To help safeguard essential services crucial for citizens’ well-being and quality of life, the Australian government enacted the Security of Critical Infrastructure Act[i] (SOCI) in 2018. The act aims to mitigate cyber threats targeting critical infrastructure assets, reducing the risk of damage or disruption.
The act originally covered four core sectors: electricity, gas, water and ports. It has since been expanded to cover assets in 11 other critical infrastructure sectors, including financial services, communications, data storage and processing, defense, food and grocery, healthcare, higher education, transport, space technology, energy, and water and sewerage.
The reality is that all critical infrastructure assets could be directly affected by a cyber incident, potentially putting a nation’s industrial security at risk. In May 2021, for example, a major oil pipeline fell victim to a ransomware attack, leading to a shutdown lasting several days that impacted consumers and businesses along the East Coast of the United States. The hack was deemed a national security threat with the U.S. Department of Transportation invoking emergency powers[ii] in response to the attack.
Why organizations need to focus on SOCI
So, what do organizations need to know about SOCI? First and foremost, failure to comply with SOCI carries legal ramifications, along with the possibility of physical, financial and reputational damage. This means organizations with critical infrastructure need to immediately focus on making sure their operational technology (OT) cybersecurity is up to the task.
Prioritizing cybersecurity and cyber resilience is imperative for every organization and corporate board. This emphasis stems from the fact that under SOCI regulations, board members are now required to understand the consequences of a cyberattack and can even be held personally accountable for a cyber breach. Non-compliance can result in substantial civil penalties, up to AUD 55,500 for corporations and AUD 11,100 for individuals per day.[iii]
With SOCI, if an organization becomes aware that a critical cybersecurity incident has occurred and is having a “significant impact” on the availability of an asset, it must notify the Australian Cyber Security Centre (ACSC) within 12 hours after learning of the incident. Likewise, if an organization learns that a cybersecurity incident has occurred and that incident is having a “relevant impact” on its asset, it must notify the ACSC within 72 hours after becoming aware of the incident.
OT vs IT
As OT and IT systems continue to converge, the threat of cyberattacks will increase. One important factor that all organizations need to understand is that defending OT environments from cyber incidents will require a different set of strategies and tools than are currently used to protect IT systems.
Cybersecurity measures commonly deployed to protect IT – such as patching and antivirus management, secure file transfer, end-point monitoring, threat detection and response, and network hardening—are conspicuously absent in the OT realm. People may ask why? In many cases, OT systems and networks were designed and budgeted to provide base requirements for system operation and functional reliability and not with a cybersecurity-by-design approach.
Often, there is not adequate understanding or visibility of the growing OT cybersecurity risk. Even more, there is a significant shortage of cybersecurity professionals with domain expertise in the O.T. space.
How to spot malware
The crucial question arises: How can an organization distinguish an active OT cyber threat from traditional equipment failure?
Consider an air conditioning control system. There might be a failure with the unit, such as a belt snapping on the fan motor or an issue with one of the variable speed drives or a faulty temperature sensor. How would the organization know what’s causing the issue? After all, it might not be a run-of-the-mill equipment failure but rather a piece of malware downloaded to the network that is interfering with the control system.
The reality is that it’s hard to know for sure.
Leading the charge
This is where Honeywell can help. Honeywell’s remotely connected building operations center, located and hosted in Australia, is designed to monitor end-to-end OT environments, combining OT and cyber analytics, data and alerts to help identify and resolve issues as they arise. Key features include real-time device discovery, real-time threat monitoring, and remote cyber and OT alarms. The remote service also provides automation and assists enabling a fixed reporting process to notify the government within the required 72 hours.
Honeywell can also help organizations establish a critical infrastructure risk-management program (CIRMP). This holds significance because, according to SOCI, critical infrastructure organizations are required to have already devised and executed a CIRMP. What’s more, by August 2024, organizations must be prepared to meet and comply with the cybersecurity framework identified in their CIRMP.
Honeywell’s cyber practice provides a range of professional services coupled with state-of-the-art technology designed to help identify and mitigate potential operational tech cyber risks specifically relating to people, processes and technology. This makes it possible to quantify risks associated with your OT environment and provide greater confidence of compliance to the board. Honeywell solutions can be tailored to suit any organization, starting from any level of maturity.
Unlike traditional cybersecurity geared to IT networks, Honeywell solutions are designed for the OT environment. These vendor-agnostic solutions identify threats, anomalous behavior and vulnerabilities to help organizations reduce and manage cybersecurity risks across all their sites. With Honeywell, operators of critical infrastructure can run their OT environments more securely, avoid disruptions and reduce threats to safety.
Connect with a Honeywell cybersecurity expert today to learn more.
[i] Australian Government Department of Home Affairs, Security of Critical Infrastructure Act 2018, [Accessed April 17, 2024]
[ii] The Guardian, US invokes emergency powers after cyber-attack on fuel pipeline, [Accessed May 1, 2024]
[iii] Federal Register of Legislation, Security of Critical Infrastructure Act 2018, [Accessed May 17, 2024]
