E-Yang Tang has been CGI Vice President and CTO of Cyber Security in Australia since 2018.

His passion for law enforcement began during his time as a police Officer with the Singapore Police Coast Guard Division. Following a few years of hot pursuits intercepting traffickers and smugglers, he obtained a first-class honours degree in Computer Engineering, majoring in Public Key Cryptography, from Monash University.

Keeping our Australian Critical Infrastructure (CI) safe is just that, critical to the security and safety of all Australians. And it’s such an important topic that at CGI, we decided to write a new THINGUIDE on the subject. The THINGUIDE to Securing Critical Infrastructure covers the entire topic of what Australian CI is and how to approach it. In its endorsement of this pocket guide, the AISA noted that securing CI is bigger than just cyber security or information security. Indeed, to think of CI in purely cyber security terms is to fail to grasp the full picture. However, I’m convinced of the huge value that your existing cyber security operations can contribute.

Cyber, physical, operational....who should own security in an organisation?

Securing Australian CI is not optional, it’s a requirement. We also believe that you’ll have assets that are as critical to your business’s survival, as our national assets are to Australia’s. This means your board is responsible for securing them and having processes that support them. If you don’t, you’re risking the very survival of your business. Securing Australian CI and your own critical assets involves different types of security - cyber, operational, physical and personnel, as well as needing to cover natural and business continuity risks. Who ultimately runs your security efforts is a decision unique to your organisation, based on ability, need and suitability but, whoever you choose, your cyber security team has to play a major, if not leading, role in your efforts.

Taking my own organisation as an example, at CGI, the cyber security teams take the lead on securing Critical Infrastructure globally. Our direction is determined by two main factors. First of all the fact that IT is so integral to our business and running our organisational infrastructure, our greatest risks are to do with information technology. Cyber intrusion is probably the greatest business risk any organisation currently faces. Every year the number of ‘attacks’, for whatever purpose, increases. The Australian Cyber Security Centre (ACSC) annual report for the 2020-2021 year shows an overall 15% increase in general cybercrime. This is a year-on-year increase.

The growing scope of responsibility for cyber teams

This is a global phenomenon, which brings me to the second factor - at a global level we, in CGI that’s 2000+ cyber security practitioners, have constantly had to expand our remit beyond traditional IT. Cyber Security started with data security, then embraced unstructured data (any human readable information), then operational technology, and trusting the people who have access to it, then the places it’s stored, and so on. With each level of risk, we in the Cyber Security community have had to expand, and prove, our ability to protect anything connected with technology.

The result has been the formalisation of our own methods and expertise at CGI and also the development of a ‘Gold Standard’ of cyber security: ISO/IEC 27001. This has been revised over the years to reflect the growing threats and risks inherent in what was originally ‘Information Security’. Most large, and many small, companies either have or are implementing it; we’re helping many of them to do so. Its coverage is both broad and comprehensive. It’s particularly relevant because it goes beyond obvious cyber security policies, such as information security and communication security and covers risk assessment, asset management, supplier relationships (at a security level), human resources security and even physical (access) security and business continuity. It even has templates for the documentation needed to implement security ‘controls’. It is, I believe, one of the most effective starting points for Australian CI and protecting your own critical assets.

We’re realists, we know that simply handing over Australian CI security, or your own critical asset protection initiatives, to your cyber security team won’t cover everything. Risks or hazards to critical assets are categorised by our Government (and many others) as being: physical and natural, cyber and information security, personnel, and supply chain. Although cyber security experts should be aware of physical hazards, they may not have the same level of expertise as, for example, a plant manager or a hospital administrator.

The subject of supply chain security is something we will cover in an upcoming post. Supply chain cyber security is a cyber security issue; continuity of supply is an equally important, but separate issue.

Only you and your organisation can decide who should lead your efforts to protect your own and, by extension, our Australian Critical Infrastructure. We know that securing CI is not exclusively a cyber security topic but believe that failing to apply cyber security principles, standards and methods will lead to failure. Time to download your copy of our THINGUIDE to Securing Critical Infrastructure; everything will be even clearer once you’ve read it.