Australia’s CISC Releases Risk Assessment Advisory For Critical Infrastructure Across Energy Sector

18 January 2023

Australia’s Cyber and Infrastructure Security Centre (CISC) released on Tuesday its Risk Assessment advisory for critical infrastructure across the energy sector. The document emphasizes the requirement for stakeholders to modify their risk management approaches to guarantee that risks associated with the operation of assets essential for the country’s economic and social prosperity are identified accurately.

The Risk Assessment advisory is designed to guide entities in assessing these types of risks to Australia’s critical infrastructure. “Through the provision of suggested risk assessment approaches, the material aims to assist sector stakeholders to adapt existing risk practices and help organizations understand risks within the broader national critical infrastructure context,” the document said.

The document begins by defining risk for critical infrastructure in a way that may differ from how entities have viewed risk in the past. “Risks that have the greatest impact on the social or economic stability of Australia or its people, the defence of Australia or national security, also need to be considered and framed within critical infrastructure entities’ existing risk management strategies,” it added.

The document said that “as part of this risk identification, organisations can consider broadly how the confidentiality, availability, integrity, and reliability of their assets may be impacted during and after any incident. Understanding this potential ‘relevant impact’ is important to prioritise risk and determine how best to both minimise the likelihood of the risk occurring and mitigate the potential impact.”

“Some entities in the Energy Sector have security-related regulations already in place,” the Australian Risk Assessment advisory said. “Entities in the sector may need to consider guidance such as the Australian Energy Sector Cyber Security Framework (AESCSF) or the Australian Domestic Gas Security Mechanism (ADGSM), or look to their state or territory government for regulatory frameworks and consider how they can incorporate national security–related risk into existing risk management frameworks. Entities should also refer to other CISC sector guidance for further information,” it added.

The advisory called for the adoption of an all-hazards risk management approach to address convergence risks and ensure responses are comprehensive and integrated. This requires collaboration between all stakeholders, including internal business units, sector and supply chain stakeholders, law enforcement, and emergency services. Furthermore, organizations should draw on information from government stakeholders to ensure the relevant threats and hazards are considered. Multidisciplinary approaches, collaboration and integration are all suitable for inclusion in a critical infrastructure entity’s risk assessment.

The advisory then turns to identifying and assessing criticality for energy sector critical infrastructure providers. This includes determining which sites and components of an asset should be considered critical, and involves identifying and analyzing how an asset and its operations may be exposed to, or harmed by, threats and/or hazards.

The process is vital for all-hazards risk management, providing input into the identification of plausible risk scenarios that may impact operations. The critical sites and components of an asset are ultimately those most vital to its effective functioning and therefore integral to Australia’s national security interests. Establishing criticality is designed to guide the allocation of resources to best protect the operational capability of the asset.

Identifying important trends and technology drivers, and how they affect risk, can be challenging; trends interact in unpredictable ways, at times with profound consequences. Organizations can contribute to the process of monitoring and assessing threats through internal risk assessments. By identifying emerging risks, organizations can directly improve their security posture and share this information with external security bodies.

The advisory also addresses sector interdependencies and relationships. As critical functions can be exposed and vulnerable in the event of failure within another critical infrastructure sector, a critical infrastructure entity needs to carefully consider the sector interdependencies that interact with its operations as part of any critical infrastructure risk assessment.

“The Energy Sector is an upstream dependency of a number of other critical infrastructure sectors; as much as other sectors rely on its downstream services,” the Risk Assessment advisory said.

The document also describes the threat and hazard landscape of the energy sector. All-hazards risk assessment considers both human-induced and natural threats and hazards. Given its role in critical infrastructure, as well as the key economic importance of its services, the energy sector is an attractive target, and the nationally dispersed nature of its assets increases its susceptibility to natural hazards.

“The nature of physical, personnel, cyber, and supply chain threats to the sector is increasingly sophisticated and well resourced, and the frequency and magnitude of attacks is escalating,” the Risk Assessment advisory said. “Additional considerations might include geopolitical tensions, pandemics, and the demonstrated potential for cybertechnologies to be used as a long-distance act of aggression by nation states or other actors.”

It added that threats will endure and remain complex, and the energy sector, driven by improvements in technology and the need to meet commercial outcomes, will become more interconnected. This means that stakeholders in the energy sector need to re-evaluate risks regularly.

Due to interdependencies among different critical infrastructure sectors and assets, it is necessary to manage many risks collectively, the Risk Assessment advisory said. “Many risks may be poorly addressed because their causes or effects are still misunderstood, they are novel, or there is a lack of guidance on how to address them. Accountabilities for addressing some risks may also be unclear. Some risks may be too rare to justify allocation of resources to mitigate them. Finally, the consequences may be too large for any entity to address by itself,” it added.

For a given energy sector asset, the loss of its resources will cause downstream issues in other sectors that are potentially vast, and more detrimental to those industries than the direct damage to the energy asset itself. “Ongoing analysis of risks can lead to a better understanding of mitigation strategies, including their application at the source. Business continuity planning, consequence management, emergency management, disaster mitigation, vulnerability assessment, insurance, and other related disciplines all provide a variety of possible actions,” the document added.

The Risk Assessment advisory also includes a ‘Risk Assessment Methodology’ that energy sector organizations looking to improve their risk management processes may want to consider. The six-step approach to risk assessment was developed specifically for critical infrastructure assets. The steps are: understanding the business and sector landscape and how it fits under critical infrastructure; identifying critical assets; analyzing threats, hazards and vulnerabilities; evaluating the risk that each threat poses; identifying mitigations and implementation controls; and continually monitoring risks and updating treatment strategies where required.

Last week, the U.S. Department of Energy (DOE) and the National Renewable Energy Laboratory (NREL) announced a call for applications for the second Clean Energy Cybersecurity Accelerator (CECA) cohort. Participants in the Cybersecurity Accelerator Program work to advance cyber innovation and address grid vulnerabilities while supporting the transition to a clean energy future.