Security of Critical Infrastructure
Recent changes to Australia’s legislation have introduced stronger regulation for critical infrastructure. CyberCX understands the complexity of new regulatory regimes and is available to provide you with end-to-end support that promotes cyber uplift for your organisation in line with legislative requirements
What is the SOCI Act?
In response to the increasing threat of cyber attacks to critical infrastructure assets, the Australian Government has amended the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) which introduces stronger regulation for critical infrastructure. As a result, responsible entities within identified critical infrastructure sectors must comply with specified ‘obligations’ to better secure their assets.
Who does the SOCI Act affect?
The SOCI Act covers 11 critical infrastructure sectors. This includes communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport and water and sewerage. Responsible entities within these sectors should be aware of three key areas within the SOCI Act – Positive Security Obligations, Enhanced Cyber Security Obligations and Government Assistance.
Positive Security Obligations
The SOCI Act prescribes three ‘Positive Security Obligations’ (PSO) that apply to responsible entities that own critical infrastructure assets. Therefore, it is important that all entities are aware of their new obligations under the SOCI Act. Unless specifically excluded, responsible entities for critical assets are required to comply with three PSO.
Register of Critical Infrastructure Assets
Responsible entities must register their critical assets via the Cyber and Infrastructure Security Centre website. They must also update any changes to their assets.
Mandatory Cyber Incident Reporting
Responsible entities must report cyber incidents to the Australian Cyber Security Centre (ACSC) via phone or the ACSC website. They must also provide a written report of the incident to the ACSC.
Risk Management Program
Responsible entities must implement a written program outlining how they will identify, minimise and mitigate hazards to their assets. The program must consider hazards across four domains including cyber and information, personnel, supply chain and physical and natural hazards.
Enhanced Cyber Security Obligations
The SOCI Act prescribes Enhanced Cyber Security Obligations (ECSO) that may apply to responsible entities that own Systems of National Significance (SONS). SONS are a subset of critical infrastructure assets that have strong interdependencies with other critical assets, and if disrupted would have strong consequences that would arise for Australia’s social or economic stability, defence or national security.
The Minister for Home Affairs is responsible for declaring SONS and will notify the respective responsible entity as such via written notice. Responsible entities for SONS may need to comply with the following ECSO, in addition to their PSO and any sector-specific regulations they are subject to.
Incident Response Plan
Responsible entities must development, comply with, review and update an incident response plan.
Cyber Security Exercise
Responsible entities must undertake a cyber security exercise to test their organisation’s cyber incident response capabilities.
Vulnerability Assessment
Responsible entities must undertake vulnerability assessments to identify vulnerabilities in their system.
System Information
Responsible entities must provide system information to contribute to the development and maintenance of a near-real time threat picture.
Government Assistance
Government Assistance provides the Australian Government with the ability to provide assistance to critical infrastructure entities in response to serious cyber-attacks on Australian systems. These powers will only be used in rare or emergency circumstances where an entity is unwilling or unable to conduct their own incident response, and when there is no other regulatory mechanism in place to resolve the incident. The GA framework within the SOCI Act provides the Minister with the power to authorise the Secretary of Department of Home Affairs to do any or all of the following things in response to a cyber security incident:
Information Gathering Directions
Gather information to determine if another power in the SOCI Act should be exercised.
Action Directions
Direct an entity to do, or refrain from doing, a specified act or thing.
Intervention Requests
Request the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) to provide support to the entity, with agreement from the Prime Minister and Minister for Defence.
Why is uplift important?
Business Operations: A successful cyber security attack could cause major impact to maintaining business as usual if your organisation’s assets are affected. This may amount to a significant disruption to business operations and ultimately cost your organisation reputational risk and financial loss.
Non-Compliance Penalties: Failure to comply with the SOCI Act requirements may attract legal proceedings and civil penalties. Infringement notices with significant financial penalties can also be issued for non-compliance with these obligations.
Reputational and Safety Risk: A significant cyber incident that impacts your organisation could affect critical infrastructure, nationally significant systems, assets and data impacting customers, Australia’s national security, defence, healthcare, economy and society. This may also result in major damage to your organisation’s reputation and national safety.
Resilience and Continuity: If your organisation does not have a baseline of security in place to protect their critical assets, you may be left unprotected against major cyber incidents and be unable to detect, respond and recover in a timely manner. As a result, there may be system outages and an inability to recover critical assets and key business data, systems and operations.
Why partner with CyberCX?
CyberCX has a unique understanding of the SOCI Act and seeks to support organisations in navigating the complexity of these new and developing requirements. We recognise that meeting SOCI obligations is an iterative and ongoing process, and that the threat environment is constantly evolving alongside changing regulatory obligations. CyberCX are available to provide you with industry-leading expertise and end-to-end support that promotes cyber uplift in line with the legislative requirements outlined in the SOCI Act.
