Resilient infrastructure: risk-management program rules under SOCI Act now in force

By Eden Winokur, Alison Baker and Sam Tempone

With the cyber threat landscape for Australian entities expanding and evolving rapidly, last year the Australian Government amended the legislation concerning the availability, integrity, reliability and confidentiality of assets that form part of Australia’s critical infrastructure. In this article, we outline the risk-management program rules that are now in force, as of 17 February 2023, and comment on what’s to come.

Under the Security of Critical Infrastructure Act 2018 (Cth) (the Act or SOCI), one of the key positive obligations on responsible entities of critical infrastructure assets is to establish, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP).

This key positive obligation was formulated with the introduction of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (Rules). Following a period of mandatory consultation, the Rules have come into force with effect from 17 February 2023. Responsible entities will be required to adopt a CIRMP within six months, which is 17 August 2023.

How do I know if I need a CIRMP?

You are required to implement a CIRMP if you are a responsible entity of any of the following types of critical infrastructure assets:

  1. critical electricity assets;
  2. critical gas assets;
  3. critical water assets;
  4. critical data processing or storage assets;
  5. critical broadcasting assets;
  6. critical financial market infrastructure assets (specifically payment systems);
  7. critical domain name systems;
  8. critical liquid fuels assets;
  9. critical hospital assets;
  10. critical energy market operator assets;
  11. critical freight infrastructure;
  12. critical freight services assets; and
  13. critical food and grocery assets.

In our recent article, we provided an overview of the SOCI regime, who it applies to, and the various changes to the Act.

If you are unsure whether your organisation is captured by the SOCI regime, we recommend seeking legal advice as soon as possible.

What do I need in my CIRMP?

What is specifically required in a CIRMP is outlined in the Act and Rules. The Cyber and Infrastructure Security Centre (CISC) has prepared a fact sheet that sets out the requirements. In summary, a CIRMP is expected to:

  • identify any hazards that may affect the availability, integrity, reliability and confidentiality of their critical infrastructure asset(s);
  • detect and respond to threats proactively to prevent risks from eventuating;
  • limit the consequences of a hazard by having robust procedures in place to mitigate impact and recover as quickly as possible; and
  • report annually: entities are required to provide an annual report, signed by their board, council or other governing body, to the relevant regulator. While it does not need to contain the CIRMP, the report must advise the relevant regulator (likely the Secretary of the Department of Home Affairs) whether the program is up to date.

This month, the CISC published a helpful guide covering general guidance on the regime, the requirements of a CIRMP, the Rules in place, reporting obligations and CIRMP maintenance.

Identifying hazards

While responsible entities must adopt a CIRMP by 17 August 2023, the processes or systems relating to cyber and information security hazards must be in place within 18 months of the Rules commencing, which is 17 August 2024.

Within its CIRMP, a responsible entity is required to identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset.

Hazard

Section 3 of the Rules defines the key hazard vectors:

  • cyber and information security hazards, such as phishing, malware, credential harvesting and denial-of-service attacks;
  • personnel hazards, mitigated through measures that include cyber security training for staff, controlling who has access to your critical asset, background checking of critical workers and heightened monitoring of personnel with access to those systems;
  • physical security and natural hazards, addressed through onsite security, infrastructure resilience, installing CCTV or motion detection sensors and implementing other physical access controls; and
  • supply chain hazards, arising from major suppliers who have a significant influence over the security of the entity’s critical asset, which may also include unauthorised access to, and misuse of privileged access by, any provider in the supply chain.

Material risk

Section 6 of the Rules defines material risk. Material risk may include:

  • a stoppage or major slowdown of the asset’s function;
  • a substantive loss of access to a critical component of the asset;
  • an interference to the asset that is essential to its functioning;
  • storage, transmission or processing of sensitive operational information outside Australia; or
  • remote access to operational control.

Relevant impact

Section 8G of the Act defines relevant impact, which is when a hazard impacts (directly or indirectly) an asset’s:

  • availability;
  • integrity;
  • reliability; or
  • confidentiality.

When addressing these hazards, the responsible entity’s CIRMP must go as far as is ‘reasonably practicable’ to:

  • minimise or eliminate the material risks; and
  • mitigate the relevant impact of each hazard.

As with any regulatory or statutory changes, entities ought to make themselves aware of any changes in their obligations (including reporting obligations). While there are grace periods built into the Rules, responsible entities ought to be proactive in identifying whether they require a CIRMP and ensuring that their CIRMP is established before the end of the grace periods.

More changes on the horizon?

In another example of the dynamic pace at which cyber moves, on 27 February 2023 it was announced that the government is considering giving the Australian Signals Directorate (ASD) additional powers to commandeer the IT systems of companies that suffer cyber attacks.

Currently, the ASD has these types of powers under SOCI in relation to certain critical infrastructure assets of national significance. What is now being considered is adding ‘customer data and systems’ to the definition of critical assets, so that the government could take over the IT systems of a broad range of companies in response to major data breaches like those suffered by Medibank or Optus. Such a change would materially increase the number of organisations potentially caught by SOCI and expand the ASD’s power in relation to the types of incidents in which it could step in.

The cyber team at Hall & Wilcox will be following these developments and will provide updates as additional changes to SOCI are made.

Hall & Wilcox can help you understand if and how your business is affected by the changes to the SOCI Act and assist if you experience a cyber security incident. For more information and guidance, please contact our team members listed below.

Contact

Eden Winokur

Partner & Head of Cyber

Eden is a leading cyber, privacy, disputes and insurance lawyer who heads the Hall & Wilcox cyber practice.

Alison Baker

Alison has more than 20 years’ experience in a wide-ranging employment and privacy practice.
