What happens if our critical infrastructure such as gas or water is attacked by cyber criminals? It could be a disaster for the running of everyday life. As such, the Government is seeking to address this modern threat through legislation. The SOCI Act sets out strict cyber resilience rules for the critical infrastructure sector. It is, however, important for all Australian businesses to understand.
With cyber threats increasing year on year, the SOCI Act is likely just the beginning of government measures to protect the country from cyber crime. Whether you're a big multinational or a small local business, it is important to be aware of what is going on. By staying up to date, you will be prepared when change does occur. Even better, act now by putting proactive cyber security measures in place, and you will be way ahead of the curve.
What is the SOCI Act?
Introduced in 2018, The Security of Critical Infrastructure (SOCI) Act aims to help mitigate the growing threat of attacks against the country’s most important systems, such as those in the electricity, gas, water and maritime sectors.
It imposes very strict requirements on the critical infrastructure sector, setting out cyber resilience measures that must be taken.
The Act also mandates stringent reporting obligations to the Government by these organisations.
The basic idea is - hackers are likely to be interested in disrupting societies through critical infrastructure. This is very much an element of modern warfare. To secure our country and the economy, the law must protect our critical infrastructure from digital attacks.
The Act was amended in 2021 following 18 months of community and industry consultation. The amendments mean the Act is now relevant to a total of 11 sectors, instead of the previous four. These sectors include health care and medical, the defence industry, higher education and data storage and processing.
What is critical infrastructure?
Critical infrastructure is the assets and services which we rely on for our everyday business and lives. They underpin society.
The Australian Government defines critical infrastructure as: "Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security."
These include:
- Communications
- Financial services and markets
- Data storage or processing
- Defence industry
- Higher education and research
- Energy
- Food and grocery
- Health care and medical
- Space technology
- Transport
- Water and sewerage
Understanding the in's & out's of the SOCI Act
Newest amendments to the SOCI Act set out the following obligations for the critical infrastructure sector:
- Obligation 1 - Report information to the Register of Critical Infrastructure Assets.
- Obligation 2 - Mandatory cyber security incident notification requirements.
- Obligation 3 - Risk management program. This obligation requires responsible entities to establish, maintain and comply with a risk management program that manages and mitigates prescribed risks associated with its critical infrastructure assets.
To read more about these obligations and what the SOCI Act entails, you can view our previous blog here.
The latest updates
Following the Optus and Medibank hacks, there has been concern that the SOCI Act does not effectively work in practice.
Rob Nicholls, Associate Professor of Regulation and Governance at UNSW Business School, explains to the Law Society Journal:
“SOCI is basically associated with systems in terms of the definition of critical assets, and those systems don’t necessarily include the data which is protected by the systems… If our data is caught in a breach, it doesn’t matter what the systems are. If they had taken a photocopy of the 100 points of ID and left those in a paper file, my personal data would be safe still."
Home Affairs Minister Claire O’Neil has also released a discussion paper - the 2023-2030 Australian Cyber Security Strategy Discussion Paper - delving into how current legislation and policy can be streamlined.
There are 21 questions in the paper, including whether payment of ransoms and extortion demands by cyber criminals should be banned; the scope of the powers of intelligence agencies to intervene; and whether a standalone Cyber Security Act should be considered.
This is very much a developing issue and evolving space, so stay tuned.
What does this all mean for Australian businesses?
If a standalone Cyber Security Act was implemented, stringent cyber diligence measures would likely apply not just to critical infrastructure entities but small to medium-sized businesses too.
There could also be a greater onus placed on smaller businesses with ties to critical infrastructure.
Either way, cyber security and due diligence to protect any data held by your business is an increasingly hot topic.
It's only going to become more and more important for businesses to tighten their cyber security measures.
How to get your business prepared
It's likely only a matter of time before all Australian businesses are required to adhere to strict cyber security guidelines by law.
Waiting until the last moment to put cyber security measures in place puts your business at risk of cyber attack. It could also cause undue stress, resources and financial strain.
This is too big of an issue to put on the back-burner. We would advise all businesses to be proactive and act now.
How Diamond IT can support your cyber security strategy
Do you need help keeping your business secure or adhering to regulations? The Diamond IT team specialises in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations and include the necessary defences required to best protect your business from malicious threats.
We can support you by establishing your Essential Eight maturity level and improving your overall cyber security posture.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity and are ready to speak with you. Contact our team on 1300 307 907 today.
