Key cyber security requirements for critical infrastructure organisations
In March 2022 the Cyber and Infrastructure Security Centre introduced new amendments to the Security of Critical Infrastructure Act 2018 (SOCI) that came into effect in April 2022. SOCI was developed to create a safe environment for all critical national assets in Australia through a security framework with the following objectives:
- Improving transparency of ownership and operational control of critical assets
- Facilitating cooperation and collaboration between critical infrastructure owners and the Australian government
- Identifying and managing risk related to critical infrastructure assets
- Imposing Enhanced Cyber Security Obligations (ECSO)
- Providing a regime for the Commonwealth to respond to cyber security incidents
The new amendments require all critical infrastructure entities to create and maintain a risk management program, and they introduce a new framework, the Enhanced Cyber Security Obligations, for all operators whose operations fall under a System of National Significance (SoNS). A SoNS is by definition a critical asset of Australia declared to be of the utmost importance to the stability of Australia's socio-economic, defence and national security. Australia considers the following sectors as critical infrastructure:
- Financial services and markets
- Data storage or processing
- Defence industry
- Higher education and research
- Food and grocery
- Health care and medical
- Space technology
- Water and sewerage
These industries are of great importance to Australia and have strict cyber security controls enforced. One such aspect is incident response and reporting. It is so significant to the nation that any critical cyber security incident must be reported within 12 hours of identification, and all other cyber security incidents must be reported within 72 hours, to the Australian Cyber Security Centre (ACSC) under the Mandatory Cyber Incident Response (MCIR) obligation.
Impact of the amendments on critical infrastructure entities
According to the new amendments, all critical infrastructure entities must develop a written risk management program so that they are better prepared for cyber security incidents. The risk management program should provide a holistic approach to detecting and mitigating potential risks, covering the confidentiality, integrity, reliability and availability of the critical assets, and it should be reviewed periodically to ensure the program is achieving its objectives. Moreover, all entities must provide an annual report (within 90 days after the end of the financial year) covering all aspects of the risk management program to the Australian government.
It is vital for all owners and operators (responsible entities and direct interest holders) of critical infrastructure assets to be aware of whether their infrastructure has been declared a SoNS. If your organisation is declared a SoNS by Home Affairs, you will be required to perform additional cyber security functions under the Enhanced Cyber Security Obligations, such as developing cyber security incident response plans, undertaking cyber security exercises, conducting vulnerability assessments and providing information about your systems.
Key takeaways from the SLACIP Act
- Establish and maintain a risk management program to identify and mitigate risks and to comply with the objectives stated in the program
- Be aware of whether your organisation is declared a System of National Significance (SoNS)
- Adhere to the Enhanced Cyber Security Obligations (ECSO) if your organisation is declared a SoNS