in Cyber Security
Careers
FAQs
Paul A. Watters
To summarise this article, to keep up with the ever-expanding remit of the federal government over anything remotely relevant to cybersecurity, many organisations will need to have a formal, documented, registered and audited cyber security program. While this is good advice for all large organisations – “large” meaning annual turnover of $3m, thus being subject to the Commonwealth Privacy Act[1] – organisations in any of the 11 “critical infrastructure” industry sectors, owning or operating one of 10 “asset classes”, or developing any technology in one of the 63 “critical technology” classes, have very specific and expanding requirements. The take home message of this article is – if you haven’t already – seek specialist advice that relates to your industry sector, and make sure you comply. As with everything cyber, this is a moving feast, and failing to keep up with regulatory changes, and then suffering a breach, could bring about very unwelcome public attention, government scrutiny and penalties.
What are the new requirements?
Essentially, there are two critical pieces of legislation that need to be considered for Australian entities considered to be operating critical infrastructure – the Security of Critical Infrastructure Act 2018 (SOCI)[2] and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP)[3].
Under SOCI, the two key requirements are to register critical assets and systems and report incidents.
The legislation is based on the government extending its oversight of systems and assets considered to be critical at a national level, through owner/operator registration. So, categories such as freight, hospitals and food/grocery are clearly “critical”. These assets also bring a significant exposure to cyber risks – there have been numerous cases of hospitals being unable to function due to ransomware attacks, as just one example. However, in relation to cyber, there are specific ICT assets named in the legislation – such as broadcasting, the domain name system, data storage and data processing. Operators of these systems must have notified the government of owner and operator information on 8th April 2022, with a 6 month grace period, which has now expired. Additional requirements apply to the telecommunications sector. Note that the industry categories for the reporting obligation is much broader than the categories required to register. These are listed at the end of this blog.
In short – if you are not compliant with registration, you should seek urgent professional assistance to become compliant.
In addition to registration, entities also have mandatory reporting requirements that also came into effect on 8th April 2022, but where there was a 3 month grace period. This reporting[4] is designed to enable an effective national (government-supported) response to critical incidents affecting critical assets and systems. It is perhaps unsurprising, then, to see an increase in publicly reported incidents since the middle of 2022. Again – if you operate critical infrastructure, and you don’t have the capacity to interact with or report to the Australian Cyber Security Centre (ACSC) or other government entities with responsibility for cyber and critical infrastructure, it is critical that you initiate this process immediately. In our experience, common issues that arise in this process are (a) lack of staff with appropriate security clearances and/or probity checks, (b) lack of staff with incident response capabilities; and (c) the absence of 24×7, eyes-on-glass monitoring of critical infrastructure, which can only be achieved through a Security Operations Centre (SOC).
In short – if you are not reporting, or not setup to report – you need to create a SOC now, or engage an MSSP to do this on your behalf.
Under SLACIP, owner/operator obligations have been extended even further. Owners and operators of critical infrastructure must initiate and implement a risk management program, and must implement additional cyber security protections for Systems of National Significance (SoNS). The criteria for which systems will be designated as SoNS remain unclear; however, we suggest that any system covered by the SOCI criteria could potentially be classified as a SoNS. Under SLACIP, the risk management program must maintained and kept up-to-date, and annual reports provided to government. This program must consider methods to identify, manage and reduce risk for natural hazards, personnel hazards, cyber hazards, the supply chain, and physical security requirements. Regularly running cyber exercises and undertaking vulnerability assessments are two of the suggested ways to continuously reduce risk.
It is also a requirement under the draft Risk Management Rules[5] to adopt (within 6 months of the Act coming into effect) a written cyber security risk management plan, and (within 18 months) to have adopted and achieved compliance with one of the following cyber risk frameworks or standards:
· Australian Cyber Security Centre’s Essential Eight Maturity Model at maturity level one;
· AS ISO/IEC 27001:2015;
· The National Institute of Standards and Technology (NIST) Cybersecurity Framework;
· The Cybersecurity Capability Maturity Model (C2M2) at Maturity Indicator Level 1;
· Security Profile 1 of the Australian Energy Sector Cyber Security Framework; or
· an equivalent standard
Our recommendations
If you own or operate a system or asset covered by SOCI and SLACIP for registration or reporting, just from a cyber perspective, we recommend:
· Registering the system or asset with the government as required
· Adopting ONE cybersecurity framework or control set, and achieving auditable compliance with this
· Setting up a SOC, or working with an MSSP to obtain SOC coverage, for the critical asset or system
· Setup a risk reporting system that provides annual reports to government as required, as well as incident reporting as and when needed
· Ensure that all non-cyber aspects of SOCI and SLACIP are complied with; personnel risk, supply chain risk and other hazards may impact the capability of cyber teams to reduce the impact of any attack.
Registration and Reporting Requirements
|
Asset Class / Industry Category |
Must Register |
Must Report |
|
Broadcasting |
Y |
Y |
|
Domain Name Systems |
Y |
Y |
|
Data Storage or Processing |
Y |
Y |
|
Payment Systems |
Y |
N |
|
Food and Grocery |
Y |
Y |
|
Hospital |
Y |
Y |
|
Freight Infrastructure |
Y |
Y |
|
Public Transport |
Y |
Y |
|
Liquid Fuel |
Y |
Y |
|
Energy Market Operator |
Y |
Y |
|
Electricity |
Y |
Y |
|
Gas |
Y |
Y |
|
Banking |
N |
Y |
|
|
N |
Y |
|
Insurance |
N |
Y |
|
Financial Market Infrastructure |
N |
Y |
|
Education |
N |
Y |
|
Aviation – Airports, Air Services, Cargo Agents |
N |
Y |
|
Ports |
N |
Y |
|
Water |
N |
Y |
Further Reading
Lander & Rogers – SOCI Act Explained[6]
Gilbert + Tobin – Final reforms to Australia’s critical infrastructure laws[7]
[1] https://www.oaic.gov.au/privacy/the-privacy-act
[2] https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-coordination/security-of-critical-infrastructure-act-2018
[3] https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022 [4] https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cyber-security-incident-reporting.pdf
[5] https://www.homeaffairs.gov.au/reports-and-pubs/files/risk-management-program-rules.pdf [6] https://www.landers.com.au/soci-act-explained [7] https://www.gtlaw.com.au/knowledge/curtain-falls-final-reforms-australias-critical-infrastructure-laws
