Australian critical infrastructure is increasingly under threat. Owners and operators face multiple challenges in securing the operation of their critical assets amid heightened geopolitical tension, an increasing number of destructive and costly cyber attacks, and greater disruption of global supply chains.
The legislative obligations of the Security of Critical Infrastructure Act 2018 (the SOCI Act) are driving the urgent need for new protective security measures and risk management protocols.
So, let us explore the key dates for 2024 and what is required to keep up with the SOCI legislative obligations.
Background
The SOCI Act provides a framework for managing risks relating to critical infrastructure and requires responsible entities for critical infrastructure assets to establish and maintain processes or systems that minimise, mitigate or eliminate potential impacts arising from hazards as far as is reasonably practicable. Amongst other matters, responsible entities are required to develop and maintain a written critical infrastructure risk management program (CIRMP).
The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 (the Rules) set out the mandatory baseline security standards for a CIRMP. The CIRMP must address risk across the nominated hazard vectors: personnel, cyber and information security, physical and natural, and supply chain. The CIRMP process enables the identification of assets and relevant threats, and the management of the resulting risk.
Requirement to adopt and maintain a CIRMP (s 30AC of the SOCI Act)
Existing critical infrastructure assets
If a responsible entity’s asset became a critical infrastructure asset before 17 February 2023 (the date the Rules commenced), the entity should have met all CIRMP requirements by 18 August 2023, apart from the cyber and information security hazards component of the Rules. The cyber and information security hazards requirement of the Rules must be met by 18 August 2024.
In-development assets
If a responsible entity’s asset becomes a critical infrastructure asset after 17 February 2023 (the date the Rules commenced), the responsible entity must meet the CIRMP requirements within 6 months of the day the asset becomes a critical infrastructure asset, and the cyber and information security hazards component of the Rules within 18 months of that day.
For example, if an asset becomes a critical electricity asset on 1 March 2024, a responsible entity would be required to fully meet the CIRMP requirements by 1 September 2024 and achieve compliance with cyber and information security hazards component by 1 September 2025.
Requirement to submit annual report (s 30AG of the SOCI Act)
A responsible entity for a critical infrastructure asset must provide an annual CIRMP report to the Department of Home Affairs (DHA) (or another relevant regulator). The report is an in-house assessment of the effectiveness and maturity of the entity’s risk mitigation measures as set out in the CIRMP. The annual report must be approved by the entity’s Board or governing body.
The first Board-approved annual CIRMP report is due between 30 June and 28 September 2024.
The annual CIRMP report will require the Board to:
- attest the CIRMP is up to date
- identify any hazards that occurred in the reporting period and the effectiveness of action taken by the entity to mitigate the impact
- approve the annual CIRMP report for submission to the regulator.
Note that while the explicit legislative requirement is approval of the annual CIRMP report, this obligation implies that in practice the CIRMP itself should be reviewed, as well as approved, by the Board.
Review of the CIRMP (s 30AE of the SOCI Act)
If you are a responsible entity for one or more critical infrastructure assets and have adopted a CIRMP, you must review the program on a regular basis. The legislation does not specify a timeframe for the review; however, the explanatory material states that the CIRMP should be reviewed once every 12 months to ensure it remains current.
That means that if you adopted your CIRMP by 18 August 2023, it is due for its annual review by 18 August 2024.
We recommend establishing a process for annual review, update, and variation of the CIRMP that will:
- identify who will be responsible for conducting the CIRMP review (linking to your governance structure)
- define out-of-cycle triggers for a CIRMP review (e.g., any significant organisational change, or newly emerged risks, threats or hazards)
- set a definite timeframe and frequency for the regular CIRMP review (consider integrating it into the Enterprise Risk Management process)
- define a performance measurement process (with the frequency of measuring and monitoring the performance measures proportional to the security risks and threats)
- reference any regular internal audits planned for the CIRMP
- link the CIRMP review to the annual reporting requirement.
Table A: Key SOCI-related dates to note for 2024

| Date | Obligation |
| --- | --- |
| 18 August 2023 | Commencement of Critical Infrastructure Risk Management Program obligations (all hazard vectors except cyber and information security) |
| 30 June – 28 September 2024 | First Board-approved annual report due to the regulator (must be submitted within 90 days after the end of the financial year) |
| 18 August 2024 | Annual review of the CIRMP to ensure it is up to date (update or variation if required) |
| 18 August 2024 | Commencement of the cyber and information security component of the CIRMP Rules, against a recognised framework (ISO 27001, AESCSF, NIST CSF, Essential Eight (E8), or equivalent) |
Learn more! Join our upcoming free workshops and webinars to gain practical advice about how to achieve compliance with the regulatory obligations of the SOCI Act: get ready for an annual CIRMP review and reporting, meet cyber security obligations, introduce early detection capability to mitigate insider threat to your critical infrastructure assets using OSINT – Register here