Page 44 - Food&Drink Business magazine September 2022
CYBERSECURITY
Building a secure state for critical infrastructure
As part of Australia’s critical infrastructure, food and beverage manufacturing is subject to federal security legislation that came into effect in April. Michael Murphy from Fortinet outlines how to ensure a secure risk management program.
The food and beverage manufacturing sector is a core component of Australia’s critical infrastructure (CI), which means a cyberattack on an organisation in this industry could compromise food supply and safety.
Consequently, the sector has been included in the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act), which came into effect on 2 April 2022 and has led to significant changes relating to cyber resilience requirements for CI operators.
The SLACIP Act amends various infrastructure asset definitions and calls for CI operators to adopt, maintain, update, and comply with a critical infrastructure risk management program.
Further amendments also require CI operators to report a critical cyberattack within 12 hours and undergo regular cybersecurity exercises.
While reporting critical assets and disclosing cyber security incidents is mandatory, regular cybersecurity exercises are only required if the organisation is deemed a system of national significance that must adhere to enhanced cyber security obligations.
It is important for businesses operating in the food and grocery industry to understand what their obligations are, especially if they fall into this category, which many will.
Even if businesses aren’t subject to mandatory cybersecurity exercises, it is crucial that businesses take steps to strengthen their cybersecurity posture to protect the valuable assets that they manage as part of their operations.
ESCALATING ATTACKS
Manufacturers are gearing up cybersecurity efforts in the face of escalating attacks on the plant floor. Many of these production sites run on legacy operational technology (OT) that wasn’t designed to connect to the internet and, therefore, doesn’t necessarily have cybersecurity measures built in.
To mitigate risk, many businesses believe that additional technology will solve the problem; however, this approach often increases complexity and creates new gaps for cybercriminals to exploit.
To protect themselves, manufacturers must ensure they have complete visibility into all their systems and processes and constantly monitor for cyberthreats.
The best way for food and grocery manufacturers to proactively manage risk is by establishing a cybersecurity risk management framework.
Conforming to an industry-recognised security framework lets businesses proactively manage plans to better identify, assess, evaluate, and deal with commodity and highly sophisticated cybersecurity challenges. This builds operational resilience to prevent disruption, operational downtime, and ultimately, loss of revenue generation.
THREE PILLARS
When it comes to adopting such frameworks, manufacturers need to consider three essential pillars around which to build their frameworks and better protect CI assets and OT from cybersecurity events.
1 ACHIEVE NETWORK VISIBILITY
As cybercriminals become increasingly sophisticated, food and beverage manufacturers need a high level of visibility into their networks to not only comply with legislation, but to understand what assets need to be protected at all costs.
Not everything in the network