
Critical Infrastructure Act – What’s Changing & How To Prepare

Published on: 30 September 2021. Categories: Critical Infrastructure

Once passed, the changes to the Security of Critical Infrastructure Act (SOCI) will significantly expand the scope and definition of Critical Infrastructure. The question is, what can you do today to prepare?


Larger critical infrastructure operators are no doubt aware of changes to the Security of Critical Infrastructure Act (SOCI) proposed in December 2020. These amendments to the Bill, when passed, significantly expand the scope and definition of Critical Infrastructure providers.

Under the changes, a wide range of new industries will fall under the definition of critical infrastructure, including data processors, domain name systems, telecommunications providers, broadcasting services, food supply, and logistics, to name but a few.

The proposed SOCI changes are also expected to impact many small to medium operators who form part of that overall critical infrastructure sector and supply chain.

What is changing?

Included among the amendments are a range of ‘Positive Security Obligations’, which will be imposed on entities that are responsible for specified critical infrastructure assets to ensure cyber risk is effectively managed.

I have been lucky enough to be engaged in the co-design forums for the energy sector and it has been interesting to see the approach taken by various representatives within these businesses. The representatives range from people in operational roles to risk-focused professionals and, although I believe there could be more prescription around the new rules, they are nonetheless likely to bring about maturity uplifts across Australia’s critical industries.

Looking at the excellent work the Australian Energy Market Operator (AEMO) has done with their Australian Energy Cyber Security Framework (AESCSF), I expect to see similar industry-tailored frameworks replicated across various industries.

If we look closer at the specifics of the Act, we can see these obligations outlined:

  • An obligation to provide information to a critical infrastructure register;
  • An obligation to notify the Secretary of Home Affairs of certain notifiable incidents;
  • An obligation to have, maintain and comply with critical infrastructure risk management programs;
  • An obligation to notify the Australian Signals Directorate (ASD) of cyber security incidents in relation to critical infrastructure assets; and
  • Enhanced cyber security obligations on particular assets which are deemed by the Commonwealth Minister for Home Affairs to be “systems of national significance”.

The amended SOCI Act will also include powers for the Minister to give directions in response to certain security incidents.

Once the Act is passed, there will be limited timeframes for organisations to meet the requirements; in the case of the energy sector, a grace period of 60 months is expected before certain maturity levels must be met.

Staying ahead of these changes is challenging, but understanding your organisation’s critical assets and associated risk management processes will prepare you for the changes to come. Although it may be another six months before these changes come into effect, being proactive will ensure timely compliance with the new legislation and will also avoid fines or other consequences.

The question is, what can you do today?

Review your current security posture

If you understand your critical assets and targets for organisational and operational resilience, you can apply that lens to core areas, such as security tooling, response, architecture, risk, and governance, with a goal to finding areas of improvement and plotting a course to meet the new targets.

Assess your security reporting processes

The draft Bill introduces positive security obligations that may require you to adopt, maintain and regularly review how your security measures stack up against the newly formed critical infrastructure risk management program. Ahead of the introduction of this program and its official requirements, you should assess your current security reporting processes to identify where improvements may be made in line with the proposed Amendment.

As it stands, the SOCI Act 2018 requires critical industries to provide interest and control information to the Secretary of the Department of Home Affairs on an ongoing basis. According to the Act, once an entity is aware of a cyber incident it must be reported within either 12 hours, where the incident has a significant impact on the availability of the asset, or 72 hours, where it has a relevant impact on the availability, integrity, reliability, or confidentiality of an asset.

As new critical industries fall under this Act, now is the time to adjust or overhaul your incident reporting structure to ensure you can meet these timeframes in the event of an incident and are up to standard. You can do this by setting up organised team structures that follow a detailed step-by-step guide on how to monitor and report potential incidents.

Improve your cyber risk management

Regularly assessing your cyber risk ensures relevant risks are managed down and, where necessary, escalated to provide visibility to the Board and Executives.

Isolating technical risk from business risk can be challenging, but it is important in order to ensure robust processes, forums and recording mechanisms.

Smaller and newer industries that now fall under the SOCI Act must consider how they can optimise their risk management and reporting functions to be as effective as possible.

If you need assistance…

We have critical infrastructure security experts across a number of industries and are here to help. Book a free consultation with any one of our specialists to learn more about the SOCI Security Legislation Amendments.
