The Minister for Home Affairs has commenced consultation on the proposed risk management program (RMP) under the new Part 2A of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
Part 2A of the SOCI Act provides that the responsible entity for one or more critical infrastructure assets must have, and must comply with, a critical infrastructure RMP, unless an exemption applies. In summary, an RMP must address the following overarching obligations:
- Identifying 'material risks'. Responsible entities must identify risks, including both natural and human induced hazards, that may affect the availability, integrity, reliability and confidentiality of their critical assets.
- Minimising risks to prevent incidents. Responsible entities must have appropriate mechanisms in place to minimise the chance of any identified risks occurring.
- Mitigating the impact of realised incidents. Responsible entities must have robust procedures in place to mitigate impacts in the event of an identified risk occurring and to recover as quickly as possible. This may include having backups of key systems, adequate stock on hand, redundancies for key inputs, out-of-hours processes and procedures, and communications protocols.
- Ensuring effective governance. To increase proactive risk management, responsible entities must have appropriate risk management oversight arrangements in place, including evaluation and testing.
The Minister for Home Affairs has released and is seeking feedback on its draft version of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022 (RMP Rules). When finalised, it will determine the application and operation of Part 2A of the SOCI Act – effectively 'switching on' these obligations. Submissions will be received until 18 November 2022.
Application of Part 2A of the SOCI Act
The draft RMP Rules specify that obligations in Part 2A of the SOCI Act will be ‘switched on’ for responsible entities of all of the following asset classes:
- critical electricity assets;
- critical energy market operator assets;
- critical gas assets;
- critical liquid fuels assets;
- critical water assets;
- critical financial market infrastructure assets used in connection with the operation of payment systems;
- critical data storage or processing assets;
- certain critical hospitals;
- critical domain name systems;
- critical food and grocery assets;
- critical freight infrastructure assets;
- critical freight services assets; and
- critical broadcasting assets.
Interestingly, a previous version of the draft RMP Rules that was released with the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) indicated that, due to the impact of the COVID-19 pandemic, there would be an additional delay in the obligations being turned on for critical freight services assets, critical freight infrastructure assets and critical food and grocery assets. However, that proposal has not been reflected in the draft RMP Rules (presumably because there has been a longer than anticipated delay in the RMP Rules taking effect more broadly).
In addition, the draft RMP Rules now indicate that only certain critical hospitals will be required to establish and maintain a critical infrastructure RMP. These hospitals will be specified in a further iteration of the RMP Rules, subject to further consultation.
Further guidance on RMP obligations
The draft RMP Rules provide further guidance on the meaning of the term 'material risk', which is now defined to include risks of any of the following impacts:
- an impairment of the asset that may prejudice the social or economic stability of Australia or its people, the defence of Australia or the national security of Australia;
- any hazard that would cause the stoppage or major slowdown of the asset’s functioning for an unmanageable period;
- the substantive loss of access to or deliberate or accidental manipulation of a critical component of the asset;
- interference with the asset’s operating technology or information communication technology essential to the functioning of the asset;
- the relevant impact on the asset resulting from the storage, transmission or processing of sensitive operational information outside Australia;
- the relevant impact on the asset resulting from remote access to operational control or operational monitoring systems of the asset;
- any other material risks as identified by the entity that affect the functioning of the asset.
The draft RMP Rules also sets out requirements for what is to be included in a responsible entity's RMP, including in respect of hazards relating to:
- cyber and information security;
- personnel;
- supply chain risks; and
- physical security.
Transition periods
Within six months of the finalised version of the RMP Rules coming into force, responsible entities will be required to have in place and comply with an RMP in accordance with Part 2A of the SOCI Act and the RMP Rules. Notably, however, responsible entities will be afforded a further 12 months, commencing at the end of the initial six month grace period, to satisfy requirements relating to compliance with at least one of the following cyber and information security standards and frameworks:
- the Australian Cyber Security Centre’s Essential Eight Maturity Model at maturity level one;
- AS ISO/IEC 27001:2015;
- the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity;
- the Cybersecurity Capability Maturity Model (C2M2) at Maturity Indicator Level 1;
- Security Profile 1 of the Australian Energy Sector Cyber Security Framework; or
- an equivalent framework.
Next steps for those impacted by the RMP Rules
Organisations that will be impacted by the RMP Rules are encouraged to engage with government on the proposals, either through submissions or at the scheduled virtual Town Halls.
Impacted organisations should also take the opportunity to consider their risk management plans more generally, even if only a part of their business is subject to the SOCI Act. Given the potentially far-reaching impact of Part 2A of the SOCI Act and the RMP Rules, it may be difficult to prepare a RMP for only those assets affected by the SOCI Act. Accordingly, in taking steps to give effect to these changes, and in light of the proposed transition periods, organisations should consider what organisation-wide uplifts may be required to their existing policies, procedures and processes, as well as in their contracts with third parties across their supply chain.
For more information about recent far reaching amendments to the SOCI Act, see our previous articles below: