18 Apr Critical Infrastructure – Risk Management Programs
The Australian Government through the Cyber and Infrastructure Security Centre is dedicated to enhancing the security and resilience of Australia’s critical infrastructure and systems of national significance.
In December 2021, the Australian Government passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI), building on safeguards established within the Security of Critical Infrastructure Act 2018 (Cth) (SOCI), in response to increasing threats facing Australia’s critical infrastructure and economy.
In March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP) was passed, which finalises the package of legislative amendments to the SOCI Act, first introduced into Parliament in December 2020.
The SOCI Act was amended to strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes that SOCI applies to, and to introduce new obligations. It now places obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry.
The SOCI Act, developed in conjunction with industry, includes definitions that outline each of the 11 critical infrastructure sectors and articulates what would constitute a critical infrastructure asset within each of these sectors.
The new requirements apply to owners and operators of critical infrastructure assets and to those businesses who have a direct interest in critical infrastructure assets.
The later amendments to SOCI under SLACIP introduced the following requirements:
- a new obligation for responsible entities to create and maintain a critical infrastructure risk management program,[1] and
- a new framework for enhanced cyber security obligations required for operators of systems of national significance (SoNS), Australia’s most important critical infrastructure assets[2].
These reforms seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets, and to improve information exchange between industry and government to build a more comprehensive understanding of threats.
Risk Management Program – Requirements
The SOCI Act as amended in December 2021 contained two “positive security obligations” imposed on owners and operators of critical infrastructure assets, namely (i) a requirement to report ownership and operational information relating to critical infrastructure assets to “the Secretary” for inclusion in a Register under Part 2, and (ii) the requirement to notify the “relevant Commonwealth body” about cyber security incidents under Part 2B.
The purpose of the risk management program is to enable entities to identify hazards that present a material risk to the availability of their critical infrastructure assets, and to proactively minimise or eliminate the risk of such hazards occurring:
- The responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program (unless an exemption applies).
- The purpose of a critical infrastructure risk management program is to do the following for each of those assets:
(a) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
(b) so far as it is reasonably practicable to do so—minimise or eliminate any material risk of such a hazard occurring;
(c) so far as it is reasonably practicable to do so—mitigate the relevant impact of such a hazard on the asset.
- A responsible entity must give an annual report relating to its critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.
At the time of publication of this article the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (RMP Rules) are only in a draft form.
The exposure draft of the RMP Rules provides that the risk management program obligations will initially apply to the following ten critical infrastructure assets:
- critical broadcasting assets
- critical domain name systems
- critical data storage or processing assets
- critical hospitals
- critical energy market operator assets
- critical water and sewerage assets
- critical electricity assets
- critical gas assets
- critical liquid fuel assets
- critical financial market infrastructure assets that are a critical payment system
Timing for compliance
The draft RMP Rules contemplate a six-month grace period following the later of (i) the commencement of the Rules and (ii) the date that the asset becomes a critical infrastructure asset, and in some cases, this grace period extends to 18 months[3].
Risk Assessments – International standards and best practice
International standards and best practices on cybersecurity and critical infrastructure increasingly rely on risk assessment as the core engine to drive the organisational and technical measures that an organisation decides to put into place.
Consequently, the choice of one measure over another, as well as the details of the relevant policy documents, will follow from the assessed risks. Because the risks, in turn, stem from the currently applied measures, the circularity of the management process of cybersecurity and critical infrastructure becomes apparent.
Importantly, the regulatory compliance requirements in relation to critical infrastructure reforms are inseparable from sector-specific laws and obligations upon directors and officers under the Corporations Act 2001 (Cth), and tie directly to organisational strategy and risk management beyond the limitations of critical infrastructure. At the same time, privacy and data protection need to be taken into account, thereby giving scale to the scope of undertaking a risk management assessment for the purposes of SOCI.
Ultimately, risk management is made operational through worldwide-relevant standards such as the NIST Cyber Security Framework and Standards, ISO 27000 and 31000, and others. In Australia, we must in addition localise to the Australian Cyber Security Centre (ACSC) Essential 8 and apply industry sector standards. The result is complex and needs specialist multi-disciplinary expertise.
Here to help
ICTLC has a unique ability to provide the ‘best of breed’ in law, cyber security and data protection through ICT Legal Consulting and ICT Cyber Consulting. We are here to help you navigate your way through the complexities.
[1] Part 2A – Critical Infrastructure Risk Management Programs. The Minister for Home Affairs will consult with industry before the rules are made setting out the requirements for a risk management program. Existing Rules include: Security of Critical Infrastructure (Australian National University) Rules (LIN 22/041) 2022, Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021, and Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022.
[2] The Minister for Home Affairs will consult with impacted entities before any declarations are made.
[3] The obligations are expected to extend to critical food and grocery, critical freight services and critical freight infrastructure assets in early 2013.