The risk management program rules under the SOCI Act have now come into force

TL;DR

The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) have now been made and came into force with effect from 17 February 2023. Responsible entities for certain critical infrastructure assets must now take steps to adopt (and subsequently maintain) a critical infrastructure risk management program (CIRMP) within 6 months (by 18 August 2023). They must also comply with ISO 27001, NIST or an equivalent standard within 18 months (by 18 August 2024). The first annual reports that must be approved by Boards are due within 90 days after the end of the Australian financial year (by 28 September 2024).

Recap of SOCI Act obligations

The CIRMP is the final part of the regime that the Commonwealth has implemented to better protect the security of critical infrastructure in Australia under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). See our previous alerts on the SOCI Act, here and here. Under the SOCI Act, responsible entities for critical infrastructure assets must:

  • provide ownership and operational information relating to the critical infrastructure assets for inclusion in the Register of Critical Infrastructure Assets,
  • notify critical and other cyber security incidents to the Australian Cyber Security Centre’s online cyber incident reporting portal within 12 to 72 hours, depending on criticality,
  • comply with Government assistance measures in relation to cyber security incidents, which can include provision of information, compliance with directions, and in some circumstances, allowing Government to undertake certain actions,
  • if the assets are Systems of National Significance, comply with Enhanced Cyber Security Obligations, which can include undertaking statutory incident response planning, undertaking cyber security exercises or vulnerability assessments, and providing the Australian Signals Directorate with system information, and
  • now, adopt and maintain a CIRMP.

Who must have a CIRMP?

Not every critical infrastructure asset is required to have a CIRMP. The obligation to have one only applies to:

  • a critical broadcasting asset,
  • a critical domain name system,
  • a critical data storage or processing asset,
  • a critical electricity asset,
  • a critical energy market operator asset,
  • a critical gas asset,
  • a designated hospital,
  • a critical food and grocery asset,
  • a critical freight infrastructure asset,
  • a critical freight services asset,
  • a critical liquid fuel asset,
  • a critical payment system, and
  • a critical water asset.

To work out whether or not you fall within any of these asset classes, you will need to review the definitions in the SOCI Act as well as the Security of Critical Infrastructure (Definitions) Rules. The CIRMP Rules also only apply to a subset of critical hospitals (those being ‘designated hospitals’) as set out in Schedule 1 to the CIRMP Rules.

What is a CIRMP?

A CIRMP is a written risk management program that:

  • identifies each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on a critical infrastructure asset (being an impact on the availability, integrity, reliability or confidentiality of the critical infrastructure asset),
  • so far as it is reasonably practicable to do so, minimises or eliminates any material risk of such a hazard occurring, and
  • so far as it is reasonably practicable to do so, mitigates the relevant impact of such a hazard on the critical infrastructure.

What is a material risk?

Under the CIRMP Rules, a material risk relating to a critical infrastructure asset includes:

  • a stoppage or major slowdown of the asset’s function for an unmanageable period,
  • a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the asset,
  • an interference with the asset’s operational technology or information communication technology essential to the functioning of the asset (e.g. a SCADA system),
  • the storage, transmission or processing of sensitive operational information (including layout diagrams, schematics, geospatial information, configuration information and operational constraints or tolerances information) outside Australia, and
  • remote access to operational control or operational monitoring systems of the asset.

This definition is not exhaustive. The responsible entity will need to ensure that the CIRMP deals with these material risks and will also need to consider any other hazards that pose a material risk to the critical infrastructure asset.

The CIRMP Rules do not prohibit the transfer overseas of sensitive operational information, nor do they prohibit overseas access to operational control or monitoring systems. However, the effect of this definition is to require the CIRMP to identify all circumstances in which overseas storage, processing or access could occur, and to set out steps that are reasonably practicable to minimise or eliminate the risk of any such overseas storage or processing or access from having a relevant impact on the critical infrastructure asset.

There are specific requirements that a CIRMP must address

The CIRMP Rules set out specific requirements that a CIRMP for a critical infrastructure entity must comply with. These are broken out by subject matter and encompass key hazard vectors:

  1. General - all hazards (Rule 7). This sets out general processes or systems that must be established and maintained in the CIRMP, including identification of operational context, identification and mitigation of material risks and review and update of the CIRMP.
  2. Cyber and information security hazards (Rule 8). These cover hazards involving improper access to or misuse of information or computer systems, or the use of a computer system to obtain unauthorised control of or access to the critical infrastructure asset in a way that might impair its functioning. This includes cyber risks to the digital systems, computers, datasets and networks that underpin the critical infrastructure asset.
  3. Personnel hazards (Rule 9). This covers the ‘trusted insider’ risk posed by critical workers who have the access and ability to disrupt the functioning of the asset or to cause significant damage to the asset.
  4. Supply chain hazards (Rule 10). This covers the risk of disruption to critical supply chains leading to a relevant impact on the critical infrastructure asset. The threat could be naturally occurring, malicious or purposefully intended to compromise the critical infrastructure asset. It also includes over-reliance on particular suppliers.
  5. Physical security hazards and natural hazards (Rule 11). This covers physical security risks to parts of the asset critical to the functioning of the asset, including physical access to sensitive facilities (e.g., control rooms) or natural disasters.

Some specific call-outs

The CIRMP does not require absolute elimination of risks

Under section 30AH of the SOCI Act, the CIRMP requires that risks be minimised, eliminated or mitigated to the extent practicable. Guidance from the Critical Infrastructure Security Centre is that in considering the material risks to their business, there is no expectation that entities pursue risk mitigation measures that are disproportionate relative to the likelihood and consequences of a particular risk. Entities will have flexibility to determine how to address material risk and relevant impact in relation to their business size, maturity, income and overall asset criticality.

Governance is important

The CIRMP must specifically identify each position in a responsible entity that is responsible for developing and implementing the CIRMP and for reviewing it or keeping it up to date. It must also contain the contact details of that position.

A responsible entity for a critical infrastructure asset must, within 90 days after the end of a financial year, provide the relevant Commonwealth regulator with a report that among other things:

  • states whether the CIRMP was up to date at the end of the financial year,
  • identifies any hazards that occurred during the financial year and the effectiveness of action taken by the entity to mitigate the relevant impact of those hazards, and
  • is approved by the Board or other governing body of the entity.

While the SOCI Act does not specifically require a Board to approve the CIRMP itself, Board approval of the CIRMP should be obtained as part of an entity’s normal governance arrangements. It would be difficult for the Board to approve a statement that the CIRMP is up to date without reviewing it. We note that the Critical Infrastructure Security Centre’s guidance on this is that:

better practice is for an entity’s board … to approve the CIRMP once developed. In doing so, it should appropriately balance the costs of risk mitigation measures with the impact of those measures in reducing material risk within their own operational context.

Adoption of the CIRMP is important, given that non-compliance with the CIRMP could lead to civil penalties.

The first report will not be required until 90 days after 30 June 2024, although the department is encouraging organisations to trial reporting and board engagement following 30 June 2023.

Responsible entities must comply with ISO 27001, NIST or other equivalent standard within 18 months

The CIRMP Rules require that the CIRMP establish a process or system to comply with a recognised cyber security standard or framework within 12 months after the obligation to have a CIRMP comes into force (i.e. 18 months after 17 February 2023), or to comply within that period with a framework equivalent to one of those listed. The specified standards or frameworks are:

  • Australian Standard AS ISO/IEC 27001:2015,
  • Essential Eight Maturity Model published by the Australian Signals Directorate (maturity level one),
  • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America,
  • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America (Maturity Indicator Level 1), or
  • 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited (Security Profile 1).

Updates and changes to these standards or frameworks from time to time are incorporated into the CIRMP Rules automatically. CIRMPs that benchmark against these standards or frameworks will need to be reviewed to ensure they continue to align.

Critical personnel must be identified and assessed

The CIRMP must, as part of the process of identifying and mitigating personnel hazards, establish a process or system to:

  • identify the entity’s critical workers, and
  • permit a critical worker access to critical components of the critical infrastructure asset only where the critical worker has been assessed to be suitable to have such access.

The CIRMP Rules (and the AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023) authorise, but do not mandate, the use of the AusCheck scheme to assess the suitability of a critical worker. If an alternative means of assessing suitability is used, this must be set out in the CIRMP. The checks or assessment should be completed in time to comply with the access suitability requirement.

If you use the AusCheck scheme to assess the suitability of a critical worker and the critical infrastructure asset has been declared by the Minister for Home Affairs for this purpose, you need to be aware of two important notification obligations:

  • if you are informed that the relevant individual has an unfavourable criminal history or adverse or qualified security assessment, but still decide to give the person access to the critical infrastructure asset, you must notify the Secretary of the Department of Home Affairs within 7 days, and
  • if you decide to revoke an individual’s access to the critical infrastructure asset, you must notify the Secretary of the decision within 48 hours.

What you should be doing

If you are a responsible entity for a critical infrastructure asset that is subject to the CIRMP Rules, you should now be taking steps to establish your CIRMP before 18 August 2023. This includes:

  • reviewing any existing risk management plans that you may already have and modifying them so that they are your CIRMP that complies with the CIRMP Rules. In this regard, financial institutions that will also be subject to CPS 230 (expected to come into force from 1 Jan 2024) will need to consider how the CIRMP is likely to interact with CPS 230,
  • if you do not have a comprehensive all hazards risk management plan, creating a CIRMP that complies with the CIRMP Rules,
  • if you do not comply with ISO 27001, NIST or an equivalent standard, taking steps to ensure that you are able to do so to the specified levels within 18 months or have undertaken a rigorous assessment of the equivalence of your current framework with one of the specified standards,
  • considering third party arrangements, particularly with major suppliers, to determine whether changes are required to enable you to mitigate material risks or the relevant impact of those risks to the extent they may be caused by services provided by those suppliers, and
  • educating your board or other governing body about your CIRMP and the fact that it will need to approve an annual report on it, with the first such report required by 28 September 2024.

Stay tuned for more information!

We will be discussing the CIRMP in more detail in an online seminar with Samuel Grunhard of the CISC on 16 March 2023. Please click here to register for the online seminar. Samuel is the First Assistant Secretary/Deputy Group Manager of the Security Regulation Division of the CISC.

The CISC is also running its inaugural all-day CIS conference on 24 March. Click here for more details.
