A new industry association has set out to establish a cyber intelligence sharing community to help boost the cyber resilience of the largest and smallest critical infrastructure providers in Australia.
The Critical Infrastructure Information Sharing and Analysis Centre (CI-ISAC) hopes to enlist and support the 11,000 organisations it estimates are covered across the 11 critical infrastructure sectors outlined in the Security of Critical Infrastructure (SOCI) Act.
It will also target material suppliers and Australian local government bodies, which co-founder Dr Scott Flower describes as “the forgotten critical infrastructure sector”.
When the organisation is fully networked with critical infrastructure industries, it hopes to be able to distribute technical advisories about cyber incidents, with context and executive summaries, within hours of an incident.
The main selling point to members is the distribution of digestible updates on cyber threats and guidance on how to defend against them. Information will be collected on the group’s cyber threat sharing platform.
Members will also have the opportunity to attend a fortnightly threat intelligence forum.
Dr Flower said this type of cyber resilience uplifting organisation could not reach its full potential if initiated by the federal government.
“While working at ASIO I became acutely aware that although the industry trusts government, they are still sensitive to the potential for shared information to have potentially unnecessary negative regulatory impacts on their business,” Dr Flower said.
“However, more than ever we need to increase the sharing of cyber threat intelligence to ensure there are no chinks in our collective cyber armour.”
Mr Sandell also noted that smaller businesses without extensive cybersecurity operations don’t always know how to respond to increasing cybersecurity obligations.
Amendments to the SOCI Act passed last March require organisations to develop risk management programs that “embed preparation, prevention and mitigation activities into business as usual activities”.
It also gave the Australian Signals Directorate powers to order “nationally significant” companies to install software to pass on data in certain situations.
The SOCI Act also includes a “last resort” power for the ASD to step in and take control of a company’s systems if it is subject to a cyber-attack.
The 11 sectors covered by the SOCI Act are: communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.
Using the economies of scale generated from a wide membership, the new industry association hopes to benefit the small businesses the most, by offering them the same services as larger members at a lower cost.
“As we mature in time we’ll start building in more turnkey capabilities so the stuff the smaller players can’t afford,” Mr Sandell said.
“We work with the bigger players to build standardised playbooks and base pieces of technology they can just take off the shelf and use it to start building up their security capabilities.”
“It’s not like most ISACs where if you pay top tier you get the premium service and if you pay the bottom tier you might dial into a threat call, we’re not discriminating it’s bringing everyone else on the journey, we don’t leave anyone behind. Everyone gets the same services and capabilities”.
Dr Flower noted that large critical infrastructure businesses have an incentive to share their cyber intelligence with smaller businesses across industries because they are often also their customers.
“What we’re trying to do with our financial services colleagues is say, ‘They all bank with you guys, they all have insurance with you guys’, you have a vested interest in helping uplift the sectors that aren’t your sector as well’,” Dr Flower said.
CI-ISAC will be based in Maroochydore, Sunshine Coast which Mr Sandell says has a “really supportive council for technical businesses” and a budding tech precinct.
Membership fees will vary from $1,000 to $30,000 depending on the size of the organisation and the industry it is in. At this stage the co-founders noted they have several in-principle member agreements with organisations.
Do you know more? Contact James Riley via Email.