FuturePlace Interview Spotlight, Ian Robinson.
Ian Robinson is the Chief Information Officer of WaterNSW, the government-owned statutory corporation responsible for supplying the state’s bulk water needs and operating the river systems and dams in New South Wales. We sat down with Ian to discuss the current landscape of cyber vulnerabilities in the infrastructure sector.
FuturePlace: Could you tell us about what led you to your current role?
Ian Robinson: I started my career as an electrical engineer on the railway where I led the state’s northern region communications team. My whole career has been focused on the convergence of field-based sensors collecting data on the physical system, assets, and communicating that data back for visualisation for a centralised operator. Increasingly that’s led to large scale analytics use cases across the utility environment supporting either operational or asset maintenance decisions. My current role is CIO of WaterNSW, focused on the water delivery and appreciation of where that water is located, how it’s flowing and what our role is in releasing it and ensuring our assets perform to meet the expectations of the customer.
FP: How do we ensure that infrastructure is properly protected against cyber threats?
Ian: There are multiple layers of protection in the Swiss cheese model, which means we don’t rely on single layers or tools, but it comes down to a combination of visibility and hardening in response. Hardening, using techniques such as those prescribed in Essential 8, is an important step to do well. If we stop executables running, avoid typical malware access points such as email and USBs, patch regularly, build strong identity and access control systems on a segmented network, therefore making it harder for people to access systems. Importantly, having a user base with good cyber training to allow them to pick up attacks, whether it’s phishing or other social engineering type attacks that can occur on individual people is a key defence that limits attack vectors. It’s not necessarily the tools or the controls we put in but the knowledge, processes and expertise of our workforce that makes the difference. It is not just Security Operations people, cyber defence requires the whole company and its contractors to contribute and become more cyber aware.
Additionally, capturing logs and looking for anomalies with tools that are rigorously monitored, and having a security operations centre will help us and will enable us to run some procedures over the methodologies for reviewing those logs to find those anomalies. Making sure we’ve got an incident response process that can react swiftly and can have a good command and control structure that enables people to know their role and to get on with it. It’s important not to be navel gazing and wondering what’s next, and to actually activate a team that can respond to a cyber incident where that occurs.
FP: What policies and procedures are in place to promote accountability for your infrastructure cybersecurity across the organisation?
Ian: We have a large range of policies and procedures; the one we most focus on at the moment is our data classification procedure, particularly given the kind of incidents that occurred last year where protection of personal information became a very strong focus. This procedure identifies and asks what personal privacy data do we need to keep and for how long? And if we do need to keep it and if for a period then how do we protect it?
That starts with classifying and putting into places where the storage controls are understood and not just in people’s personal drives or fragmented data stores. We stop it being able to be sent out, for example, to be removed by people who don’t have access rights.
But we have a lot of procedures on the way which people access our systems, in particular focus on privileged account users and what they can and can’t do and how they gain and revoke those privileges. Ensuring that we give people the right controls and access to systems, how credentials are checked and how we manage third party contracts. There is a lot of focus at the moment on the supply chain and the fact that we need external users to have access to our systems and in some cases, as the developers and really making sure we put good security controls around the way those people operate.
FP: What do you think is the best approach to incident response planning for cybersecurity?
Ian: It’s really crucial for us to simulate our incident response regularly including the base minimum of full failovers of our DR system, as we run from alternate sites and move our cloud regions for example, from Sydney to Melbourne or immutability of our backups.
FP: What measures are in place to ensure that infrastructure cybersecurity policies and procedures are communicated effectively to all stakeholders who have access to those systems?
Ian: There are two main ways we promulgate policies and procedures. Firstly, we follow a standardised procedure document template and write them using a business management system process that we use for all of our policies and procedures, not just cybersecurity, and make it part of our business management system. In other words, it’s known as the central repository, the library for all staff. It’s accessible on the internet, it’s searchable and when we change a document, which we do to update them regularly, we notify people of the changes in the document and kind of where you can find it.
The second way, arguably more important aspect of it, is online induction and mandatory training courses for all employees. We set them up within the context of our procedures, and take people through how that affects their particular job and allow them to understand the procedure. Through examples, to make it more accessible to understand how it might affect their day-to-day work, the things to look out for and the methods they need to use to resolve cyber risk. That training is really important. Phishing simulations really helped us improve the observability by our staff when it comes to phishing attacks, now that they’re more regularly occurring now. There’s been a step change in the capability of our workforce through training and simulation work.
FP: How do we build resilience to heightening cyber risks and protecting databases with infrastructure organizations?
Ian: What we’re seeing with the SOCI Act is quite challenging for us with the shift to an asset centric risk management model. Typically, we’ve had a very strong view about a threat and risk assessment against our critical assets, our crown jewels, but what the SOCI Act is asking us to do is go from every element of our infrastructure, from top to bottom, and consider all hazards approach to each of those assets. Rather than focus on those which we’ve assessed as the most critical assets from a risk point of view and then properly risk assessing those and applying programs to address those on a prioritised basis, the Federal Legislation is now asking to do a more holistic view of the assets and the end-to-end vulnerabilities that could occur anywhere in the data flow or the management system that oversees those critical assets.
If you think of a dam including all of its components and the SCADA system that controls some of those components, or has visibility of them, we’re going top to bottom and thinking about every single asset inside that dam and the failure modes that could occur. That’s been the shift and the resilience that you’re talking about is really about being able to step up that level of understanding of risk, to continually improve and to continually invest.
FP: How do you see it going in the next year for the industry?
Ian: I think there will be more attacks. It’s a global phenomenon that’s not going away. It’s a bit more of the journey that companies have been on with organizational safety, where improved management systems still require a level of chronic unease about our risk mindsets. As much as we try hard to close those gaps, the criminals now have far more access to tools into libraries and to the ability to (with very limited knowledge and expertise) build sophisticated attacks that can defeat existing controls.
I think being in a state of chronic unease, as it is with safety, is where we need to be to continually improve and understand and learn about what others are experiencing. I really applaud the Australian Government for trying to make the risks more transparent by sharing the knowledge because we only learn by doing and we only learn by failing and through our own and others’ failures. We can then hopefully stop attacks that do occur from happening again. That’s been a strong focus for the cyber industry and typically, no one likes to share the war stories because they show your own vulnerabilities and that’s not human nature. But the reality is when you can get over that psychological barrier, it improves everyone’s outcome.
Cybersecurity for Infrastructure Summit
Ian will be speaking at the Cybersecurity for Infrastructure Summit, taking place on 7 June 2023 in Sydney. It will bring together senior executives responsible for cybersecurity and data protection, technology, governance, legal and compliance leaders, to discuss big themes.