Skip to content

Critical infrastructure: managing your supply chain risk

Managing risks within your supply chain is applicable to all organizations, but carries extra weight when it comes to critical infrastructure. This can include regulatory obligations, such as the imminent risk management rules in Australia for covered sectors. Regulators in the US are also increasingly focused into supplier risk – as highlighted by the recent advice from the US Treasury to financial institutions concerning IT suppliers – so it makes sense to get ahead of future changes and adopt best practice now.

In this blog we will take a look at:

  • Supply chain risk management rules in Australian critical infrastructure
  • Compliance versus risk-based approach
  • What it means for critical infrastructure holders
  • What it means for those in the supply chain

What is the obligation?

The Australian Government has defined 22 asset classes, with 13 of those covered by proposed risk management rules – however many of the other classes will already be covered by similar obligations.

The rules require that a covered entity must have in place processes or systems to eliminate, minimize or mitigate the material risk of a range of supply chain impacts. These include:

  • Unauthorized access or interference of the asset’s supply chain
  • Misuse of privileged access to the asset by a provider in the supply chain
  • Disruption and sanctions of the asset due to an issue in the supply chain
  • Threats to people, assets, equipment, products, services, distribution and intellectual property within supply chains
  • High risk vendors
  • Failure or lowered capacity of other assets and entities in the entity’s supply chain

The Cyber and Infrastructure Security Centre (CISC) provide some additional guidance which elaborates on some of these requirements.

Compliance versus risk-based approach

While the rules are focused on security (understandably), the important outcome is the ongoing performance and availability of your critical asset. During consultation, CISC have been vocal that they are less interested in strict compliance than they are on good security outcomes. The use of the word ‘threat’ might imply some intentional external action, but don’t discount things just ‘going wrong’ in your supply chain when considering your risk scenarios.

In practice, risks are often interrelated, and causal chains can be complex. Incidents might play out across multiple items in the above list, as well as cross into other risk domains covered by the rules – or risks that the rules don’t contemplate at all.

There are a few different lenses through which you can view supply chain risks:

  • Direct physical disruption – If my critical asset requires physical goods or components to operate effectively, which vendors or third parties supply those goods? What happens if they can no longer provide those goods? Do I have alternate providers in place? If they are disrupted, how much time do I have before I am impacted? This also extends to specialist providers or technicians who maintain or replace the physical components of your critical services.
  • Direct digital disruption – Which vendors or third parties do I rely on to provide digital services in order to maintain operation of my critical asset? What are their security practices? What are their change management practices? Beyond cyber threats in the supply chain, you also don’t want to be disrupted due to misconfiguration or failed system updates.
  • Indirect digital – If your critical assets are supported by internally developed applications, how are you managing software supply chain risk? Find out more in our earlier blog.

If you aren’t already, it’s time to get intimate with your vendors and suppliers in your supply chain, and make sure they aren’t the weakest link that could result in a disruption to your critical asset.

What it means for critical infrastructure holders

Here are a few steps you can follow to help identify the key areas of focus in your supply chain:

  • Identify all the resources required to maintain operation of your critical asset (these could be physical, IT infrastructure, applications, data sources or people)
  • Perform risk assessments and identify scenarios which would disrupt those resources
  • For each resource, identify those which are provided or supported by vendors
  • Tier your vendors based on the outputs of your risk assessments and which resources would be affected
  • Identify specific due diligence requirements for each of those vendors, based on their services provided and the effect disruption would have on your critical asset
  • Identify controls that you need to implement to ensure performance of that vendor
  • Identify controls the vendor should have, and establish an assurance program

To support and enhance the above, you may need to review and update contracts that you have in place with your vendors to ensure they meet your minimum standards on an ongoing basis – standards that may have increased in light of these risk management rules.

What it means for the supply chain

With critical infrastructure operators being required to demonstrate their risk management practices – including reporting to government on their risk management program – it will drive some additional due diligence further into the supply chain. This might include:

  • Evidence of your own vendor risk management practices
  • Providing results of risk management activities related to the services being provided
  • Controls assurance or audit requirements that may be enforceable by contract
  • Evidencing your business continuity arrangements, or participating in exercises
  • Evidencing your cyber security posture, which might include a requirement to meet one the cyber security frameworks listed in the rules
  • Demonstrating your HR practices to manage personnel risks

Of course, you might be an operator of a critical asset while also providing services to another operator of a critical asset. As a rule of thumb, if you are thinking about asking your vendors for more information as part of your due diligence, you should make sure you have the same information to provide to the critical infrastructure operators you serve.

Conclusions

Understanding and managing supply chains is becoming more complex, with an increased focus on ensuring those within our supply chain can continue to provide consistent services in an uncertain world.

Next steps for your organization

Protecht recently launched the Protecht ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.

Find out more about operational resilience and how Protecht ERM can help:

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.