Recent global events have driven home the need to protect Australia's critical infrastructure in an increasingly digitally connected world. Even before recent events in Eastern Europe began to unfold, the Australian Federal Government had been working on strengthening the existing Security of Critical Infrastructure (SOCI) Act 2018 legislation, which governs Australia's critical infrastructure assets.
As a result, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) commenced on 2 April 2022. While previous SOCI legislation introduced the requirement to maintain a register of critical infrastructure assets and made reporting of cyber incidents mandatory, SLACIP introduced two key measures:
- a new obligation for responsible entities to create and maintain a critical infrastructure risk management program (RMP); and
- a new framework for enhanced cyber security obligations required of operators of Australia's most important critical infrastructure assets (i.e. systems of national significance (SoNS)).
The accelerated timeframes from draft publication to consultation to the passing of the bill demonstrate the importance and urgency the Government has placed on the reforms. We have been placed on high alert for a malicious critical infrastructure attack – to use the old adage – it is not a matter of if, but when, an attack will occur. So what can organisations do to try to mitigate their risks?
Take a strategic view
We recommend organisations use the implementation of the new requirements as an opportunity to undertake a review of their existing risk and resilience environment – not just in relation to cyber issues, but risk more broadly – and identify areas for improvement. Key areas of focus, or questions organisations should address, include:
What are our strategic risks?
Undertaking and regularly updating a strategic level risk assessment can help an organisation to:
- understand its risk profile;
- identify the key threats and issues likely to face the business; and
- align the approach to various facets of risk, such as crisis management, cyber security and operations risk, within the business.
In relation to the requirements of SOCI, understanding and mitigating the key strategic risks relating to your critical infrastructure assets needs to be your starting point.
Do we have the right structure?
After reviewing the strategic risks, consider whether your risk management structure appropriately and holistically addresses the risks and threat issues you are likely to face.
Does the current structure facilitate the prompt escalation of key issues to appropriate stakeholders? Does information flow consistently and transparently throughout the organisation? Is there unnecessary duplication in roles and responsibilities? Are the roles that should be aligned for the protection of your organisation's people, environment, assets and reputation actually aligned?
From the cyber security perspective, consider the idea of a Chief Information Security Officer (CISO) and Chief Security Officer (CSO) operating independently of one another. From an infrastructure perspective, there is a risk of both physical and digital compromise – so these roles need to evolve to consider both physical and network security, with reporting lines that appropriately reflect this evolution.
Organisations also need to ensure that they have a program of education and awareness in place. When it comes to risk, be it cyber or security, the people within an organisation can be its biggest strength, but also its greatest weakness. Appropriate awareness programs and training should be in place, and everyone in an organisation should be aware of their role in managing risk issues.
Organisations that have already integrated cyber risk into their enterprise risk framework will be able to minimise duplication and reduce cost when implementing the requirements.
How do we approach risk governance?
Whether it is risk in general or specific cyber risks, an effective governance model is critical. From a SOCI perspective, the board needs to be aware of the potential impact of the SOCI requirements on the organisation, and to understand the risks and the proposed mitigating strategies. Information on risk issues, and particularly cyber risk, needs to be delivered to boards in a clear and transparent way – care must be taken to avoid excessive jargon and to ensure that the message on risk issues presents appropriate mitigation strategies. In turn, the onus is on boards and executives to challenge the information they are provided with, and upon which they will make decisions.
What do we need to cover?
While the RMPs are not exhaustive of all risks, they do require that plans be put in place across four key domains:
- cyber and information security
- supply chain
- physical and natural hazards
An organisation's RMPs should consider issues such as:
- the types of critical assets and infrastructure that are within its control, and how it has identified these;
- any reliance that exists between its critical assets and other critical infrastructure assets;
- who is responsible for developing and implementing the program, with a view to mitigation of the associated risks; and
- an appropriate methodology for the management of risk and associated programs.
What do we need to do?
While more mature organisations may already have begun to develop and update their risk management approach, some are just beginning this journey now. These organisations should, at a minimum, ensure that:
- they have identified their key risks and assets;
- incident response plans and associated documentation have been updated;
- training exercises are conducted to familiarise staff with relevant documentation; and
- they have addressed potential third-party issues associated with suppliers and contractors.
Once an appropriate and sufficiently mature program is in place, organisations need to ensure that they have the budget for the program to function on an ongoing basis. Furthermore, risk priorities should be identified and continuously reassessed to ensure ongoing value and support for the risk management program.
Finally, all organisations should have appropriate training in place to ensure awareness of risks within the organisation, to help all people become risk managers and understand their role in owning risk. Organisations need to ensure that they are prepared to face contemporary risk issues, in particular cyber risks – as it is not a matter of if, but when, an attack will occur.