In recent weeks, owners and operators of critical infrastructure assets in Australia have faced more challenges.
The massive Optus outage was reportedly triggered by its routers receiving incorrect settings from overseas as part of a software upgrade[1]. The incident caused havoc across Australia when the network, Australia’s second largest telecommunications critical infrastructure asset, went down for at least 14 hours. The outage has reportedly been attributed to third-party providers not properly checking routing changes before they were applied.[2]
A cyberattack on the logistics company DP World, which manages almost 40% of the goods flowing in and out of Australia, has stranded 30,000 shipping containers and caused significant supply chain disruptions, with the economic, financial and reputational damage still to be fully quantified.
Both companies, Optus and DP World, are subject to the recently amended Security of Critical Infrastructure Act 2018 (SOCI Act), which requires owners and operators of critical infrastructure assets to develop and maintain a written critical infrastructure risk management program (CIRMP) endorsed by the board (or governing body).
The CIRMP enables the identification of risks and serves as a tool to inform investment in measures to protect critical infrastructure against likely threats. The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (Rules), which commenced on 18 August 2023, outline the baseline security standards that a critical infrastructure entity should meet.
The CIRMP must address risks across four key hazard vectors: cyber and information security hazards; personnel hazards; supply chain hazards; and physical security and natural hazards. Under the Rules, critical infrastructure entities must establish and maintain processes or systems that minimise, mitigate or eliminate the potential impacts arising from each of these hazards.
Optus, an owner and operator of critical telecommunications assets, is not currently required under the Rules to maintain a CIRMP. However, in the wake of the Optus outage the Home Affairs Minister Clare O’Neil declared that telecommunication companies will shortly be brought under the umbrella of the Rules.
It is a different scenario for DP World, a critical freight services asset operator, which is subject to both the SOCI Act and the Rules. The company has nonetheless reportedly indicated uncertainty about whether it is required to comply with the SOCI requirements.
So, how can you identify whether your entity is subject to the SOCI Act?
The obligations of the SOCI Act apply to 11 critical infrastructure sectors and 22 critical infrastructure asset classes, of which only 13 asset classes are currently subject to the CIRMP requirements. The nuanced definitions for each asset class are spread across the SOCI Act, the Rules and the Security of Critical Infrastructure (Definitions) Rules 2021. The explanatory material to these legislative instruments offers further guidance, and an entity should check the definition of each asset class it may hold against all three instruments rather than the SOCI Act alone.
These recent events have served as a reminder that critical infrastructure assets are fundamental to people’s lives and to the functioning of Australia’s society and commerce: electricity, water, health care, telecommunications, transport, food, finance and more. Critical infrastructure is vulnerable to an array of hazards, including threats from people with malicious intent and also from people who simply make mistakes. Building resilience and protecting the operation of SOCI assets is good for business.
[1] Australian Financial Review, 14 November 2023, page 8
[2] Australian Financial Review, 14 November 2023, page 8