Project Brief

CRITICAL NEXUS:

The role of policy and cybersecurity in critical infrastructure resilience

1.    Abstract

Reliable access to energy, water, transport, finance, and communications are inextricably linked to societal stability, economic output, and ultimately, national security. Governments worldwide are acutely aware of the role these essential services play in underpinning the function of contemporary society. Nevertheless, despite more than two decades of working to address critical infrastructure protection, recent cyber-attacks such as those impacting Colonial Pipeline, the Amsterdam-Rotterdam-Antwerp refining hub, and more recently DP World Australia, attest to critical infrastructure resilience remaining a formidable task; moreover, one with potentially far-reaching and dire consequences should regulators and industry fall short in combating increasingly sophisticated and capable adversaries.

This research initiative explores the global critical infrastructure policy landscape, focusing firstly on identifying policy characteristics with the potential to realise material uplift in cyber posture and maturity, and mapping these against nations engaging in critical infrastructure strategy or policy. Following this, Australia’s approach will be analysed in the context of global findings, with a discussion on government and industry’s role in securing critical infrastructure assets, concluding with recommendations on additional policy and strategic elements to further progress critical infrastructure resilience.

2.    Project Brief

From ransomware syndicates targeting medical facilities with time-critical risk-to-life consequences, to nation-state actors engaging in grey zone activities for geopolitical advantage, critical infrastructure is a high-value target across multiple threat actor categories. While such scenarios may be reminiscent of dystopian futures portrayed in fiction, they are, in fact, occurring in the here and now. The 2017 attacks on the UK National Health System and the ongoing campaign of Russian cyber-attacks on Ukrainian infrastructure serve as high-profile examples of significant societal disruption.

Addressing critical infrastructure protection presents multifaceted challenges for policymakers and asset owners alike. Governments face navigating complex legislative structures and regulatory bodies with overlapping responsibilities, while endeavouring to harmonise diverse stakeholder interests in formulating strategies that balance efficacy against the burden of regulatory impost imposed upon asset owners. Further complexity is found in the array of technologies deployed in critical infrastructure domains, from commodity information technology to specialised industrial controllers manipulating the physical environment. Many such devices have lifecycles measured in decades, having been designed and installed well before cyber risk arising from converged information technology and operational technology environments were considered. Subsequently, standard information security practices policymakers may recommend asset owners deploy are often ill-suited or outright dangerous in operational technology settings such as power stations, nuclear reactors, oil refineries, etc.

This collision of highly complex challenges and high-consequence outcomes at the national scale makes for a critical nexus warranting investigation.

3.    Objectives

The research intent is to contribute to the body of knowledge by presenting a global survey of critical infrastructure resilience policy, accompanied by characterisation and analysis of policy elements that give rise to effective cyber posture and maturity uplift. Subsequently, discussion will pivot to assessment of Australia’s approach, and the role of government and industry stakeholders in securing the nation’s critical infrastructure assets.

4.    Problem Domain

When examining potential research topics in cybersecurity, one can posit two categories of research problems worthy of pursuit: problems lacking sufficient consideration, and problems lacking focused perspective. The nexus between critical infrastructure policy and cybersecurity is arguably both.

Adding to the body of knowledge in this field brings the potential for impactful contribution due to the relatively limited research volume. Despite the importance of safeguarding critical infrastructure and the essential services provided, there remains an observable gap in scholarly investigation specifically focused on the intersection of policy and cybersecurity within the context of critical infrastructure resilience. In targeting this gap, the opportunity exists to generate valuable insights to inform policy and practice as government and industry look to enhance critical infrastructure resilience. Moreover, the timeliness of this research is underscored by deteriorating geopolitical stability, with escalating tensions and rivalries heightening the likelihood of attacks targeting critical infrastructure as a means of exerting strategic influence or coercion. As such, conducting research in this area addresses a knowledge gap and serves the need for proactive measures to strengthen critical infrastructure resilience in times of increasing uncertainty.

The focus of this research initiative is:

How does policy influence critical infrastructure cyber resilience, and what is Australia’s comparative standing on the world stage?

  1. What commonalities and differentiators characterise the global policy landscape addressing critical infrastructure cyber resilience?
  2. How does Australia’s policy position drive advancements in cyber posture and maturity for critical infrastructure assets within the national context?

5.    Outcomes

The primary outcomes of this research initiative are:

  • Survey of global critical infrastructure policy landscape,
  • Identification and characterisation of policy attributes,
  • Analysis of attributes contributing to material cyber posture and/or maturity uplift,
  • Assessment of Australia’s approach and characterisation against global findings.

Pending research outcomes, additional commentary on the roles of government, industry, and academia may be provided should findings support the provision of such a narrative.

6.    Course and Project Alignment

The nominated research initiative demonstrates strong alignment with the 2718CS Master of Cyber Security Articulated Set, focusing on contemporary governance and application of cybersecurity principles and practices. In doing so, the body of work draws upon fundamental learnings from:

  • ITC595, Information Security
  • ITC596, IT Risk Management
  • ITE514, Professional Systems Security
  • ITE533, Cybersecurity Management
  • ITE534, Cyberwarfare and Terrorism

Likewise, although to a lesser extent, the balance of subjects studied contributes to baseline knowledge supporting research and assessment activities.

As such, this capstone project brief satisfies 2718CS Master of Cyber Security course alignment requirements.

7.    Resources

Böröcz, M. (2021). Critical Infrastructure Protection Policy in the EU.Strategic impact, 80(3), 46-61. https://doi.org/10.53477/1841-5784-21-15

Izycki, E., & Vianna, E. W. (2021). Critical Infrastructure: A Battlefield for Cyber Warfare? International Conference on Cyber Warfare and Security , 454–XII. https://doi.org/10.34190/IWS.21.011

Kulugh, V. E., Mbanaso, U. M., & Chukwudebe, G. (2022). Cybersecurity Resilience Maturity Assessment Model for Critical National Information Infrastructure. SN Computer Science, 3(3). https://doi.org/10.1007/s42979-022-01108-x

Pagnacco, A. (2021). Critical Information Infrastructure Protection: Between Cybersecurity and Policymaking. Italian Conference on Cybersecurity. https://api.semanticscholar.org/CorpusID:245331222

Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 No 33 (Cth.) (2022). https://www.legislation.gov.au/Details/C2022A00033

Security Legislation Amendment (Critical Infrastructure) Act 2021 No 124 (Cth.) (2021). https://www.legislation.gov.au/Details/C2021A00124

Tvaronavičienė, M., Plėta, T., Beretas, C. P., & Lelešienė, L. (2022). Analysis of the critical infrastructure cyber security policy. Insights into Regional Development (Online). 4(1), 26-39. https://doi.org/10.9770/IRD.2022.4.1(2)

Warren, M. (2021). Australia Critical Infrastructure Protection: A Twenty-Year Journey. Journal of Information Warfare, 20(4), 45-56. https://bit.ly/ITC571-LV-Jrn_Info_Warfare

Leave a Reply

Your email address will not be published. Required fields are marked *

Step 1 of 2
Please sign in first
You are on your way to create a site.

Log in