The SOCI Act and CIRMP: A New Era in Critical Infrastructure Protection


Our previous article, Navigating the Critical Infrastructure Risk Management Program (CIRMP): Understanding and Compliance, provided an overview of the CIRMP and the obligations arising for critical infrastructure owners, operators and suppliers in Australia. This article delves further into the CIRMP, what it means and the specific obligations arising with regard to cybersecurity. The Australian Government has enhanced critical infrastructure security through the Security of Critical Infrastructure Act 2018 (SOCI Act) and the mandatory Critical Infrastructure Risk Management Program (CIRMP). These regulations cover various sectors, imposing obligations like asset registration, cyber incident reporting, and the establishment of a comprehensive risk management program. While these measures present challenges, they also offer benefits such as increased stakeholder trust. By 17 August 2024, entities must align with international standards like the Australian Standard ISO/IEC 27001:2015 or the US NIST Cybersecurity Framework. Lote Consulting offers specialised services to assist businesses in navigating these regulations, promoting a resilient infrastructure landscape in Australia.

Figure 1. Compliance, risk management and critical infrastructure

The Australian Government's Commitment to Critical Infrastructure Security

The Australian Government has made significant strides in safeguarding critical infrastructure with the implementation of the Security of Critical Infrastructure Act 2018 (SOCI Act) and the introduction of a mandatory Critical Infrastructure Risk Management Program (CIRMP) for critical infrastructure operators. The SOCI Act is designed to bolster the security and resilience of critical infrastructure across a variety of sectors, including but not limited to communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.

Owners and operators of certain critical infrastructure assets are required to adhere to key obligations under the Act. These include mandatory reporting of information to the Register of Critical Infrastructure Assets, cyber incident reporting requirements, and the development and compliance with a CIRMP.

The CIRMP is a written program that outlines the management of 'material risks' of 'hazards' that could significantly impact a critical infrastructure asset. It aims to enhance core security practices related to the management of certain critical infrastructure assets. The program promotes a comprehensive and proactive approach towards identifying, preventing, and mitigating risks.

The rules establish baseline standards related to cybersecurity, physical security, personnel security, and supply chain security.

Challenges and Opportunities

While the SOCI Act and CIRMP present challenges for critical infrastructure owners and operators, they also offer opportunities. By enhancing security and resilience, entities can reduce their exposure to incidents that could disrupt their operations or cause significant harm. Moreover, by demonstrating compliance with the SOCI Act and CIRMP, entities can build trust with stakeholders and potentially gain a competitive advantage.

Requirements of the SOCI Act and CIRMP

The Security of Critical Infrastructure Act 2018 (SOCI Act) and the Critical Infrastructure Risk Management Program (CIRMP) impose several key obligations on the owners and operators of certain critical infrastructure assets. These include:

  • Reporting to the Register of Critical Infrastructure Assets: Owners and operators are required to report information related to their critical infrastructure assets.
  • Mandatory Cyber Incident Reporting: A requirement for entities to report any cyber incidents.
  • Critical Infrastructure Risk Management Program (CIRMP): Entities must produce and comply with a CIRMP.

A compliant CIRMP should assist responsible entities to manage the 'material risks' of 'hazards' which could have a 'relevant impact' on their critical infrastructure asset (CI asset). Once these hazards have been identified, the responsible entity must, so far as reasonably practicable to do so, minimise or eliminate the material risk of such a hazard occurring, and mitigate any relevant impact of the hazard on the asset.

Responsible entities for the following critical infrastructure assets classes are required to adopt, maintain and comply with a written CIRMP: Broadcasting, Domain Name Systems, Data Storage or processing, Electricity Energy Market Operator, Gas, Liquid, Fuels, Payment Systems, Food and Grocery, Designated Hospitals, (listed in Schedule 1 of the CIRMP Rules) Critical Freight Infrastructure.

These requirements represent a comprehensive approach to managing risks associated with critical infrastructure. They encourage entities to take a proactive stance towards identifying and mitigating risks, which is crucial in today's increasingly interconnected and digital world. However, it is important for critical infrastructure owners, operators and suppliers to understand that compliance with these requirements is not just about ticking boxes. It is about embedding risk management into your organisational culture and processes. This will not only help you comply with the SOCI Act and CIRMP but also enhance their resilience in the face of potential threats.

Compliance with International Standards

Responsible entities must comply with one of the following cybersecurity frameworks by 17 August 2024: Australian Standard ISO/IEC 27001:2015, ACSC Essential 8 – Level 1, the US National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), or the US Department of Energy Capability Maturity Model (C2M2).

Figure 2. International cybersecurity frameworks

Looking Ahead

As we move forward, it will be important for all stakeholders to stay informed about developments related to the SOCI Act and CIRMP. This includes understanding changes to legislation, keeping abreast of best practices in risk management, and engaging with government and industry bodies. By doing so, we can ensure that Australia’s critical infrastructure remains secure, resilient, and reliable.

Our Services for Compliance

At Lote Consulting, we recognise the intricacies of the SOCI Act and CIRMP. Our seasoned experts are here to guide businesses through the regulatory maze, assisting in understanding the mandates, crafting effective CIRMPs, and ensuring unwavering compliance. Our deep knowledge of legislative shifts and best practices positions us to offer bespoke solutions tailored to your requirements. Partner with us and fortify the resilience and security of your critical infrastructure in Australia. Contact us today to embark on a seamless compliance journey.