
By Hamish Hansford, Deputy Secretary, Cyber and Infrastructure Security, Department of Home Affairs

Australian businesses and critical infrastructure operators continue to face a deteriorating risk environment. From cyberattacks and ransomware to fire and flood, malicious insiders and malign foreign powers, there is no shortage of risks that need to be thought about and managed in the modern era.

To some critical infrastructure sectors this comes as no surprise – managing risk has been part and parcel of doing business for many years. But for others, thinking about the full range of hazards modern critical infrastructure faces, and planning reasonable, practicable mitigations across the realms of cyber, physical, personnel, and supply chain security, is relatively new.

Working to protect critical infrastructure

To assist owners and operators to conceptualise risk across these domains – and to empower them to take action that will lower risk to the ongoing operation of their systems, assets, and businesses – the Critical Infrastructure Risk Management Program (CIRMP) requirement is now live.

The CIRMP is the third and final of the three positive security obligations legislated within recent amendments to the Security of Critical Infrastructure Act 2018 – the other two being Mandatory Cyber Incident Reporting, and the Critical Infrastructure Asset Register requirement.

Working together, these obligations uplift Australia’s critical infrastructure security and resilience, further protecting the essential services all Australians rely on.

The new rules in effect

The Minister for Home Affairs, Clare O’Neil, ‘switched on’ the CIRMP rules on 17 February 2023, following an extended period of consultation. Through this consultation process, the Minister was able to incorporate feedback from critical infrastructure stakeholders that has ultimately made the rules simpler and easier to implement.

Now the rules are in effect, responsible entities for critical infrastructure assets are required to adopt, maintain and comply with a risk management program that identifies and manages material risks of hazards that could have a relevant impact on a critical infrastructure asset.

The plan must identify each hazard where there is a material risk that the occurrence of that hazard could have a relevant impact on the asset, and – as far as it is reasonably practicable to do so – must minimise or eliminate any material risk of such a hazard occurring.

Through the implementation of agnostic rules, the Cyber and Infrastructure Security Centre (CISC) – within the Department of Home Affairs – hopes to create a baseline for security across all critical infrastructure sectors in the Australian economy.

While many organisations will no doubt already exceed the thresholds set out in the rules, the CISC hopes that the Risk Management Program (RMP) rules will uplift all critical infrastructure entities, right through supply chains.

In that vein, the CISC envisions the rule benefiting not just the responsible entity, but also its upstream and downstream suppliers, ensuring that an awareness of security standards becomes the norm for many Australian businesses.

The inclusion of a requirement for a board or governing body to sign an attestation regarding the RMP lifts the issue of risk management and security from an operational level to the board level.

By ensuring that directors of companies have these issues at the front of their minds as they make strategic decisions, the CISC aims to ensure a stronger effort to protect critical infrastructure at all levels.

Boosting confidence in supply chains

This issue particularly goes to the requirement for responsible entities to consider supply chain hazards – especially since many have now seen the significant disruptions in the supply chain caused by the COVID-19 pandemic.

By requiring directors and board level decision makers of a responsible entity to be thinking about how best to mitigate possible hazards to their supply chain, the CISC hopes to see more industries consider not just cost, but also security and reliability of supply chains going into the future.

While pursuing sensible regulation, the CISC’s approach is not intended to increase the burden on owners and operators, nor to duplicate other mechanisms. For example, where a requirement for an RMP already exists under other legislation, dual reporting won’t be enforced.

Similarly, nothing in the rules overrides any existing provisions within the Privacy Act 1988, the Australian Privacy Principles, or the Fair Work Act 2009, nor do the Rules absolve employers of any other obligations, including relevant occupational health and safety legislation.

The Secretary of the Department of Home Affairs, Michael Pezzullo AO, also has the power to review a responsible entity’s plan to ensure actions are being taken appropriately. This ensures the CIRMP sits alongside other important and relevant legislated requirements – it doesn’t overrule, duplicate, or impinge upon them.

Now the Rules are live, there is a six-month transition period for responsible entities to adopt a written CIRMP. If a responsible entity’s asset becomes a CI asset after the Rules commence, the responsible entity must meet CIRMP requirements within six months of the day the asset became a CI asset.

The CISC is committed to working in partnership with all levels of government and industry to support the wider security uplift of Australian critical infrastructure, and for some critical infrastructure entities, it recognises that implementation of a CIRMP will be an extensive task.

Wherever a business is in terms of maturity, the CISC will assist whenever possible. Together, sensible government regulation and attentive owners and operators can secure Australia’s critical infrastructure, and in the process safeguard shared security and prosperity.


©2024 Infrastructure Magazine. All rights reserved
