The Australian government has recently introduced new legislation that outlines the responsibilities around cybersecurity for critical infrastructure operators. The Security Legislation Amendment (Critical Infrastructure) Act 2021 and the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 focus on redefining cybersecurity requirements for critical infrastructure operators across industries, including retail.

The outcome of a cyberattack on critical infrastructure could be catastrophic. Retailers could be affected if point of sale (POS) or enterprise resource planning (ERP) systems went down, preventing them from being able to operate. Even a simple internet outage could mean that people would be unable to purchase groceries and other necessities of life. This could quickly lead to significant issues within the community, making retailers a potential target for malicious actors. Therefore, it must be a top priority for retailers to develop a cybersecurity plan and demonstrate its effectiveness according to the legislation.

However, securing critical infrastructure is a more complex issue than simply securing local IT networks, largely due to the nature of the unique operational technology (OT) that underpins these assets. Therefore, critical infrastructure operators must create a cybersecurity program that specifically addresses key risks.

To create this plan, business leaders must embrace the following six steps.

1. Begin with a risk assessment
To create a cohesive cybersecurity plan, all potential threats must be identified. A risk assessment provides visibility across the operational technology (OT) architecture and should define terms of reference, a scoring system, and industry data, as well as any additional information that could be generated from organisational equipment.

2. Discuss strategy and governance
After the initial risk assessment has been completed, impending projects, funding and timelines should be mapped out for board sign-off. These programs should clearly outline goals in business terms so that board members can assign the correct level of governance to each task. This will ensure that projects are delivered to deadline and within budget, keeping executive members informed and leaving options open regarding allocating further resources.

3. Capture documentation and standards
At a base level, security documentation must confirm all the controls that need to be deployed to meet security objectives in line with business requirements. This documentation phase is often comprehensive and can include a number of supporting models to protect classified data. These models will typically require input from external and internal resources as organisations look to mitigate and manage risks.

4. Conduct security testing
Once the three steps above have been completed, the build of the security architecture in its physical form can begin. This process will typically include four key phases: proof of concept; factory acceptance testing; site acceptance testing; and security testing. This penetration testing may continue as developers seek out potential vulnerabilities.

5. Monitor to prepare for threat intelligence and incident response
With the architecture in place, security teams must be vigilant in monitoring platforms and collecting valuable data. This data can provide businesses with insight into the risks they face, the vulnerabilities that are present in their architecture, and how security controls may need to be adjusted to improve protection.

6. Continued training
The best cybersecurity plan in the world won’t be nearly effective enough without a culture of digital wariness within an organisation. Digital training for general staff should be conducted regularly, and IT and OT staff should be exposed to richer, more in-depth courses for personal development.

Although the threat of cyberattacks continues to evolve, so too do the measures available for robust cybersecurity programs. Acting now and establishing a strong posture of resilience is key for retailers that are looking to reach a level of cybersecurity maturity. By embracing the steps above, retailers can establish a program that protects critical infrastructure assets and complies with impending legislation.

Jon McGettigan is regional director Australia, New Zealand, and the Pacific Islands at Fortinet.