The Critical Infrastructure Risk Management Program (CIRMP), which commenced on 17 February 2023, is a comprehensive risk management approach designed to identify and mitigate potential threats to critical infrastructure assets. The goal is to ensure the availability, reliability, integrity, and confidentiality of these assets while minimising the risks and their impacts. CIRMP must include processes for hazard identification, risk minimisation, and mitigation. The CIRMP is mandatory for various critical infrastructure sectors in Australia, and recent amendments to the Security of Critical Infrastructure (SOCI) Act 2018 have expanded its scope to include additional sectors, imposing enhanced cybersecurity measures on operators of Systems of National Significance (SoNS). While compliance may lead to increased costs for businesses, it aims to enhance the security and resilience of Australia's critical infrastructure assets.
As a protective measure for the nation's most essential services and systems, the Australian Government introduced the Security of Critical Infrastructure Act (SOCI Act) in July 2018. This act established a mandatory compliance framework for all critical infrastructure sectors and assets. Since its implementation, the government has carried out two stages of reform, significantly expanding the Act's scope. A crucial amendment requires critical infrastructure asset owners and operators to develop, maintain, review, and update a Critical Infrastructure Risk Management Program (CIRMP) by 17 August 2023. The CIRMP Obligations fall under a broader set of compliance obligations for Critical Infrastructure entities and direct interest holders, that are summarised in Table 1. A useful reference that summarises all of the obligations under the Security of Critical Infrastructure Act 2018 is the General Guidance for Critical Infrastructure Assets.
CIRMP Significance and Requirements
The specific rules for the CIRMP are elaborated in LIN 23/006 Security of Critical Infrastructure Rules 2023. The CIRMP is a comprehensive risk management approach that aims to identify potential threats to critical infrastructure assets. The goal is to pinpoint any hazard that may materially impact the asset's availability, reliability, integrity, or confidentiality and, as much as is reasonably practicable, minimise and mitigate the resulting risk and relevant impact.
A well-crafted CIRMP must detail the processes or systems for:
- Identifying each hazard that presents a material risk to an entity's critical infrastructure asset.
- Minimising and mitigating, as far as is reasonably practicable, the material risk and relevant impact of such hazards.
- The CIRMP must be approved and regularly reviewed by the asset owner's or operator's governing body. Entities are also obliged to submit an annual report detailing their CIRMP's effectiveness in managing hazards and any variations made to the program.
Who Needs to Comply
The SOCI Act and its associated CIRMP obligations apply to various critical infrastructure assets. These include:
- Domain Name Systems
- Data Storage or processing
- Energy Market Operator
- Liquid Fuels
- Payment Systems
- Food and Grocery
- Designated Hospitals (listed in Schedule 1 of the CIRMP Rules)
- Critical Freight Infrastructure (Under the SOCI Act only intermodal facilities listed in Schedule 1 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 are Critical Freight Infrastructure assets)
- Critical Freight Services
New obligations and enhancements, such as strengthened cybersecurity measures, have been added for operators of Systems of National Significance (SoNS), enhancing the resilience of Australia's most crucial infrastructure assets.
Impact and aim of the SOCI Act Amendments
The updated SOCI Act affects businesses that own or operate critical infrastructure assets, requiring them to create and maintain a CIRMP and comply with enhanced cybersecurity obligations. The amendments have broadened the scope to include sectors like communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.
These changes aim to make risk management, preparedness, prevention, and resilience standard practice for the owners and operators of critical infrastructure assets. The government seeks to enhance the exchange of information between industry and government to facilitate a deeper understanding of threats, potentially increasing costs as businesses implement necessary compliance measures. However, it should also lead to improved security and resilience for these businesses and their assets.
Implications for Australian Businesses
The expanded obligations under the SOCI Act and the requirement for a CIRMP have significant implications for businesses that own or operate critical infrastructure assets across a broad range of sectors.
- Increased Responsibility: Business entities now have a greater responsibility to ensure their assets' security, reliability, integrity, and resilience against material risks and hazards. This increased responsibility necessitates a dedicated focus on risk management and the establishment of robust systems and processes.
- Enhanced Cybersecurity Measures: If businesses operate systems of national significance (SoNS), they will need to comply with enhanced cybersecurity obligations. This will require investment in robust digital security measures, updating technology infrastructure, and potentially hiring dedicated cybersecurity personnel.
- Annual Reporting: Businesses are required to provide annual reports detailing the effectiveness of their CIRMP and any modifications made. This may necessitate additional resources for consistent monitoring, data collection, and reporting.
- Increased Compliance Costs: With the expanded scope and requirements of the SOCI Act, businesses may face increased costs associated with developing, maintaining, and updating their CIRMP. These costs may relate to system updates, personnel training, regular risk assessments, annual reporting, and the implementation of enhanced cybersecurity measures.
- Possible Penalties for Non-compliance: Failure to comply with the SOCI Act's obligations may expose businesses to potential penalties, which could include substantial fines. Non-compliance can also lead to reputational damage, which may affect a business's relationship with stakeholders and customers.
- Greater Collaboration: The government is aiming to foster a more comprehensive information exchange between industry and government, which will require businesses to engage in greater collaboration and transparency. This can lead to new partnerships, but it also means sharing more information with government bodies.
- Beneficial Outcomes: Despite the potential increase in costs and responsibilities, these obligations aim to foster stronger resilience in Australia's critical infrastructure. As businesses improve their risk management strategies and cybersecurity measures, they will be better prepared to handle threats. This can potentially reduce the cost and impact of disruptions in the long run, providing a safer, more secure environment for the business to operate and grow.
The Security of Critical Infrastructure (SOCI) Act and the Critical Infrastructure Risk Management Program (CIRMP) are crucial components in safeguarding Australia's critical infrastructure assets from potential threats and disruptions. By identifying and mitigating hazards, businesses can enhance their resilience and protect their assets, ensuring continuity and reliability. The recent amendments to the SOCI Act have broadened the scope of compliance, encompassing various sectors and imposing enhanced cybersecurity obligations on operators of Systems of National Significance. Though this expansion may come with increased compliance costs and responsibilities for businesses, the ultimate goal is to foster a safer, more secure environment for critical infrastructure operations.
As businesses work towards meeting the requirements of the CIRMP and SOCI Act, collaboration with government bodies and transparency in information exchange will become essential. Engaging in such collaboration will not only support compliance efforts but also facilitate the development of stronger risk management strategies and cybersecurity measures.
At Lote Consulting, we understand the complexities of complying with the SOCI Act and CIRMP requirements. Our comprehensive consulting services can assist businesses in understanding the regulations, developing effective CIRMPs, and ensuring full compliance. By embracing these obligations, businesses can be better prepared for future threats and disruptions, creating a more resilient critical infrastructure landscape in Australia. Get in touch with us today to discuss how we can support your compliance journey with the SOCI Act and enhance the security of your critical infrastructure assets.
Table 1 — SOCI 2019 Compliance Obligations Summary