Resilient infrastructure: risk-management program rules under SOCI Act now in force
With the cyber threat landscape for Australian entities expanding and evolving rapidly, last year the Australian Government amended the legislation concerning the availability, integrity, reliability and confidentiality of assets that form part of Australia’s critical infrastructure. In this article, we outline the risk-management program rules that are now in force, as of 17 February 2023, and comment on what’s to come.
Under the Security of Critical Infrastructure Act 2018 (Cth) (the Act or SOCI), one of the key positive obligations on responsible entities of critical infrastructure assets is to establish, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP).
This key positive obligation was formulated with the introduction of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (Rules). Following a period of mandatory consultation, the Rules have come into force with effect from 17 February 2023. Responsible entities will be required to adopt a CIRMP within six months, which is 17 August 2023.
How do I know if I need a CIRMP?
You are required to implement a CIRMP if you are a responsible entity of any of the following types of critical infrastructure assets:
- critical electricity assets;
- critical gas assets;
- critical water assets;
- critical data processing or storage assets;
- critical broadcasting assets;
- critical financial market infrastructure assets (specifically payment systems);
- critical domain name systems;
- critical liquid fuels assets;
- critical hospital assets;
- critical energy market operator assets;
- critical freight infrastructure;
- critical freight services assets; and
- critical food and grocery assets.
In our recent article, we provided an overview of the SOCI regime, who it applies to, and the various changes to the Act.
If you are unsure whether your organisation is captured by the SOCI regime, we recommend seeking legal advice as soon as possible.
What do I need in my CIRMP?
What is specifically required in a CIRMP is outlined in the Act and Rules. The Cyber and Infrastructure Security Centre (CISC) has prepared a fact sheet that sets out the requirements. In summary, a CIRMP is expected to:
- any hazards that may affect the availability, integrity, reliability and confidentiality of their critical infrastructure asset(s);
- detecting and responding to threats proactively to prevent risk from eventuating;
- by having robust procedures in place to mitigate impact and recover as quickly as possible; and
- entities are required to provide an annual report, signed by their board, council or other governing body, to the relevant regulator. While it does not need to contain the CIRMP, the report must advise the relevant regulator (likely the Secretary of the Department of Home Affairs) whether the program is up to date.
This month, the CISC published a helpful guide with general guidance, the requirements of a CIRMP, the rules in place, reporting obligations and CIRMP maintenance.
While responsibilities must adopt a CIRMP by 17 August 2023, the requirement to adopt processes or systems relating to cyber and information security hazards must be in place within 18 months of the Rules being activated, which is 17 August 2024.
Responsible entities are required to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset within its CIRMP.
Section 3 of the Rules defines the key hazard vectors:
- such as phishing, malware, credential harvesting and denial-of-service attacks;
- which include cyber security training for staff, controlling who has access to your critical asset, background checking of critical workers and heightening monitoring of personnel with access to those systems;
- including onsite security, infrastructure resilience, installing CCTV or motion detection sensors and implementing other physical access controls;
- arising from major suppliers who have a significant influence over the security of the entity’s critical asset;
- it may also include unauthorised access and misuse of privileged access by any provider in the supply chain.
Section 6 of the Rules defines material risk. Material risk may include:
- a stoppage or major slowdown of the asset’s function;
- a substantive loss of access to a critical component of the asset;
- an interference to the asset that is essential to its functioning;
- storage, transmission or processing of sensitive operational information outside Australia; or
- remote access to operational control.
Section 8G of the Act defines relevant impact, which is when a hazard impacts (directly or indirectly) an asset’s:
- reliability; or
In doing this, the responsible entity’s CIRMP must go as far as it is ‘reasonably practicable’ to:
- minimise or eliminate the material risks; and
- mitigate the relevant impact of each hazard.
As with any regulatory or statutory changes, entities ought to make themselves aware of any changes in their obligations (including reporting obligations). While there are grace periods built into the Rules, responsible entities ought to be proactive in identifying whether they require a CIRMP and ensuring that their CIRMP is established before the end of the grace periods.
More changes on the horizon?
In another example of the dynamic pace with which cyber moves, on 27 February 2023 it was announced that the government is considering providing additional powers to the Australian Signals Directorate (ASD) to commandeer the IT systems for companies who suffer cyber attacks.
Currently, the ASD has these types of powers under SOCI in relation to certain critical infrastructure assets of national significance. What is now being considered is adding ‘customer data and systems’ to the definition of critical assets so that the government could take IT systems for a broad range of companies in response to major data breaches like Medibank or Optus. Such a change would materially increase the number of organisations potentially caught by SOCI and expand the ASD’s power in relation to the types of incidents when they could step in.
The cyber team at Hall & Wilcox will be following these developments and provide updates as additional changes to SOCI are made.
Hall & Wilcox can help you understand if and how your business is affected by the changes to the SOCI Act and assist if you experience a cyber security incident. For more information and guidance, please contact our team members listed below.
During Privacy Awareness Week, join us for 'If you can’t protect it, don’t collect it'.
1.00pm - 2.00pm
You might be also interested in...
Cyber | 17 Feb 2023
Proposed changes as part of the long-awaited Privacy Act review will have a significant impact on Australian businesses. We examine the Privacy Act review report.
Cyber | 21 Dec 2022
In this article, we provide the latest update on Privacy Act reforms, a wrap-up of the key cyber trends in 2022 and more.