Australia rolls out risk assessment advisory for food and grocery sector, as threat landscapes continue to evolve

Australia rolls out risk assessment advisory for food and grocery sector, as threat landscapes continue to evolve

Close to the heels of its risk assessment advisory for critical infrastructure across the energy sector, Australia’s Cyber and Infrastructure Security Centre (CISC) released similar guidance for the food and grocery sector. It assesses that the international and domestic threat landscapes continue to evolve; natural hazards are becoming more prevalent with longer-lasting impacts, and critical infrastructure networks continue to be targeted globally by both state and criminal cyber actors. 

“As a result, stakeholders within Australia’s Food and Grocery Sector must adapt their risk management strategies to ensure risks to the operation of assets critical to the nation’s economic and social well-being are being appropriately captured,” the CISC said in its latest document. Through the provision of suggested risk assessment approaches, the material aims to assist sector stakeholders to adapt existing risk practices and help organizations understand risks within the broader national critical infrastructure context.

The document highlights that features of risks in the food and grocery sector include critical to Australian prosperity in keeping Australians fed, and as a contributor to the economy through imports and exports; susceptibility to environmental forces that can destroy crops before harvesting, in storage, or transport; and certain aspects are highly regulated with strict safety standards to protect food from contamination and to maintain its quality in transit/storage. 

It also included dependence on large labor resources as both grocers and farmers are employers of primarily young, high-turnover, seasonal workforces, and increasing use of new technology for providing transparency in the supply chain, and artificial intelligence for growing, harvesting, processing, and distribution of food; and in the supply chain from harvesting to shelves. The assessment also included food security an ongoing concern as Australia’s population grows and is subject to geopolitical headwinds impacting supply chains.

The CISC assessed that risk in the context of critical infrastructure is related to Australia’s national and societal resilience, which may differ from the way entities have viewed risk in the past. Risks that have the greatest impact on the social or economic stability of Australia or its people, the defense of Australia, or national security, also need to be considered and framed within critical infrastructure entities’ existing risk management strategies.

For critical infrastructure organizations, an all-hazards approach to determining risk is recommended. All-hazards is an integrated approach to risk management, preparedness, and planning that focuses on businesses enhancing their capacities and capabilities across a full spectrum of threats and hazards to Australia’s critical infrastructure. All-hazards risk assessment considers both threats (human-induced) and natural and environmental hazards that could impact a critical infrastructure entity and its operations. 

Australia’s critical infrastructure risk environment continues to evolve and an all-hazards approach is best placed to consider the potential converging of the wide-ranging threats and natural hazards it confronts, which could result in multiple, and cascading effects on national resilience.

“Sector-wide convergence risks eventuate due to interdependencies within and across critical infrastructure sectors, as well as through other links, such as supply chain relationships,” the CISC said. “Furthermore, convergence risks could exist within organisation due in part to internal silos or lack of integration of risk management capabilities. Adopting an all-hazards risk management approach is a strategy to combat convergence risks and ensure responses are comprehensive and integrated. This requires collaboration between all stakeholders, including internal business units, sector and supply chain stakeholders, law enforcement, and emergency services.” 

The agency added that organizations should leverage information from government stakeholders to appropriately consider appropriate threats and hazards. Adopting multidisciplinary approaches, collaboration and integration is a good approach for inclusion in a critical infrastructure entity’s risk assessment. 

For food and grocery sector critical infrastructure providers, determining which sites and components of an asset should be considered critical involves identification and analysis of how an asset and its operations may be exposed to, or harmed by, threats and/or hazards, CISC said. 

“This process is vital for all hazards risk management, providing input into the identification of plausible risk scenarios that may impact operations,” according to the document. “The critical sites and components of an asset are ultimately those most vital to its effective functioning and therefore integral to Australia’s national security interests. Establishing criticality is designed to provide guidance on the allocation of resources to best protect the operational capability of the asset,” it added. 

The Australian Government’s national intelligence community collects and analyses information to constantly monitor, assess and provide advice on threats to Australia. The CISC said much of this information is classified and not made available to the general public; however, as part of their mandate, the following portals provide open-source information, assessments, and advice designed to support critical infrastructure sectors. Organizations can contribute to the process of monitoring and assessing threats through internal risk assessments. 

It added that by identifying emerging risks, organizations are able not only to directly improve their security stance but share this information with external security bodies. 

“The Food and Grocery Sector is an upstream dependency of a number of other critical infrastructure sectors; as much as other sectors rely on its downstream services,” CISC said. Dependent on the asset, system, and/or network could have significant economic and/or societal implications, depending on the asset, system, or network affected. Impacts could be significant in their severity, depending on the geographic breadth of the outage, and the detriment of the impact on the broader water network, it added.  

The document also included that an all-hazards risk assessment considers both human-induced and natural threats and hazards. Given its role in critical infrastructure, the food and grocery Sector is an attractive target for threat actors seeking societal disruption; and natural hazards can severely damage the infrastructure and the food itself. Additionally, threats will increase and the food and grocery sector, driven by improvements in technology and the need to meet commercial outcomes, will become more interconnected. This means that stakeholders in the food and grocery sector need to evaluate risks regularly.

“Due to interdependencies among different critical infrastructure sectors and assets, it is necessary to manage many risks collectively. Many risks may be poorly addressed because their causes or effects are still misunderstood, they are novel, or there is a lack of guidance on how to address them,” the CISC said. “Accountabilities for addressing some risks may also be unclear. Some risks may be too rare to justify allocation of resources to mitigate them. Finally, the consequences may be too large for any entity to address by itself.” 

The document added that for a given food and grocery sector asset, the disablement of its resources will cause issues downstream issues in other sectors that are potentially vast and more detrimental to other industries than the direct damages to the asset. Ongoing analysis of risks can lead to a better understanding of mitigation strategies, including their application at the source.

Last November, the U.S. administration released a National Security Memorandum that works on strengthening the security and resilience of the nation’s food and agriculture sector, in response to the possibility of high-consequence and catastrophic incidents. The federal government is set to identify and assess threats, vulnerabilities, and impacts from these high-consequence and catastrophic incidents.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related