For some time now, attacks on critical infrastructure have been frequent. Australia stands out, though, as one of the few G20 countries to advance targeted legislation that directly addresses critical infrastructure vulnerability.
The resulting Security of Critical Infrastructure Act 2018 (SoCI), passed in 2018 and substantially amended in 2021 and 2022, places the burden of protection on the critical infrastructure entities themselves.
Now, major SoCI compliance deadlines loom for these organizations, which will have to act quickly if they want to stay within the letter of the law.
Deadline to demonstrate compliance with SoCI Act cybersecurity sections
So, what’s going on?
To start, Australian critical infrastructure entities will, in mere months, have to show compliance with one of the cybersecurity frameworks specified in the CIRMP Rules, such as ISO/IEC 27001, the Essential Eight (E8), or the NIST Cybersecurity Framework.
What would compliance by 18 August actually signal? In the case of ISO 27001, for example, conformity would indicate that the entity has put in place a best-practice information security management system (ISMS) for managing risks to the security of the data it owns or handles.
Critical infrastructure entities can't simply relax after meeting the 18 August deadline, though.
Compliance with whichever framework is chosen must be demonstrated continuously. That means the entity will have to adapt when the issuing body updates the framework itself.
What’s more, all relevant changes will have to be documented in the entity’s critical infrastructure risk management program (CIRMP). More on those requirements later.
Deadline on status of CIRMP
Nor is 18 August the only looming deadline for SoCI compliance. Critical infrastructure entities have an even more important deadline slated for 28 September 2024.
What’s happening then?
Well, 28 September is the date by which critical infrastructure organizations must submit their annual report to the government on the status of their CIRMP; the Act requires the report within 90 days of the end of the Australian financial year on 30 June.
That report must include details about the critical infrastructure asset, an overview of the approach and process for managing its risks, and a statement of whether a hazard has had a significant impact on the asset during the reporting period.
What is a CIRMP?
If that sounds like a lot, it is.
After all, the CIRMP requirement is one of the centerpieces of SoCI compliance. The requirement itself is intended to uplift core security practices that relate to the management of certain critical infrastructure assets.
Why’s that?
Well, establishing and maintaining a CIRMP is considered a means of ensuring responsible entities take a holistic and proactive approach to identifying, preventing, and mitigating their risks.
So, what’s a CIRMP, exactly?
The CIRMP itself is a written risk management program for managing the material risk of a hazard occurring that could have a relevant impact on the critical infrastructure asset. Material risks here include the risk of impairment, stoppage, loss of access to, or interference with the asset.
The CIRMP obligation under SoCI
Given its intention, the CIRMP requirement is broad.
Per the law, responsible entities must identify, and so far as is reasonably practicable take steps to minimize or eliminate, material risks that could have a relevant impact on their asset.
Relevant impacts, whether direct or indirect, are more serious than a mere reduction in the quality of service being provided. The statute defines them as impacts on the availability, integrity, and reliability of an asset, and on the confidentiality of information about the asset, information stored in the asset (if any) and, if the asset is computer data, the data itself.
Further CIRMP requirements include:
Identify material risks
Entities will have a responsibility to take an all-hazards approach when identifying hazards that may affect the availability, integrity, reliability, and confidentiality of their critical infrastructure asset.
Minimize risks to prevent incidents
Entities will be required to consider risks to their critical infrastructure asset and establish appropriate strategies to minimize or eliminate the risk of hazards occurring, so far as is reasonably practicable.
Entities should consider both proactive risk management and the establishment of processes to detect and respond to threats as they materialize, so that the risk does not eventuate.
Mitigate the impact of realized incidents
Entities will be required to have robust procedures in place to mitigate, so far as is reasonably practicable, the impacts of a hazard, and to recover from those impacts as quickly as possible.
Maintain effective governance
Entities are required to provide an annual report, signed by their board, council, or other governing body, to the relevant regulator, which in most instances is the Secretary of the Department of Home Affairs.
The report must be in the approved form. It does not need to contain the CIRMP itself, but it must advise the relevant regulator whether the program is up to date.
Regulator to shift to enforcement actions
A final compliance milestone to highlight is the shift in posture of regulators. What’s happening on that front?
One of the major federal regulators, the Cyber and Infrastructure Security Centre (CISC), will be moving to a compliance and enforcement posture.
As a result, entities looking to get ahead of potential enforcement action must shift their SoCI compliance capabilities into high gear. That entails:
- Working in partnership with security vendors or managed service partners
- Understanding the importance of cybersecurity and the steps that need to be taken
- Building robust incident programs to identify, protect against, detect, respond to, and recover from potential cyber attacks across networks, personal systems, cloud infrastructure and data
How Noggin helps organizations comply with SoCI
To that end, critical infrastructure organizations should reach out to integrated resilience management software partners like Noggin.
Noggin, for instance, empowers organizations to meet their SoCI obligations in a single, integrated resilience workspace where teams can work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience.
Key platform features include:
Critical infrastructure management
Consolidate information about critical infrastructure assets and operators, including descriptions, locations and key functions. Generate automated notifications when information changes to ensure updates are shared with the regulator in a timely manner and SoCI reporting obligations are met.
Risk management
Take a proactive approach to identifying and mitigating material risks including cyber and information, personnel, supply chain, physical and natural risks, using a standardized methodology to bring consistency to your risk management program across your organization.
Vulnerability assessments
Perform vulnerability assessments to pinpoint gaps that may expose the organization to specific types of cyber incident, as required under SoCI. Use the findings to determine where additional resources are needed to strengthen the organization's resilience to cyber threats.
Third-party risk management
Streamline the capture of critical infrastructure operator information, including key entity details, descriptions of the arrangements in place and details of how relevant data types are managed, using automated questionnaires and document requests so that you have the information SoCI requires.
Preparedness
Create incident response plans in Noggin using automated plan and checklist functionality, then use them to run exercises on an ongoing basis that test preparedness, mitigation, and response capabilities so that shortcomings can be identified and addressed.
Threat intelligence
Stay ahead of potential threats to critical infrastructure and your operators using real-time threat intelligence alerts. Leverage situational awareness dashboards to consolidate feeds from multiple sources to streamline threat detection and improve the incident response process.
Incident management
Improve incident response times and team effectiveness with automated email, SMS, and voice notifications. Allocate personnel to complete mandatory reporting to the regulator, then assign tasks, record decisions, and share updates as the incident evolves, before using investigations to identify controls that prevent recurrence.
Analytics and reporting
Centralize critical infrastructure information to enable data visualization through interactive dashboards, charts, and maps in real-time on any device. Share insights to improve decision making and ensure annual reporting is completed in a timely manner to meet SoCI requirements.
Next steps for regulated entities
Finally, Australia is ahead of the curve when it comes to critical infrastructure security legislation. For its critical infrastructure entities, though, that means a mass of regulations to follow.
What’s more, relevant deadlines for SoCI compliance are right around the corner.
Critical infrastructure organizations don’t have to fear those deadlines, though. Thanks to technology partners like Noggin, those deadlines can represent opportunities for growth as well as compliance.
But they need to act now to remain in compliance while anticipating and managing threats, conducting preparedness activities, effectively responding to disruptions, and continually learning from insights to strengthen resilience.
Request a demonstration of Noggin today to learn how we can help support SoCI Act compliance obligations.