Posted: 09 Nov. 2021

Creating resilient infrastructure by paying close attention

It was an honour to participate in this year’s AFR Infrastructure Summit as part of a panel which focused on exploring our collective journey towards creating resilient infrastructure well into the future.

The world is changing fast, with infrastructure-driven stimulus booms meeting the disruptive winds of technology and digital service changes, increased cyberattacks, environmental disasters and evolving legislation and regulation. With this environment in mind our session kicked off with a quick definition of resilience – an often-heard buzzword since COVID-19 hit. Resilience, in relation to business, is the ability of an organisation to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity. Resilience is also about people, because without people there is no infrastructure; it becomes monolithic. It does nothing, and is no good to anyone.

And let’s not forget resilience’s bedfellow, sustainability. Together, they are keeping business and government leaders awake at night; especially in the infrastructure sector.

Michelle Price, CEO, AustCyber, led off our discussion and shared some interesting stats about the number of Australian businesses that said they were prepared for cyberattacks before and since COVID-19: the number has slightly increased, from about 10-15% to 25% in the last 12 months. At least we’re heading in the right direction! But that also means 75% of Australian businesses do not believe they are prepared for a cyberattack or major disruption to their operations, making them extremely vulnerable. Conversely, cyber is one of the top five reported issues in the Australian media. It’s on everyone’s agenda, as it should be. Because the number of cyberattacks is rising exponentially – on both physical assets like critical infrastructure, and digital assets like sensitive information, data, IP and other ‘intangible assets’.

All businesses are a target, no matter the sector or their size. The perpetrators? Either nation states or governments from other countries that want to cause deliberate harm through manipulation by changing circumstances. These attacks are typically strategic and targeted. Or, gangs (syndicates of organised criminals), who are purely driven by making money. And although motivations and tactics differ in scale and severity, businesses need a singular response: a cyber-physical security and resilience strategy.

We then heard from Ainsley Simpson, CEO, Infrastructure Sustainability Council, who gave some great insights into the increasing popularity of the organisation’s voluntary IS Rating Scheme. Increasing demand is driven by policy, funding, planning and procurement requirements. For example, for policy: a progressive transport authority with different thresholds may use the rating system to contractualise sustainability assessments. Or for planning, a Government department may require all critical infrastructure to measure its sustainability performance. And in the case of procurement, the majority of state government agencies need to show that they are using public funding wisely, measuring what they should in terms of economic, social and environmental performance benefits.

Regardless of the imperative, Ainsley said that the Council has seen promising improvements – incremental and exponential – in assets’ triple bottom line reporting. And the rating process itself has seen some fantastic results. Ainsley mentioned an example involving millions of tonnes’ worth of reductions in carbon dioxide emissions in the lifecycle of an energy infrastructure.

I agree with Ainsley that what gets measured, gets done – the role of the Council is more important than ever. In more recent years it’s been great to see asset managers actively benchmarking their performance, and making informed decisions about their assets and their future lifecycles. Most recently, in response to industry feedback, the Council has decided to continually reiterate the ratings scheme to make sure it is always relevant and current. This is great news for the sector.

Another key tool which holds asset owners accountable is legislation, which I highlighted. The upcoming changes to the Security of Critical Infrastructure Act (SOCI), which will be fully rolled out by the middle of next year, have huge implications for assets and those who manage them.

The SOCI legislation introduces positive enforceable obligations on asset owners and operators, with Boards facing increasing requirements to understand, prepare and transparently monitor and report. The new Act is asset-driven, principles-based legislation, which expands the risk domains from cyber to include supply chain, personnel and physical threats and hazards, and drives a converged risk assessment view. This is essential in building resilience in the infrastructure sector. Why? Because we are in a virtual cyber war. Businesses and governments are unprepared for cyberattacks, even though they are confronted by the possibility every single day. The updated Act will take more infrastructure into consideration, because critical infrastructure has extended well beyond large physical assets like transport and dams, power turbines and ports to groceries, financial services, broadcast service providers... In other words, the critical infrastructure landscape has expanded, and so has the number, complexity and magnitude of threats. Millions of assets are now in ambit.

What does all this mean? Asset owners need to be continually vigilant, understand their asset and infrastructure stack, and plan and prepare to mitigate all foreseeable and actionable risks.

They cannot let their guard down, and need to continually ask themselves: what are the risks in front of us? The threat landscape is increasingly converging. Asset owners need to take a step back, stop assessing risks on a siloed basis, and assess them instead on an ‘all hazards’ converged risk basis.

It’s important for Boards to comply with the Act as part of their fiduciary responsibilities. They need to remember that risks are foreseeable. Simply put, if you’re sitting in a leadership position, it is foreseeable that you will be attacked. For example, a cyberattack can cost you a significant ransom. An unsustainable supply chain can make your operations unviable. Board members need to understand all of these risks, and plan to mitigate them. In the case of the Act, the Federal Government will expect critical infrastructure asset owners to respond quickly. Leaders can start getting ready now, and need to get on the front foot.

Alexander Danne, Partner, Head of Energy + Infrastructure, Gilbert + Tobin, also shared some great insights and said that there are two risks to infrastructure: cybersecurity and infra technology. In other words, how can we build long term assets that are supported by contracts that can be renegotiated, depending on tech-driven or other changing circumstances? And how can you maintain obligation transparency? And the sustainability of the contractual environment? These are all considerations for existing and future infrastructure owners.

Ultimately, great infrastructure makes Australia a fantastic place to live, work and thrive. Michelle closed our panel discussions with three great tips for leaders:

  1.  Really care! The secret to getting cyber right is to recognise that it is highly contextual. You cannot ‘pick up and put down’ what others are doing. Your organisation and the context in which you’re operating is different. It requires your attention, so focus on it
  2.  Back up your data remotely
  3.  Make sure you are truly recognising the cyber physical – be sharp on who you are employing, who is supplying you, and who else they are supplying to. Value chains are where the risks lie.

In closing, my key takeaway is that organisations cannot be complacent. The pace, scale and sophistication of risks confronting organisations are continually growing. They need to know their assets in detail, focus on prevention rather than response strategies, and be ready and willing to act when needed.

Panellists:

Alexander Danne, Partner, Head of Energy + Infrastructure, Gilbert + Tobin
Michelle Price, CEO, AustCyber
Theo Psychogios, Partner, Deloitte
Ainsley Simpson, CEO, Infrastructure Sustainability Council
Martin Kelly, Property Reporter, The Australian Financial Review

Theo Psychogios

Partner, Financial advisory

Theo has experience providing economic, policy, and commercial advice to public sector organisations and the private sector entities they engage with, particularly in the assessment and review of how government services can be delivered and the assessment, review and development of economic and social infrastructure. Theo’s primary focus is assisting clients assess the merits and value proposition of transformative urban renewal, service delivery reform, and major infrastructure investments.