Risky business – Inaugural Critical Infrastructure Annual Risk Reviews due

John Dieckmann, Margaret Gigliotti, Bianca Weiss and Lynette Munoz
25 Sep 2024
8 minutes

Responsible entities must not only submit their first annual report on their CIRMP by 28 September 2024, but will also face increased scrutiny and the possibility of an audit, with fines for non-compliance.

The first annual reports in relation to critical infrastructure risk management plans required under the Security of Critical Infrastructure Act are due by 28 September 2024. With the Department of Home Affairs confirming its focus is now shifting towards compliance and audit activities, it is more important than ever for responsible entities to ensure their plans reflect best practice.

The Security of Critical Infrastructure regime at a glance

The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) aims to improve the security and resilience of the nation's critical infrastructure. In late 2021, the Australian Government expanded the classes of assets, and therefore the entities, to which the SOCI Act applies.

Entities responsible for specific critical infrastructure assets (responsible entities) must adopt and maintain a critical infrastructure risk management program (CIRMP) to identify material risks, minimise or eliminate them, and mitigate their impact. The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) are the second set of Ministerial Rules to be switched on under the SOCI Act, and elaborate upon the requirements that CIRMPs must meet.

In November 2023, the Department of Home Affairs' Cyber and Infrastructure Security Centre (CISC) released its first Critical Infrastructure Annual Risk Review (Annual Review). It discusses the risks that responsible entities for critical infrastructure assets have faced over the preceding 12 months, and identifies specific risks that CISC considers CIRMPs should address. Entities should consider these risks where relevant, and whether their CIRMPs should be updated to deal with them.

Responsible entities must submit an annual report on their CIRMP within 90 days of the end of each financial year. Reporting for the 2022-23 financial year was voluntary; the first mandatory annual report covers the 2023-24 financial year and is due within 90 days of its end, that is, no later than 28 September 2024.

FAQ on the CIRMP Framework

When did the CIRMP Rules commence?

The CIRMP Rules commenced on 17 February 2023. If your asset is newly classified as a critical infrastructure asset after the date on which the CIRMP Rules commenced, you will have six months to develop and implement a CIRMP and a further 12 months to implement a cyber security framework.

Requirements under the CIRMP Rules

Responsible entities for affected critical infrastructure assets are now required to have: 

  • a compliant CIRMP; and 
  • a process or system in place that enables them to comply with a cyber security framework (such as ISO 27001, Essential Eight maturity level one or an equivalent framework),  

and review, update and report on their CIRMP.

The CIRMP must include processes to minimise or eliminate material risks arising from, and mitigate the relevant impact of, the following types of "hazards": 

  • cyber and information security hazards; 
  • personnel hazards; 
  • physical security and natural hazards; and 
  • supply chain hazards. 

Which assets do the CIRMP Rules apply to?

The CIRMP Rules apply to entities who are the responsible entity for critical infrastructure assets within the following classes:

  • critical broadcasting assets; 
  • critical domain name systems; 
  • critical data storage or processing assets; 
  • critical electricity assets; 
  • critical energy market operator assets; 
  • critical gas assets;
  • designated hospitals; 
  • critical food and grocery assets; 
  • critical freight infrastructure assets; 
  • critical freight services assets; 
  • critical liquid fuel assets; 
  • critical financial market infrastructure assets that are used in connection with a payment system critical to the security of financial services and markets; and 
  • critical water assets.

Any asset which has been declared a critical infrastructure asset by the Minister for Home Affairs will also be required to adopt and maintain a CIRMP. While draft versions of the Rules applied to all "critical hospitals", the CIRMP Rules only apply to "designated hospitals" listed in Schedule 1 of the CIRMP Rules. To determine whether your asset falls within one of the above categories, it is important to review the definition of that class in the SOCI Act as well as the Security of Critical Infrastructure (Definitions) Rules. If you are unsure whether the CIRMP Rules apply to you, you can check your status on our interactive flowchart, or contact us.

What is a "material risk"?

The CIRMP Rules define what a "material risk" is for the purpose of creating a CIRMP. These risks include:

  • stoppage or major slowdown of a critical infrastructure asset's function for an unmanageable period;
  • substantive loss of access to, or deliberate or accidental manipulation of, critical components of the asset;
  • an interference with the critical infrastructure asset's operational technology or information communication technology essential to the functioning of the asset;
  • the storage, transmission or processing of sensitive operational information outside Australia; and
  • remote access to operational control or operational monitoring systems of the critical infrastructure asset.

Hazards

The CIRMP Rules require entities to consider all hazards their assets face. A CIRMP must have a process or system to, so far as is reasonably practicable, minimise or eliminate material risks, and mitigate the relevant impact of each hazard on the critical infrastructure asset.

To ensure that the CIRMP captures all hazards, and is consistent, maintained, and reviewed, entities must have a process in place to ensure compliance with the CIRMP, and identify the persons responsible for developing, implementing and reviewing the CIRMP.

There are also specific requirements relating to cyber and information security hazards, personnel hazards, supply chain hazards, and physical security hazards and natural hazards.

Hazards to be addressed and the Annual Review's commentary on CIRMPs

Cyber and information security hazards

A responsible entity must establish and maintain a process or system within the CIRMP which, as far as is reasonably practicable, minimises or eliminates any material risk of a cyber and information security hazard occurring, and mitigates the relevant impact of such a hazard on the asset.

The CIRMP must describe all cyber and information security hazards that could have a relevant impact on the asset. Examples of cyber and information security hazards which should be addressed include phishing, malware, credential harvesting and denial-of-service attacks.

Measures which are implemented under a CIRMP to mitigate the risk of cyber and information security hazards may include those which are generally considered as part of information security plans, including, for example:

  • cyber security training for personnel;
  • the development and regular testing of detailed cyber security incident response plans;
  • plans for vulnerability and penetration testing of systems;
  • processes to ensure that systems are patched on a regular basis to minimise known vulnerabilities;
  • processes for data backup and recovery; and
  • access management processes for ensuring that access credentials are current and appropriate (for example, by ensuring that access to sensitive data is removed immediately when an employee ceases employment).

As an additional requirement, responsible entities must establish and maintain a process or system in the CIRMP to comply with any one of the specified cyber frameworks or an equivalent framework, including any conditions, listed in the table below:

Document: Essential Eight Maturity Model (Australian Signals Directorate)
Condition: Meet maturity level one as indicated in the document.

Document: Framework for Improving Critical Infrastructure Cybersecurity (US National Institute of Standards and Technology)
Condition: No additional condition is specified.

Document: Cybersecurity Capability Maturity Model (US Department of Energy)
Condition: Meet Maturity Indicator Level 1 as indicated in the document.

Document: The 2020-21 AESCSF Framework Core (Australian Energy Market Operator Limited (ACN 072 010 327))
Condition: Meet Maturity Indicator Level 1 as indicated in the document.

Further information about information security risk mitigation strategies you may consider incorporating in CIRMP can be found here. 

The Annual Review notes that cyber risks include risks within both physical and digital supply chains, and notes that the convergence of operational technology (OT), information technology (IT) and Internet of Things (IoT) devices creates specific vulnerabilities which should be considered. For example, the integration of IoT devices creates an increasing number of third party integrations which may provide additional opportunities for infiltration of a network.

Personnel hazards

A CIRMP must include processes or systems to:

  • identify workers who are critical to the asset;
  • permit critical workers access to critical components of the asset only where the critical worker has been assessed to be suitable to have such access; and
  • as far as it is reasonably practicable to do so, minimise or eliminate material risks arising from:
      ◦ malicious or negligent conduct by employees or contractors; and
      ◦ the offboarding process for outgoing employees and contractors.

Processes for permitting critical workers access to assets only where they have been assessed to be suitable to have such access may involve:

  • physical and logical access control mechanisms to ensure that only authorised workers have access to relevant components of assets (for example, use of swipe cards to access restricted areas within facilities and appropriate access control for databases and systems);
  • background checks for workers (under the CIRMP Rules the process or system for determining suitability may, but is not required to, include a background check under the AusCheck scheme); and
  • monitoring of workers with access to critical systems (for example, system logging and review to ensure that any unauthorised or unusual use of systems is detected, including use of credentials that should have been revoked on offboarding).
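As an added illustration (not code from this article, from Clayton Utz or from CISC), the following Python sketch shows how the offboarding and monitoring controls described above can be checked together in practice: it reviews access-log lines against an HR roster and flags access after a worker's end date (a credential that was not revoked on offboarding), access to a critical component by a worker who has not been assessed as suitable, and access by an account that is not on the roster at all. The log format, component names and roster are constructed assumptions for the example.

```python
"""Added example, not from the article: review access logs against an HR
roster to detect offboarding and unassessed-access failures.
All roster entries, log lines and component names are constructed."""
from datetime import date, datetime

# Constructed HR roster: user -> suitability assessment and end date (None = current)
ROSTER = {
    "alice": {"assessed_critical": True, "end_date": None},
    "bob": {"assessed_critical": False, "end_date": None},
    "carol": {"assessed_critical": True, "end_date": date(2024, 8, 31)},
}

# Constructed components treated as "critical components" of the asset
CRITICAL_COMPONENTS = {"scada-hmi", "historian-db"}

# Constructed access log lines: "<ISO timestamp> <user> <action> <component>"
ACCESS_LOG = [
    "2024-09-02T08:15:00 alice login scada-hmi",    # assessed critical worker: fine
    "2024-09-02T09:40:00 bob login scada-hmi",      # not assessed for critical access
    "2024-09-03T22:05:00 carol login historian-db", # after carol's end date
    "2024-09-03T10:00:00 alice login corp-mail",    # non-critical component: fine
    "2024-09-04T11:00:00 mallory login scada-hmi",  # account unknown to HR
]


def parse_line(line):
    """Split one log line into (timestamp, user, action, component)."""
    ts, user, action, component = line.split()
    return datetime.fromisoformat(ts), user, action, component


def review_access(log_lines, roster, critical_components):
    """Return (user, component, reason) findings for each line that breaches
    the offboarding or critical-worker access controls."""
    findings = []
    for line in log_lines:
        ts, user, _action, component = parse_line(line)
        record = roster.get(user)
        if record is None:
            # Access by an account HR does not know about: no suitability basis at all
            findings.append((user, component, "unknown user"))
            continue
        end = record["end_date"]
        if end is not None and ts.date() > end:
            # Credential still live after the worker's departure
            findings.append((user, component, "access after end date"))
            continue
        if component in critical_components and not record["assessed_critical"]:
            # Critical component reached by a worker never assessed as suitable
            findings.append((user, component, "not assessed for critical access"))
    return findings


if __name__ == "__main__":
    for user, component, reason in review_access(ACCESS_LOG, ROSTER, CRITICAL_COMPONENTS):
        print(f"{user:8} {component:13} {reason}")
```

In a real environment the roster would come from the HR system of record and the log lines from the access-control or identity platform; the point is that the two sources are reconciled routinely, so that an offboarding that was not completed surfaces as a finding rather than remaining invisible.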

The Annual Review notes that significant insider threats can arise through the malicious, negligent or unwitting acts of individuals with legitimate access and privileged knowledge in relation to critical infrastructure assets. It also flags that trusted insiders can be vulnerable to external manipulation and are attractive targets for foreign actors.

Supply chain hazards

The CIRMP must include a process or system to, as far as is reasonably practicable, minimise or eliminate material risks with respect to:

  • unauthorised access, interference or exploitation of the asset's supply chain;
  • misuse of privileged access to the asset by any provider in the supply chain;
  • disruption of the asset due to an issue in the supply chain;
  • threats to people, assets, equipment, products, services, distribution and intellectual property within supply chains;
  • major suppliers; and
  • failure or lowered capacity of other assets and entities in the responsible entity's supply chain.

The CIRMP process or system must, as far as is reasonably practicable to do so, mitigate the relevant impact of a supply chain hazard on the asset. The responsible entity should also, when developing, reviewing or varying the CIRMP, consider whether the CIRMP lists the entity's major suppliers and describes the hazards which could have a relevant impact on the asset. A "major supplier" is any vendor that by the nature of the product or service it offers, has a significant influence over the security of the critical infrastructure asset.

The Annual Review highlights that supply chains for critical infrastructure assets are often reliant on international suppliers, which can create vulnerabilities if adequate contingencies are not put in place. Similarly, the Annual Review flags that significant vulnerabilities may exist where entities rely on single-source suppliers (including multiple suppliers located within a single country or region). 

Processes for minimising supply chain risks may include:

  • supply chain due diligence and security review processes;
  • inclusion of appropriate physical and logical security obligations in contracts with suppliers; and
  • diversification of vendors to reduce single-points-of-failure within supply chains.

Physical security hazards and natural hazards

The CIRMP must consider and describe physical security hazards (including unauthorised access to, interference with, or control of critical infrastructure assets, to compromise the proper function of the asset or cause significant damage to the asset) and natural hazards (including fire, flood, cyclone, storm, heatwave, earthquake, tsunami, space weather or biological health hazard (such as a pandemic)). The CIRMP must also include a process or system to:

  • identify the physical critical components of the critical infrastructure asset;
  • as far as is reasonably practicable, minimise or eliminate material risks regarding physical security hazards and natural hazards;
  • respond to incidents of unauthorised access to a physical critical component;
  • control access to physical critical components (including by restricting access to critical workers or accompanied visitors); and
  • test effectiveness and appropriateness of security arrangements for the asset.

In relation to physical security hazards and natural hazards, CIRMPs could give consideration to:

  • physical security measures (such as physical access control using swipe cards, keys or biometric access and security monitoring using security cameras, motion detectors, security personnel or other methods);
  • putting in place and regularly testing emergency response plans to address a range of emergencies including natural disasters. Testing may include the use of emergency simulations; and
  • backup and redundancy of assets to increase resilience.

The Annual Review notes that Australia is likely to experience increasing levels of natural hazards, including due to climate change and El Niño conditions. The Annual Review also highlights the physical security hazards arising from potential foreign interference in a global and political environment where espionage and foreign interference have supplanted terrorism as ASIO's principal national security concern.

Annual reporting requirements

Responsible entities must submit an annual report relating to their CIRMP within 90 days of the end of each financial year. Entities were not obliged to submit a report for the 2022-23 financial year (though voluntary submissions were encouraged). The first mandatory annual report covers the 2023-24 financial year and is due no later than 28 September 2024. While compliance activity for 2023-24 focused on education and awareness raising, the CISC has indicated its focus will now shift to undertaking a "limited series of trial audits testing industry compliance with SOCI Act obligations". Noting this, we expect that responsible entities may now be asked by CISC to demonstrate that their practice matches the CIRMP they have adopted and reported on.

Penalties for non-compliance

Contravention: each contravention of the requirements in relation to CIRMPs (including failure to adopt and maintain a CIRMP, comply with a CIRMP, review it regularly or update it)
Fine: 200 penalty units (currently $313,000 for bodies corporate and $62,600 otherwise)

Contravention: failure to produce an annual report
Fine: 150 penalty units (currently $234,750 for bodies corporate and $46,950 otherwise)

Reviewing your CIRMPs

Responsible entities should review their CIRMPs against the hazards and risks identified in the Annual Review, update their CIRMPs where those hazards are not yet adequately addressed, and ensure their annual reports are submitted by 28 September 2024.


Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.