Australian critical infrastructure companies are reportedly experiencing increased uncertainty and risks to their supply chain security as they address risk management requirements under the Security of Critical Infrastructure (SOCI) Act, an invite-only panel discussion on ‘Supply Chain Security as a Component of the Insider Risk Program’ heard on Tuesday (28 February 2023).
The event, hosted by Providence Consulting Group and the Australian Cyber Collaboration Centre, was well-timed given the 17 February 2023 commencement of the Security of Critical Infrastructure (SOCI) (Critical infrastructure risk management program) Rules 2023.
Commencement of the Rules means that in six months, from 17 August 2023, critical infrastructure asset owners and operators must establish and comply with the Critical Infrastructure Risk Management Program. The program will require an annual risk mitigation maturity report, cleared at the SOCI entity board level, being provided to the Department of Home Affairs from 2024.
Hamish Hansford, Home Affairs’ Head of Cyber and Infrastructure Security Centre, contributed alongside a panel of cyber and personnel security leaders including Providence CEO Adash Janiszewski, Martin Moseley from the Australian Border Force Australian Trusted Trader program, Ben Somerville from DHL Express (Australia), and the event moderator Matt Salier, Chief Executive Officer of the Australian Cyber Collaboration Centre.
The panel discussion identified a range of risks that could affect the supply chain, include commercial risks, regulatory risks, insurance risk, freighting risk and labour risks.
“Supply chain security goes beyond cybersecurity. Technical solutions will not help if a supplier cannot spot a trusted insider who would like to exploit your data and information,” Mr Janiszewski told the event.
The panel heard that supply chain security largely centred on the identification, assessment, and management of risk stemming from human sources whose legitimate access provides them access to damage supply chain operations. Human-based sources of risk include criminals, malicious insiders, unintentional insiders, sophisticated organised criminal entities and foreign nation state interference.
Mr Hansford noted that supply chain security is the most challenging element of the Critical Infrastructure Risk Management Program because one risk cannot be treated in isolation of other risks. Mr Hansford also noted the challenge for senior executives and boards, who will have to approve annual risk maturity reporting to Home Affairs, of both receiving and understanding this risk management advice and translating that into protecting their SOCI entity.
All of the panel members agreed the fundamental importance of a well-developed and mature security culture in an entity. Success requires a workforce to be educated about security and for the security culture to be supportive with a view to identifying and assisting people who might need assistance so that they do not become an insider risk.
The panel agreed that improving supply chain security requires government and private sector to work collaboratively and share information, recognising the security environment is dynamic and evolves at a rapid pace.
Each organisation needs to establish requirements suitable for organisation’s business model, its role and function in the supply chain. They should take holistic and coordinated action to mitigate the security risks and overcome future challenges to their supply chain.
