No one needs reminding of the increase in the quantity and complexity of cyberattacks, particularly those targeting vital infrastructure. But critical infrastructure asset owners and operators, in particular, should know that they will have their work cut out for them to proactively identify and reduce security threats.
How to do it? Embrace risk management. Here’s how to go about it.
Why risk management for critical infrastructure asset owners and operators?
But why?
Well, in certain jurisdictions, critical infrastructure asset owners and operators are required by law to embrace risk management principles.
Indeed, in Australia, for instance, asset owners and operators of regulated entities are legally obligated to manage risks that may impact their business continuity as well as the country’s economy, security, and sovereignty.
This is part and parcel of the positive security obligation (PSO) placed on regulated entities. PSOs are exactly what they sound like: security mandates that firms must abide by to avoid regulatory sanction.
What does risk management look like for regulated entities?
PSOs might differ by industry, but they will likely include a risk management component.
What might risk management look like for regulated entities?
For one, regulated entities are likely to have to take an all-hazards approach when identifying and understanding their security risks, covering both natural and human-induced hazards. Examples include:
- Understanding how risks might accumulate throughout the supply chain
- Understanding the way systems are interacting
- Outlining which of these risks may have a significant consequence to core service provision
Beyond identifying and understanding risks, entities will likely also have to put appropriate risk mitigations in place.
What do these entail? Here, risk mitigation encompasses proactive risk management, processes to detect and respond to threats, a plan for disasters, and a way to lessen negative impacts should disasters occur.
In this compliance regime, regulated entities are also responsible for engaging with their relevant regulator to ensure that identified risks and proposed mitigations are proportionate to risk, while also respecting business, societal, and economic impacts.
Risk management procedures to minimize the impact of security incidents
Even in jurisdictions without explicit risk requirements, critical infrastructure asset owners and operators should plan for things to go wrong. That’s as much for the country’s security as for protecting the corporate bottom line.
Here, entities should consider putting robust procedures in place to recover as quickly as possible from incidents, should threats be realized.
For example, entities should ensure that they have plans in place for a variety of incidents. That might include having the following:
- Back-ups of key systems
- An adequate stock on hand (such as medicines)
- Redundancies for key inputs
- Out-of-hours processes and procedures
- Ability to communicate with affected customers
These risk management procedures, however, should be part of a comprehensive risk management program – rather than free-floating measures.
Entities should have appropriate risk management oversight and responsibilities in place. That means strong governance and clear lines of accountability, demonstrated comprehensive planning, as well as a robust assurance and review process in place proportionate to the identified risks.
What other risk management principles should owners and operators follow to enhance the security of their critical infrastructure assets? Learn what Australia has demanded of its critical infrastructure asset owners and operators.