Prolific attacks on our most essential assets demonstrate how vulnerable critical infrastructure is. And so, policymakers have intervened to protect assets against bad actors.
Now, major critical infrastructure protection deadlines approach.
Where, and which ones? Read on to find out.
Australian critical infrastructure entities must act soon
Australia stands out among its peers, having passed robust legislation to protect its critical infrastructure assets.
The effect of the Security of Critical Infrastructure Act (SoCI), however, is to shift the burden of protection onto critical infrastructure entities themselves.
These organizations now face looming critical infrastructure protection deadlines.
In August, they will have to show compliance with one of a set of specified cybersecurity frameworks, e.g., ISO 27001, Essential Eight (E8), or NIST.
The frameworks themselves, ISO 27001 for instance, are meant to promote a holistic approach to information security that covers people, policies, and technology.
The legislation also accounts for updates to the frameworks. To that end, Australian critical infrastructure entities must demonstrate continued compliance.
Critical Infrastructure Risk Management Program (CIRMP) deadline approaches
Is that it? Far from it.
In many respects, one of the centerpieces of the SoCI Act is the requirement to build out a critical infrastructure risk management program (CIRMP).
Certain asset classes of critical infrastructure must implement and comply with this risk management program, and then ensure they regularly review and maintain it. Those classes include the following:
- Critical broadcasting assets
- Critical domain name systems
- Critical data storage or processing assets
- Critical electricity assets
- Critical energy market operator assets
- Critical gas assets
- Designated hospitals
- Critical food and grocery assets
- Critical freight infrastructure assets
- Critical freight services assets
- Critical liquid fuel assets
- Certain critical financial market infrastructure assets
- Critical water assets.
What is the CIRMP obligation?
But what is the obligation itself, and why is it important?
The gist of the obligation is that responsible entities must develop a written risk management program that manages the material risk of a hazard occurring that could have a relevant impact on the critical infrastructure asset.
To demonstrate compliance, the responsible entity must:
- Identify material risks: Responsible entities should identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset.
- Minimize and eliminate material risks: Responsible entities should minimize or eliminate the material risk of such a hazard occurring, so far as is reasonably practicable to do so.
- Mitigate the relevant impact of the hazard: Responsible entities should mitigate the relevant impact of such a hazard on the asset, so far as is reasonably practicable to do so.
But why?
Well, establishing and maintaining a CIRMP are considered means of ensuring responsible entities take a holistic and proactive approach toward identifying, preventing, and mitigating their risks.
Deadline for regulators to shift to enforcement action
Regulators are set to crack down, as well. For instance, one of the major federal regulators, the Cyber and Infrastructure Security Centre (CISC), will be moving to a compliance and enforcement posture.
As a result, entities looking to get ahead of potential enforcement actions must kick their SoCI compliance capabilities into high gear.
To learn what specific measures that entails, read our article: Major Deadlines for SoCI Law Compliance Loom.