
SOCI CIRMP – are you ready?


    What you need to know

    The Security of Critical Infrastructure Act 2018 (SOCI Act) requires responsible entities to have a Critical Infrastructure Risk Management Program (CIRMP) in place. Significant deadlines in relation to CIRMPs are fast approaching:

    • 18 August 2024 – the last day for a CIRMP to adopt and be compliant with a prescribed cyber and information security hazards framework.
    • 28 September 2024 – the due date to submit the first annual report on an entity's CIRMP to the Cyber and Infrastructure Security Centre (CISC).

    What you need to do

    Make sure your CIRMP complies with a cyber and information security hazards framework and, if you are responsible for obtaining annual report sign off within your organisation, start thinking about what the board might want to see in order to provide the relevant approval.

    1. To Recap

    The SOCI Act is designed to manage risks to critical infrastructure assets (CI assets) by ensuring:

    • owners and operators of CI assets are taking appropriate steps to secure their assets; and
    • the Federal Government has the information required to manage national security risks and has the power to respond to those risks.

    Responsible entities are encouraged to adopt an 'all hazards' approach towards managing their CI assets. The Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (LIN 23/006) 2023 (the Rules) outline the specific areas that a CIRMP has to address. The 'all hazards' approach goes beyond a simple box ticking exercise, and requires responsible entities for CI assets to consider all possible risks to the asset and what can be done within reason to mitigate those risks.

    2. CIRMP Key Requirements

    A recap
    A responsible entity must have and maintain a CIRMP. These programs have no prescribed format and are intended to incorporate existing risk management frameworks and processes.

    A CIRMP must identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset. The CIRMP should outline the processes/systems in place to, as far as reasonably practicable, minimise risks and mitigate the relevant impacts of each hazard.

    A material risk includes:

    • a stoppage or major slowdown of the asset's function for an unmanageable period;
    • a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the asset;
    • an interference with an asset's operational technology or information communication technology essential to the functioning of the asset;
    • the storage, transmission or processing of sensitive operational information outside Australia; and
    • remote access to operational control or operational monitoring systems of the asset.

    The four defined (and non-exhaustive) hazard categories, with potential examples of each, are:

    • Cyber and Information Security Hazards: phishing; malware.
    • Personnel Hazards: malicious or negligent employees who have access to CI assets; off-boarding processes for outgoing employees and contractors.
    • Physical Security and Natural Hazards: unauthorised access to, or interference with, a CI asset; fire, flood, cyclone, storm, heatwave, earthquake, tsunami, space weather, or biological health hazards.
    • Supply Chain Hazards: unauthorised access, interference or exploitation of a CI asset's supply chain; misuse of privileged access to the CI asset by any provider in the supply chain.


    In addition to each hazard, the following must also be included in a CIRMP:

    • an entity's risk management methodology for each identified hazard;
    • all critical components of a CI asset; and
    • the person/s responsible for developing, maintaining and reviewing the CIRMP.

    A CIRMP should emphasise proactive and broad risk mitigation approaches. Entities should not limit themselves to considering issues in the vacuum of their own asset, and instead need to consider the broader hazards which could potentially affect their asset.

    This includes risks emanating from third parties, unrelated industries, or even interdependencies with other critical assets, even if those assets are owned or operated by other entities.

    Cyber and Information Security Framework Compliance

    By 18 August 2024, entities will need to update their CIRMPs in order to establish and maintain a process/system which complies with one of the cyber and information security frameworks nominated by the Rules (the condition, where one applies, is shown for each document):

    • Australian Standard AS ISO/IEC 27001:2015 (no condition specified).
    • Essential Eight Maturity Model published by the Australian Signals Directorate (condition: meet maturity level 1 as indicated in the document).
    • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America (no condition specified).
    • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America (condition: meet Maturity Indicator Level 1 as indicated in the document).
    • The 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327) (condition: meet Security Profile 1 as indicated in the document).


    Alternatively, entities can choose to implement an alternative framework if they consider that it better addresses the risks affecting the entity's critical assets. Equivalent frameworks need to, at a minimum, meet the standards of the above frameworks. The CISC recommends that any chosen alternative frameworks are promulgated by a government or international organisation, and that their equivalency to one of the frameworks identified in the Rules is justified in their CIRMP.

    3. Annual report

    Responsible entities have an obligation to submit an annual report in relation to their CIRMP.

    The first annual reports on CIRMPs are due to be submitted any time between 1 July 2024 and 28 September 2024. The annual report has to be submitted using an approved form, which is located on the CISC website.

    The annual report needs to address the following requirements:

    • a declaration that the CIRMP was, or was not, up to date at the end of the Australian financial year; and
    • a statement of whether a hazard occurred which had a significant relevant impact on an asset during the year, in which case the annual report needs to:
        • identify the hazard;
        • evaluate the effectiveness of the CIRMP in mitigating any significant relevant impact that the hazard may have had on the CI asset; and
        • specify whether any variations were made to the CIRMP during the year as a result of the occurrence of the hazard.


    If the responsible entity has a board, council or other governing body, then that body needs to approve the report. To do so, the board, council or other governing body will need to take steps to satisfy itself that the CIRMP has been developed in accordance with the requirements of the SOCI Act and is appropriately managing risks associated with the CI asset. This is the critical part of the process – if you are responsible for obtaining this sign off within your organisation, you need to start thinking about what the board might want to see in order to provide the relevant approval.

    CIRMPs do not need to be submitted alongside the annual reports, but the regulator may review a responsible entity's CIRMP as part of a compliance audit.

    4. Key takeaways

    The importance of CIRMPs must not be underestimated. They are a vital document for assessing how risk is being managed.

    Now is the time for responsible entities to make sure their CIRMPs are up to date, compliant with an appropriate cyber and information security framework and ready for the annual reporting process. It will be important for an organisation to understand what level of comfort its board might require in order to approve the annual report.



    This material is current as at 15 July 2024 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
