted the simplest tasks in their day-to-day lives. And it is reasonable that the underlying complexities of society’s infrastructure are hidden from this busy world. But perhaps never more so than at the present time, in the midst of a war, are people conscious of the vulnerabilities and threats that may well exist in day-to-day life. It is these vulnerabilities in the essential services delivered through critical infrastructure that are the subject of my presentation.
This morning we are here to discuss Critical Infrastructure and how it is assessed and managed by organisations. The obvious starting point is an appropriate definition of Critical Infrastructure.
I would then like to touch on why organisations need to take responsibility for security and protection through action. I will also review how the government is tackling these issues. And finally, in light of these observations I would like to pose some suggestions for the way forward.
Firstly, to the definition: rapid changes in technology have led to the need for continual updating of this definition. From energy utilities to transport to natural resources infrastructure, the definition is already extensive, but now it is even broader. Electronic communications are now the nervous system for our society and I have chosen to emphasise this aspect of critical infrastructure, as it is often the least understood.
The Attorney-General’s Department describes Critical Infrastructure as:
“… those physical facilities and those information technologies and communication networks which would, if destroyed, degraded or rendered unavailable for an extended period, impact on the social or economic well-being of the nation or affect Australia’s ability to conduct national defence and ensure national security.”
That definition is somewhat abstract; a more functional definition can be found in Adam Cobb’s Australia’s vulnerability to information attack: Towards a national policy. Cobb uses the term National Information Infrastructure (NII) and includes the following:
“Government networks – executive and agencies;
Banking and financial networks – stock exchanges, electronic money transfers;
Public utility networks – telecommunication systems, energy supply (military and civil), air traffic control and guidance systems such as global positioning systems (GPS) or instrument landing systems (ILS);
Emergency services networks including medical, police, fire and rescue;
Mass media dissemination systems – satellite, television, radio;
Internet;
Private corporate institutional networks; and
Education and research networks”.
Now it is easy to see why it is vital that such systems are protected. It is also not hard to imagine how dramatic and crippling a denial of service for any or all of these systems would be. You only need to ask the firestorm victims in Canberra about the impact a loss of essential services had on them.
With the interdependence that exists between systems an attack on one aspect of the National Information Infrastructure could have drastic effects further along the chain. Cobb highlights a pertinent example:
“Many…systems are also dependent on support systems. In the harsh Australian summer many of these vital computer systems will depend upon air-conditioning and related environmental-control devices to function. A specific system may be very secure from information attack, but highly sensitive to changes in temperature or humidity.”
So then, where are we now? What has changed or developed to make critical infrastructure become such a priority? Not just for the government, but for the business sector as well. I believe there have been two global changes that have dramatically affected why critical infrastructure protection must now be considered at a far higher priority. The first is neo-conservative economics and the second is the nature of terrorism.
Since the 1980s, when neo-conservative economics really came to the front of financial thinking, we have seen much of our public utility networks switch from the hands of the government to the private sector. In the past, it would have been the sole responsibility of the government to guide the protection of critical infrastructure. At the time of privatisation there would have been little consideration given to its effect on inbuilt emergency responses, system redundancy or back-up systems.
Now our crucial electricity and gas networks are in private hands. And despite the efforts of the current government, the residual-monopoly carrier, Telstra, is still majority publicly owned, but for all intents and purposes is governed as though it were a private corporation.
That being said, we are considering these issues because no single authority has control over Australia’s critical infrastructure. The Government is aware of this situation, evidenced by this statement, again from the Attorney-General’s Department:
“The protection of Australia’s critical infrastructure cannot be carried out solely by the government or by individual companies, as much of Australia’s critical infrastructure is privately owned or operated.”
We now must work with the private sector in making sure it is protected, and Australians are kept safe.
Outsourcing of critical infrastructure and mission-critical information services carries a similar risk to privatisation. The Australian National Audit Office performance audit of certain IT outsourcing contracts identified security and data protection as an issue. This was reinforced in the Humphry Review, which recommended the IT outsourcing program be abandoned, citing, amongst other things, security risks.
The second reason critical infrastructure has become such a pressing concern is due to the nature and risk of terrorist attack. The dreadful attacks on New York, Washington and closer to home in Bali, drove home the shock realisation of just how vulnerable some non-government targets can be. Thankfully Australia has seen very little terrorist activity here on our own soil, but that may not always be the case.
No one can fully say what the implications of Australia’s involvement in this current war in Iraq will be. With the uncertainty on how long the conflict in the Middle East will be drawn out, now more than ever, it is vital that everything possible is done to protect our critical life-serving and life saving infrastructure.
So what is the Australian Government doing about it?
In November 2001 the Howard government announced the formation of the Business-Government Task Force on Critical Infrastructure. The task force met on 26 and 27 March 2002. Represented at this task force were Chief Executives of companies that have a vested interest in critical infrastructure, representatives from State and Territory Governments, and a number of Commonwealth agencies. The focus of discussion was the ways in which business and government could best co-operate in the protection of critical infrastructure. From the discussions came five recommendations to the Commonwealth Government. These were:
A commitment to develop a program of study for threats and vulnerabilities to the National Information Infrastructure.
The creation of a “learning network” among key private and public sector organisations to improve their strategic response and readiness to security threats.
An examination of legislative frameworks for sharing information, ensuring confidentiality and excluding liability.
The development of models of good critical infrastructure assurance.
An examination of ways to encourage investment in the security and resilience of critical infrastructure.
In November 2002 the Commonwealth Government announced the formation of the Trusted Information Sharing Network for Critical Infrastructure Protection (TISN). According to the Attorney-General’s Office:
“TISN is intended to allow the owners and operators of critical infrastructure to share information on important issues such as business continuity, consequence management, information systems attacks and vulnerabilities, e-crime, protection of key sites from attack or sabotage, chemical, biological and radiological threats to water and food supplies, and the identification and protection of offshore and maritime assets.”
As part of TISN the Attorney-General’s Department chairs the Critical Infrastructure Advisory Council (CIAC). CIAC is made up of representatives from the various sectors of critical infrastructure, together with a representative from each of the States and Territories and from the relevant Commonwealth agencies. The main role of CIAC will be medium- to long-term issues, focusing on preventative measures rather than response arrangements for specific security incidents.
One final aspect of the Government’s strategy worth noting is the Council of Australian Governments (COAG) endorsement of the National Counter-Terrorist Committee’s (NCTC) guidelines for the protection of infrastructure. According to the TISN information:
“The NCTC is responsible for ensuring an overarching national strategy is developed and maintained for the co-ordination of the protection of critical infrastructure from terrorist attack, and that national counter-terrorist exercises including significant elements of the critical infrastructure.”
What the government hopes to achieve with these various networks is, to quote a joint media release from the Attorney-General’s Department and the Minister for IT’s office, to create a “one stop shop” for critical infrastructure protection.
My main concern with this “one stop shop” notion is whether or not it will be made accessible to all stakeholders. It seems the Government does not intend to legislate for the protection of critical infrastructure. Given the lateness of Australia’s foray into such issues at the policy level, I am not convinced we have the luxury of such a feather-light-touch approach.
It gives the impression there is a single, simple solution to a complex and challenging issue. It would be a travesty if the response were so glib that it lacked substance. This would allow only large organisations with resources to invest in a robust and meaningful critical infrastructure protection to participate. The rest of the community would be left in the dark.
I am concerned as to how real this agenda will be. Will it change behaviour or be an ongoing talkfest?
For example, there has been a lot of community concern over the effect of the sale of Telstra on the standard of service to regional and rural centres. Viewed through the prism of communications as critical infrastructure, Telstra’s willingness to merely pay its fines as a way out of its consumer service guarantees, rather than invest in its infrastructure to meet the standard, is a grave concern.
Telstra operates an extensive network of coaxial cable, microwave radio, optical fibre, digital radio concentrators, mobile phone cells, submarine cables and submarine fibre cables. It is reasonable to suggest that all of Australia’s telecommunications interconnect at some point with Telstra’s infrastructure. The continuing Senate inquiry into the Australian Telecommunications Network has drawn out some interesting evidence of the inherent risk to service standards in the neglect and inevitable decay of that infrastructure.
There is no sign on the horizon that infrastructure protection is an issue, let alone a priority. Telstra can’t even keep its services going in heavy rain.
Telstra’s decision to reduce capital expenditure and boost bottom-line profits and dividends is an effect of privatisation and cannot be separated from the decline in services and the neglect of infrastructure maintenance. This example is consistent with the neglect that occurred in Californian power stations that led to extraordinarily poor service and blackouts only a few years ago.
In fact, the US provides many other examples, but I would like to turn to an important presidential initiative in June 1997 when Bill Clinton created the President’s Commission on Critical Infrastructure Protection (PCCIP). The Commission found many of the issues that the Australian government has, five years later, highlighted – the impact of ownership in non-government hands and the need for general information sharing.
However, one aspect emphasised in the Commission that has not been fully explored in the Australian discourse is Information Stovepipes. In the past government departments and agencies’ ability to collect and distribute information has been limited due to statutes and regulations. The PCCIP asserts that:
“These carefully defined authorities that pertain to a particular community or industry can act as “stovepipes”, permitting information about emerging threats and actual penetrations or attacks to flow up and down within narrowly defined channels but preventing it from flowing across to those in other infrastructures or communities who need to know.”
If Australia’s protection of critical infrastructure is to be successful then it is vital that information is accessible and can be used to continually inform policy, practice and outcomes. For those stakeholders who are not in a position to directly participate in the government’s network there must be accurate and transparent reporting.
To date, my understanding is that information about incidents does not have to be reported outside of an organisation, so it is hard to get an accurate picture of the problem. Related to this is another area that the PCCIP emphasises, that of cost. It states that any solutions proposed must be viable in both the marketplace and the public policy area. As the PCCIP points out:
“The resources required to collect information may be too great for an individual company. And business executives feel that release of information about attacks, especially successful attacks, may subject them to stockholder suits and loss of customer confidence”
This means that if any strategy is to be successful it is vital that there is full co-operation across the board of business, and that every step is taken to make sure that those businesses participating do not suffer any undue financial burden in the process.
This is a very light touch approach that defers to commercial considerations. This is also a factor for public agencies, where political sensitivities can replace or add to commercial factors and act as a disincentive to share information about vulnerabilities and incidents.
One of the few insights into the state of security in the federal government was contained in the Australian National Audit Office’s performance audit of September 2001 titled Internet Security within Commonwealth Government Agencies. The principal objective was to form an opinion on the adequacy of Commonwealth agencies’ management of Internet security.
The Audit Office assessed protection against viruses, malicious code, website defacement, denial of service attacks, data theft and destruction, and breaches of privacy.
Among some 45 specific findings, the Audit Office found that six of the 10 agencies audited managed websites containing significant vulnerabilities, potentially exploitable by a malicious user over the Internet. In addition, the audit team identified other security issues at all sites.
The Audit Office also found that where Commonwealth websites were hosted and managed using in-house resources, the level of co-ordination and communication between the relevant groups was substantially better than when site management was contracted to an external service provider.
A series of general recommendations arose from this report, many of which appear to have been adopted in government policy. Once again, the Audit Office prompted policy movement.
It will be interesting to see whether the Government acts on all the recommendations put forward by the Government/Business Taskforce I referred to earlier.
But what should organisations be doing here and now? There are several things that organisations should be considering. The first thing is to acknowledge that we have a shared responsibility to protect our critical infrastructure and a willingness to develop a “culture of security”.
Managers need to provide adequate, secure protection of their resources. To that end the Protective Security Manual is a framework for physical, information and personnel security. For information infrastructure there is also Australian Communications Security Instruction (ACSI) 33, which provides the formal basis for organisations to develop and implement IT and website security practices.
Organisations should also undertake planning to assess their individual company risks. The standard risk management process, Australian/New Zealand Standard AS/NZS 4360, can be used to assist in this planning.
Due attention to industrial democracy principles, ensuring that employees are fully engaged with the implementation of security and critical infrastructure protection policies, is essential to ensure that outcomes are achieved. Given the tension surrounding privacy for employees, it is important to understand that privacy and security can co-exist, not compete against each other.
The education and training of all employees on the need for security helps cultivate a culture of safety and emphasises that security is a key goal for the whole organisation.
Organisations must review their risk management plans regularly, as circumstances can change very quickly. The lightning-quick worm attacks on information infrastructure, like SQL Slammer on Australia Day this year, illustrate this point.
Organisations must keep up to date with developments in information technology and adapt their procedures accordingly. This is a key point. So many times I have observed decision makers at board level in both public and private organisations duck their responsibilities on the basis that the matter involves technology.
But the reality is that the timing of a response to a new worm or virus can mean the difference between no impact on service outcomes and devastating and extensive downtime. So, first and foremost, I argue that decision makers must take the time to understand the changes wrought by technology, particularly the information infrastructure of their organisation: its software, networks and hardware.
It is not enough to just take advice and leave it to the experts. Information is core business and has been for a very long time. Strategic control of information requires understanding that information is core business. To their credit, there are a number of managers in the public sector that understand this and I know you will be hearing from them during this conference. That knowledge informs the priority that issues like e-security and critical infrastructure protection are afforded in a given organisation.
This includes, as I said, understanding the need for ongoing risk assessment. Recently the government has conducted terrorist scenario testing. If the government conducts similar exercises regarding the national information infrastructure, businesses would be well advised to participate. This would give organisations a chance to test the effectiveness of their security measures and make any improvements.
Organisations should also consider participating in the summit on Critical Infrastructure Protection to be held next month in Melbourne. At this summit the administrative arrangements regarding the creation of TISN and CIAC will be discussed, and the make-up of sector representation for TISN and CIAC will be considered. It is vital that stakeholders participate in this forum. Details can be accessed via the Attorney-General’s website.
And finally, the most important practical, ongoing activity any organisation can undertake to protect critical infrastructure is to report any incidents or suspicious activity to the relevant authorities. People may be surprised to learn that the Defence Signals Directorate (DSD) is willing and able to advise and provide assistance on such matters.
I thank you for your time.