Session 2.7d Update: The Role of Cyber Security Assessment & Authorisation (A&A) in Safe IT/OT Integration of the SEA1300 Naval Strike Missile into the Hobart class DDGs

Tracks
Wednesday, November 13, 2024
2:30 PM - 3:30 PM
Nicholls Theatre

Details

The integration of new capabilities into the Hobart class DDGs to upgrade the Harpoon capability presents a critical opportunity and challenge for Defence, Navy, and the Maritime Explosive Ordnance System Program Office (MEOSPO). This presentation, approved by the Project Manager at MEOSPO, focuses on the pivotal role of Cyber Security Assessment & Authorisation (A&A) in ensuring the safe integration of the Naval Strike Missile (NSM) capability. The purpose is to protect Defence information systems and data assets from emerging threats and manage risks in the threat surface of our IT/OT systems. See the video of the successful firing test of the NSM (18-July-2024).
  • https://images.defence.gov.au/assets/Home/Search?Query=S20241195%20VNR%20Naval%20Strike%20Missile%20Successful%20Firing.mp4&Type=Filename
Defence increasingly relies on digital technologies to enhance its capabilities. However, this reliance also exposes Defence to potential exploitation by threat actors, who may target Information Technology (IT) and Operational Technology (OT) in Explosive Ordnance (EO) systems. The presentation will discuss how the Cyber Security A&A process is crucial in managing these risks, ensuring that new and existing systems operate at an acceptable level of risk.
The Defence Cyber Security A&A Framework (the Framework) is designed to implement appropriate cyber security controls, protecting Defence’s systems and data assets. This Framework aligns with the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM), providing a structured, six-step, risk-based approach to assessing and authorising systems. The new A&A process was approved in April 2024 and replaced the process formerly known as Certification & Accreditation (C&A). The Framework’s six-step process includes defining the system, selecting security controls, implementing them, assessing these controls, authorising the system, and continuous monitoring. There are two key elements of the Framework:
  • Assessment. A thorough documentation of the cyber security controls for a system, considering its environment and operating context. This assessment determines whether the controls are appropriate, properly designed, implemented, or functioning as intended. It is documented in a Security Documentation Pack, which enables the entire process and is provided to a Security Assessor for review. Producing these documents is constrained by the information available from the OEM and by the time it takes to tailor the documents to the needs of the Commonwealth of Australia (CoA).
  • Authorisation. The formal acceptance of residual risk associated with the system, based on the Assessment outcomes. The Authorising Delegate, depending on capability ownership, decides whether the system can operate, must operate with conditions, or is denied operation.
All new systems, such as the NSM, must undergo A&A before processing, storing, or communicating information, ensuring compliance with security standards for systems managing classifications from OFFICIAL to SECRET. At some point, all Information Systems may require re-assessment and re-authorisation due to policy changes, emerging threats, or ineffective security measures. The Framework plays a key role in managing risk and threat exposure, ensuring that Defence’s IT and OT EO systems, whether newly introduced or already embedded, operate at an acceptable level of risk.


Speaker

Mr Nico Riquelme-Ramirez
Information Security Consultant
QinetiQ Australia

Biography

• Meet Nico, a passionate learner and explorer in the realms of technology, engineering, science, and critical thinking. His journey has been marked by diverse experiences, from consulting in Defence deploying Radars across Australia to venturing into the intricate world of Information Warfare. Currently with QinetiQ Australia, Nico is helping clients improve their Information Security.
• Before embarking on a quest for a Master’s degree in Project Management at ANU, Nico contributed to the cause of Seeing Machines, developing cutting-edge driver and occupant monitoring systems to ensure safe journeys home.
• He gained global exposure with Procter & Gamble, where he applied his Industrial Engineering skills to the safe and reliable production of diapers, millions of them.