The increased and alarming nature of cyber attacks on Australian organisations has prompted the Federal Government to step in to strengthen our national resilience through significant regulatory reforms and amendments to what is known as the Security of Critical Infrastructure (SOCI) Act 2018.
Defined by the Department of Home Affairs as "services that are essential for everyday life such as energy, food, water, transport, communications, health and banking and finance", critical infrastructure, if disrupted, can have serious implications for business, governments, and the community.
The amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) provide the Government with the ability to provide assistance to critical infrastructure entities in response to serious cyber-attacks on Australian systems, while compelling infrastructure stakeholders to uplift the security of their assets through a range of new due diligence, risk mitigation and governance obligations.
So what sectors are covered by the SOCI Act? What are the obligations of applicable organisations?
Here we take a further look into what you need to know about the SOCI Act.
What is the goal of the SOCI Act?
The Australian Department of Home Affairs states that "the SOCI Act seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure."
The SOCI Act specifies requirements for owners and operators of critical infrastructure assets to provide information on the Register of Critical Infrastructure Assets. The Register maintains information on who owns, controls and has access to critical infrastructure assets.
The SOCI Act was amended in 2021 to expand its coverage, so that the Government has access to the information it needs to conduct risk assessments (covering relevant people, systems and data, and physical and strategic categories) and the power to enforce mitigations on organisations where those mitigations are not implemented through collaboration.
What sectors are covered by the SOCI Act?
Australia’s critical infrastructure regime now encompasses 11 broadly framed sectors and 22 critical infrastructure asset classes. The critical infrastructure asset classes include:
- critical electricity assets
- critical energy market operator assets
- critical gas assets
- critical liquid fuels assets
- critical water assets
- critical financial market infrastructure assets used in connection with the operation of payment systems
- critical data storage or processing assets
- certain critical hospitals
- critical domain name systems
- critical food and grocery assets
- critical freight infrastructure assets
- critical freight services assets
- critical broadcasting assets
What are the new obligations for critical infrastructure sectors?
The amendments to the SOCI Act impose three key obligations on the organisations responsible for critical infrastructure assets.
Obligation 1 - Report information to the Register of Critical Infrastructure Assets
Reporting entities must provide interest, control and operational information to the Cyber and Infrastructure Security Centre, with compliance deemed compulsory after 8 October 2022. Non-compliance can result in a maximum penalty of 50 penalty units (currently $11,100).
Obligation 2 - Mandatory cyber security incident notification requirements
This obligation requires that:
- if an entity becomes aware of a cyber security incident that has had, or is having, a significant impact on the availability of the asset, it must report this event within 12 hours; and
- if an entity becomes aware that a cyber security incident has had, or is having, a relevant impact on the availability of the asset, it must report this event within 72 hours.
A ‘significant impact’ is one that has materially disrupted the availability of essential goods or services provided by the asset. A ‘relevant impact’ is any other impact on the availability, integrity, reliability or confidentiality of the asset. Non-compliance can result in a maximum penalty of 50 penalty units (currently $11,100).
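The two notification windows above turn on a single distinction: a significant impact is a material disruption to the availability of the asset's essential goods or services, and any other impact on availability, integrity, reliability or confidentiality is merely relevant. The following triage helper is an added illustration (not code from the original article, and not official guidance from the Cyber and Infrastructure Security Centre); the incident records, asset names and timestamps are constructed, and the `Incident`, `Triage` and `notification_queue` names are assumptions. It goes slightly beyond the text by handling several incidents at once and ordering them by the deadline computed from when the entity became aware.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, List, Optional


class Impact(Enum):
    """The four impact dimensions named in the 'relevant impact' definition."""
    AVAILABILITY = "availability"
    INTEGRITY = "integrity"
    RELIABILITY = "reliability"
    CONFIDENTIALITY = "confidentiality"


# Notification windows as stated in Obligation 2, measured from awareness.
SIGNIFICANT_WINDOW = timedelta(hours=12)
RELEVANT_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Incident:
    ref: str                      # internal ticket reference (constructed)
    asset: str                    # critical infrastructure asset affected
    aware_at: datetime            # when the responsible entity became aware
    impacts: FrozenSet[Impact]    # dimensions of the asset that were affected
    materially_disrupted: bool    # availability of essential goods/services materially disrupted


@dataclass(frozen=True)
class Triage:
    ref: str
    category: str                 # "significant", "relevant" or "none"
    due_by: Optional[datetime]    # None when the incident is not reportable under Obligation 2


def classify(incident: Incident) -> str:
    """Apply the definitions from the text.

    A material disruption of availability is by definition an availability impact,
    so it is treated as significant regardless of which other dimensions were ticked.
    Any other impact on availability, integrity, reliability or confidentiality is relevant.
    """
    if incident.materially_disrupted:
        return "significant"
    if incident.impacts:
        return "relevant"
    return "none"


def triage(incident: Incident) -> Triage:
    """Attach the reporting deadline that follows from the classification."""
    category = classify(incident)
    if category == "significant":
        return Triage(incident.ref, category, incident.aware_at + SIGNIFICANT_WINDOW)
    if category == "relevant":
        return Triage(incident.ref, category, incident.aware_at + RELEVANT_WINDOW)
    return Triage(incident.ref, category, None)


def notification_queue(incidents: List[Incident]) -> List[Triage]:
    """Reportable incidents only, tightest deadline first, so a responder works the queue top-down."""
    reportable = [t for t in (triage(i) for i in incidents) if t.due_by is not None]
    return sorted(reportable, key=lambda t: t.due_by)


def hours_remaining(result: Triage, now: datetime) -> Optional[float]:
    """Hours left before the deadline (negative once overdue); None if not reportable."""
    if result.due_by is None:
        return None
    return (result.due_by - now).total_seconds() / 3600.0


# Constructed sample incidents for a hypothetical water utility.
UTC = timezone.utc
SAMPLE_INCIDENTS = [
    # Ransomware took the treatment plant control network offline: essential service disrupted.
    Incident("INC-1", "treatment-plant-ot", datetime(2023, 1, 10, 8, 0, tzinfo=UTC),
             frozenset({Impact.AVAILABILITY, Impact.INTEGRITY}), materially_disrupted=True),
    # Unauthorised read of customer records: confidentiality only, service kept running.
    Incident("INC-2", "billing-db", datetime(2023, 1, 9, 22, 0, tzinfo=UTC),
             frozenset({Impact.CONFIDENTIALITY}), materially_disrupted=False),
    # Phishing email blocked at the gateway: no impact on any asset, nothing to notify.
    Incident("INC-3", "corporate-mail", datetime(2023, 1, 10, 8, 30, tzinfo=UTC),
             frozenset(), materially_disrupted=False),
    # Degraded telemetry for an hour; supply to customers was never materially affected.
    Incident("INC-4", "scada-historian", datetime(2023, 1, 10, 9, 0, tzinfo=UTC),
             frozenset({Impact.AVAILABILITY}), materially_disrupted=False),
]

if __name__ == "__main__":
    for t in notification_queue(SAMPLE_INCIDENTS):
        print(f"{t.ref}: {t.category:11s} notify by {t.due_by.isoformat()}")
```

Note that INC-4 shows why the distinction matters in practice: an availability impact that does not materially disrupt the essential service still has to be notified, but on the 72-hour rather than the 12-hour clock. An incident response plan that only asks "was the asset down?" will mis-sort cases like this one.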
Obligation 3 - Risk management program
This obligation requires responsible entities to establish, maintain and comply with a risk management program that manages and mitigates prescribed risks associated with its critical infrastructure assets.
A risk management program must:
- identify all hazards that present a material risk to the availability, integrity, reliability and confidentiality of its critical infrastructure asset;
- mitigate risks to prevent incidents;
- minimise the impact of realised incidents; and
- implement effective governance and oversight procedures relating to security.
Failing to adopt, maintain or comply with a critical infrastructure risk management program can result in a maximum penalty of 200 penalty units (currently $44,400).
Key takeaways
There are a number of immediate steps to be taken by organisations that may be impacted by the SOCI Act, including:
- Gathering asset information to identify whether they are captured as the owner, operator or direct interest holder in critical infrastructure assets. An asset audit should be undertaken to ensure that critical infrastructure assets are properly identified and, where relevant, that reporting and other obligations are complied with in relation to those assets.
- Ensuring existing cyber incident response plans include processes for quick identification of cyber incidents and their impact on critical infrastructure assets.
- Considering what internal processes and procedures would be followed if the organisation were to receive a request for information or a direction from the Government in response to a cyber security incident.
- Considering existing risk management processes relating to critical infrastructure assets. It should be noted that the risks to be managed arise from all hazards (including supply chain, people, and natural and physical hazards), not just cyber hazards.
- Reviewing third-party arrangements. Where necessary, a responsible entity should seek to uplift those contracts to include contractual obligations on third parties to ensure that they will support the organisation’s compliance with its obligations under the SOCI Act.
Where can I find more information about the SOCI Act?
More information about coverage and obligations under the Act is available in the following fact sheets:
- Factsheet - Requirements for reporting entities under the Act
- CISC Factsheet - Register of Critical Infrastructure Assets
- CISC Factsheet - Cyber Incident Response Government Assistance Measures
- CISC Factsheet - Cyber Security Incident Reporting
How Diamond IT can help navigate your compliance and security requirements
Our team of Business Technology Consultants are currently working with key organisations across a range of sectors to ensure they are meeting specific compliance requirements. Ensuring your organisation is compliant with applicable reforms and regulations doesn’t have to be a complex process. Our team are here to guide you through. Contact us today on 1300 307 907.