Introducing The SLACIP Act And Systems Of National Significance
Hot off the press in March 2022, the Security of Critical Infrastructure Protection Bill (SLACIP) has been passed by the Commonwealth.
These amendments to the Security of Critical Infrastructure Act 2018 (SOCI) introduce new obligations for critical infrastructure owners and operators requiring a risk management program, and new frameworks for operators of systems of national significance (SoNS).
The goal of the SLACIP Act is to make risk management, resilience, prevention, and preparedness core requirements to ensure that information is exchanged between industry and the Commonwealth to build a picture of the threats to the critical infrastructure sector.
What are the specifics?
Establish a Risk Management Program
Compliance with the SLACIP Act advises that critical infrastructure asset owners and operators must have and follow a risk management program for their critical infrastructure. The detailed requirements of the risk management program are currently still in draft format, so should be interpreted as guidance only.
The draft rules focus on ensuring that critical infrastructure entities consider various hazards including, but not limited to:
- Cyber and information security hazards
- Supply chain hazards
- Physical and natural hazards, and
- Personnel hazards.
The goals of the risk management program are to ensure that the focus remains on the AIC triad: availability, integrity, and confidentiality. This is the reverse of the traditional IT security CIA concept of confidentiality, integrity, and availability, and it reflects the nature of the operational technologies that underpin critical infrastructure systems, where keeping the process running and safe comes first. These requirements are critical to maintaining operations and resiliency against adverse cyber events.
Do I operate a system of national significance (SoNS)?
If you are unsure, then the answer at this late stage is most likely no. However, this subset of systems is not necessarily based on the size of the system but is more likely to consider the impacts on the Australian population and economy if the system was unavailable due to a cyber event.
The interdependence of the system across sectors such as electricity generation, transmission and distribution will provide a good idea of how these are categorised. Electricity is undeniably the core for most systems to function, and the diagram below illustrates how a SoNS may be determined.
How will systems of national significance be identified and declared?
Under the Act, the Minister for Home Affairs will privately declare an asset to be a SoNS and once this is determined, it should not be disclosed. To make this determination, the Minister will consider the interdependencies with other CI assets including the consequences for Australia’s social or economic stability, defence, or national security if a cyber event were to impact the asset.
It is with this in mind that the enhanced cyber security obligations will apply to SoNS.
What are the Enhanced Cyber Security Obligations?
Incident response plans
Incident response plans should be designed to ensure that the organisation has prepared for and can respond to cyber events when they occur. These plans should specifically focus on the aspect of the critical infrastructure systems to gain the most value. Generic ICT or Business systems response plans will generally not be suitable as they will not consider concepts such as the operational imperative and safety.
Cyber security exercises
The organisation will also need to ensure that it performs regular cyber security simulations or exercises to test its preparedness and ability to mitigate cyber events affecting the critical infrastructure systems. This includes how the cyber response processes function, how operational teams are involved, and may even extend to external agencies and support staff.
Following an exercise, a report should be prepared that gives the organisation's management and the government a detailed understanding of how the organisation performed, so that the effectiveness of its response during a real event can be gauged.
Vulnerability assessments
Understanding where technologies are vulnerable is generally the first step in mitigation. Assessing critical infrastructure systems to ensure any technical gaps or exposures are understood and subsequently managed will help organisations understand where critical infrastructure systems are exposed. This may be uncovered through ongoing testing via a software tool and could also include documentation-based reviews of the designs of systems, interactions with business systems or any potential vectors where a vulnerability has the potential to impact system operations.
Access to system information
The Secretary of Home Affairs may request information where a specific cyber event has occurred, which could be at a point in time or ongoing. This information may be system-specific data, security, diagnostic or monitoring data covering any component of the system including metadata.
This request would not include personal information but will allow the Commonwealth to establish an understanding of what the sources of these cyber events are and how this data (when anonymised) may assist other entities within the critical infrastructure industry.
Looking for more assistance?
The Anchoram team has been working with the Commonwealth in various forums to represent the needs of critical infrastructure operators and can provide specific guidance and advisory services through our Integrated Security Services team. Our team is entirely security cleared by AGSVA and has the real-world experience to provide strategies and recommendations to ensure compliance with these new regulations.
For a confidential and no-obligation discussion about your needs reach out to any one of our staff.