In 1999, an article in the New York Times discussed the possibility of an “electronic Pearl Harbour”. Twelve years later, the US Secretary of Defence asserted that “the next Pearl Harbour… could very well be a cyber-attack,” one that might be “as destructive as the terrorist attack of 9/11.”
The threat of cybersecurity compromise isn’t new. Nor is it confined to the United States. Over the last five years, the world has watched the threat environment grow in both size and complexity.
From Ukraine to Israel
In 2016, Ukraine’s electricity grid was attacked by Russian malware. In the middle of a bitterly cold winter, power was cut to a fifth of Kiev. In 2017, Britain was struck by WannaCry, a piece of “ransomware” created by North Korean hackers. It hit Britain’s National Health Service, affecting hospitals and almost 600 medical practices. Last year, an Israeli water and wastewater plant experienced a strike from suspected Iranian sources.
Earlier this year, President Biden was forced to declare a state of emergency after Colonial Pipeline suffered one of the most disruptive ransomware attacks in US history. Incapacitation of computerised equipment prevented millions of barrels of petrol, diesel, and jet fuel from being delivered. It was reported that a US$5m ransom was paid. In August, 2021, President Biden met with infrastructure, technology, and finance leaders to discuss the “whole-of-nation effort needed to address cybersecurity threats.”
Closer to home
The Australian Government has sought to strengthen our national resilience through significant reforms to the Security of Critical Infrastructure (SOCI) Act 2018, cognisant of the very real hazards facing our economy and society. These reforms compel critical infrastructure stakeholders to enhance their security and resilience through a range of new due diligence, risk mitigation and governance obligations.
Passage of the SOCI Act implicitly acknowledges that threats, especially cyber-attacks, have reached a level where decisive action is now required. While cybersecurity is an important factor, it’s not the only threat facing the nation’s critical infrastructure. The Commonwealth Government has sought to develop a more holistic and converged approach by introducing explicit obligations to identify all hazards in reasonably minimising or eliminating material risks.
The role of regulators
There’s no doubt that significant expenditure will be required under the Government’s new framework. This creates several challenges in regulated markets with natural monopolies. There, policing of expenditure against the traditional criteria of prudency and efficiency needs to be balanced with the measures required to meet the SOCI Act, without opening the floodgates to potential “gold plating”.
Regulators play an essential role in preventing consumers from carrying the burden of overcapitalisation, but as a society we equally need to avoid disruption to essential services that could result in considerable consequential losses from underinvestment in security and resilience.
Reaching that balance won’t necessarily be a smooth journey. Even procedural considerations become more problematic. The SOCI framework requires stakeholders to respond within a timeframe that doesn’t align with any specific regulated period, because there’s no concept of a regulated period within the Act. This creates a disparity in how to deal with existing forecasting and expenditure frameworks. That is compounded by the fact there is no precedent or prior periods that can be looked at for benchmarking all-hazards type expenditure. In fact, the whole concept of benchmarking becomes far more convoluted, given that circumstances and mitigations will be spread across capex and opex in different ways for each stakeholder based on their own unique and specific assets. Evaluating this expenditure is not something that can be done in a public forum, given the highly sensitive nature of the information involved.
Part of the complex dynamic comes from a strong disincentive for regulated organisations to develop strategies and invest in controls without a clear cost recovery pathway. Arguably there is an implicit social contract by which any natural monopoly should already have priced and deployed appropriate systems, protecting their assets in the normal course of doing business. The fact that the Government has stepped in with such substantial intervention suggests regulated businesses may not have gone far enough in the current threat environment.
While it has created a compelling new framework, the Government hasn’t given much specific direction in how it expects individual sectors and organisations to respond. This is good, in that it facilitates the development of tailored strategies, but it’s also precarious in that limited direction puts the onus on stakeholders to assess trade-offs between costs and benefits in complying with the SOCI Act.
Regulators will have to make similar assessments when presented with expenditure proposals. Sector-specific, co-designed rules may help provide greater clarity, but these are intended to complement the sector-agnostic positive obligations, which remain the core “call to action” and doctrine within the framework. Given strong signals from Canberra, there is a potential risk of ‘over-compliance’. The consequences of this are arguably far less than unintentionally under-complying.
The question is how likely that is as an outcome, and whether the social benefits of prioritising a higher threshold of security and resilience outweigh any potential cost inefficiencies in getting there. As the US discovered with Colonial Pipeline, the incidental and consequential losses resulting from a critical infrastructure breach can be extensive.
Australia’s path forward
It’s difficult to argue that it’s not in Australia’s best interests to protect its critical infrastructure. A pathway forward in safeguarding the continuity of essential services and the economy is judicious. Money will need to be spent filling capability gaps. Moving through that process quickly and efficiently will involve a transitionary period of increased expenditure. Regulated businesses have a difficult task ahead in identifying and remediating hazards. Regulators have a challenging role in testing and validating their responses. Rather than approaching it from a traditional arm’s-length perspective, greater collaboration and information sharing could greatly increase transparency, align expectations and provide more certainty as both parties work through the complications of meeting the Government’s targets.
Applying the all-hazards lens of the SOCI Act, and how we respond as a nation, may even serve as a test case for how to approach broader resilience issues such as climate change. The effects of climate change, if unmitigated, would wreak devastation similar to, if not worse than, that of a successful cyber-attack.
In December 2015, the Sydney Desalination Plant was significantly damaged by a tornado that affected the suburb of Kurnell in the Sutherland Shire. The consequences? It took three years to rebuild. While the tornado was described as a 1-in-200-year event, it is unequivocal that climate change is increasing the frequency and severity of extreme climate events. It’s fortunate that Sydney wasn’t in drought at that time or in the subsequent period of rebuilding the plant.
Owners of regulated assets need to ensure that their risk assessment and mitigation adequately captures all hazards. Regulators in turn need to ensure that the prudent costs of doing so are passed through to consumers. This will require a shift in focus from the short-term efficiency costs to thinking about what is in the long-term national interest, taking into consideration broader interdependencies across the economy. A more forward-looking lens is not just about existing consumers. Future consumers – and our broader society – must also be considered as regulators and governments address the thorny concept of intergenerational equity.
Governments may also need to adopt a more systems-based approach to planning and managing critical infrastructure, ensuring the availability of individual critical assets is accounted for in a way that safeguards the system as a whole. Sydney’s summer of 2019-20 provides a poignant illustration. As drought and bushfires ravaged much of the country, an extraordinary rain event in February 2020 filled the dams. Along with the rain came a torrent of fire and flood debris that contaminated the Warragamba water supply, resulting in the need to temporarily cut it off. Luckily the Sydney Desalination Plant was in full operation and, thanks to the availability of other sources (including Prospect Reservoir), the city’s water supply remained undisturbed. While lucky in this situation, it nevertheless serves as an example of how interdependencies and contingency planning across critical systems are becoming as important as the individual assets themselves.
As a nation, we are boldly heading into an uncertain future. Critical infrastructure stakeholders will need to consider the Government’s all-hazards legislation as they prepare for natural disasters, pandemics, and complex new threat vectors. Australians understandably want an economy and society built on robust and reliable foundations. Regulators and industry have a unique opportunity to work together in giving effect to that under the Commonwealth’s security and resilience initiative.
Theo has experience providing economic, policy, and commercial advice to public sector organisations and the private sector entities they engage with, particularly in the assessment and review of how government services can be delivered and the assessment, review and development of economic and social infrastructure. Theo’s primary focus is assisting clients assess the merits and value proposition of transformative urban renewal, service delivery reform, and major infrastructure investments.
The Federal Government’s 2020 Cyber Security Strategy includes significant regulatory reforms that compel critical infrastructure stakeholders to uplift the security and resilience of their assets through more extensive due diligence, risk mitigation and governance.