Background

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 introduced amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) which included additional positive security obligations on responsible entities for certain critical infrastructure assets to maintain a Risk Management Program (RMP) that comply with the Risk Management Program Rules.

The final version of the Critical Infrastructure Risk Management Program Rules (being the CIRMP Rules) have now been registered following stakeholder consultation which closed late last year. Responsible entities for the classes of critical infrastructure specified in the CIRMP Rules must ensure they have a compliant risk management program in place by 17 August 2023 and implement appropriate cybersecurity systems and processes in line with industry standards by 17 August 2024.

Applicability of the new rules

The new CIRMP Rules apply to the following classes of critical infrastructure (amongst others):

Key SOCI obligations regarding risk management rules

Broadly speaking, responsible entities for the classes critical infrastructure assets mentioned above must have a risk management program that:

• identifies each hazard where there is a ‘material risk’ that the occurrence of the hazard could have a ‘relevant impact’ on the asset (being an impact on the availability, integrity reliability, or confidentiality of the information about the asset);
• so far as it is reasonably practicable to do so - minimise or eliminate any material risk of such a hazard occurring; and
• so far as it is reasonably practicable to do so - mitigate the relevant impact of such a hazard on the asset.

(SOCI Act, section 30AA).

‘Material risk’ includes, but is not limited to the following:

• a stoppage or major slowdown of the critical infrastructure asset’s function for an unmanageable period;
• a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the critical infrastructure asset;
• an interference with the critical infrastructure asset’s operational technology or information communication technology essential to the functioning of the asset;
• the storage, transmission or processing of sensitive operational information outside Australia; and/or
• remote access to operational control or operational monitoring systems of the critical infrastructure asset.

(CIRMP Rules, section 6).

Examples of risk mitigation processes include (but are not limited to) conducting background checks on key personnel, restricting physical access to critical infrastructure components to critical workers, implementing automatic patches and web/email content filtering within an organisation’s systems. The Australian Cyber Security Centre (ACSC) has published guidance on strategies to mitigate cyber security risks (available here) which may be of assistance to organisations seeking to develop their risk management programs.

Additionally, responsible entities must review the risk management plan on a regular basis, take all reasonable steps to ensure their risk management program is up to date and submit an annual report to the Department of Home Affairs/ACSC within 90 days after the end of each financial year in relation to the risk management plan. The first annual report is due 90 days after the end of FY 2024 (30 June 2024), although voluntary submission is encouraged for FY23.

Further, the risk management program must be signed off by the responsible entity’s board (or other governing body/council).

Cyber and information security hazards

The CIRMP Rules require responsible entities to establish and maintain a process of system in their risk management plans in relation to all hazards, which:

• identifies the operational context and material risk to each critical infrastructure asset;
• minimises or eliminates the material risks; and
• mitigates the relevant impact of each hazard on the critical infrastructure asset.

Additionally, an entity’s risk management plan must address hazards from the following four categories: ­­­­­­

Importantly, in relation to cyber and information security, responsible entities are required to comply with a cybersecurity framework set out in the CIRMP Rules (or an equivalent framework) by 17 August 2024. The relevant cyber frameworks are:

Further changes to cybersecurity laws on the horizon

On 27 February 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy Discussion Paper (Discussion Paper) for consultation. The consultation seeks the views of the public on how the Government can achieve its objectives under the 2023-2030 Australian Cyber Security Strategy which include:

• increasing whole-of-nation cyber security efforts to protect Australians and the economy;

• ensuring critical infrastructure and government systems are resilient and cyber-secure;

• building sovereign capabilities to take cyber threats and manage emerging threats to the economy;

• strengthening and expanding Australia’ international engagement capacity building efforts; and

• growing and sustaining a national cyber workforce, focusing on education, skills and training.

Consultation on the Discussion Paper closes on 15 April 2023.

Next steps

Responsible entities of the relevant classes of critical infrastructure have a grace period of 6 months to ensure its risk management program adequately identifies all relevant hazards and proposed mitigation strategies (in particular, hazards from a cybersecurity, personnel, supply chain and physical security perspective). Responsible entities must also ensure that they have implemented appropriate cybersecurity systems and processes in line with industry standards such as ISO/IEC 27001:2015 (or equivalent) by 17 August 2024.

Additionally, entities should be aware of their ongoing legislative obligations to review, update, and report on their risk management plans, and to ensure that their risk management plans are signed off by the entity’s board (or other governing body/council).