As a risk management practitioner, you may have heard of the Security of Critical Infrastructure Act 2018, otherwise known by its more common name—the SOCI Act 2018.
Introduced in 2018 and fully implemented in 2022, it’s a new set of reforms by the Australian government to protect the essential services that underpin the Australian economy from national security risks such as sabotage, espionage, and coercion by foreign entities.
This new legislative reform has huge implications for the critical infrastructure sector, with the introduction of new obligations and requirements. The Act has also seen amendments in recent years that have expanded its scope.
In this post, let’s explore the SOCI Act in detail and how it will affect cybersecurity organisations.
Who does the SOCI Act impact?
The Act is mainly focused on critical infrastructure. That said, the Act has further expanded the definition of critical infrastructure to include more sectors and asset groups.
According to the Act, critical infrastructure is defined as “those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security”.
The Act identifies 11 critical infrastructure sectors as essential for Australia’s national security and prosperity, including:
- Health care and medical
- Higher education and research
- Food and grocery
- Financial services and markets
- Space technology
- Data storage and processing
Within each sector, there are specific asset classes that have a high degree of responsibility for delivering essential services, have a high degree of interdependence with other sectors or assets, or have a high potential for significant impact if compromised. These asset classes are considered critical infrastructure assets.
When did the Security of Critical Infrastructure Act come into effect?
Although introduced in 2018, the Act didn’t come into full effect until April 2022, as it was implemented in two parts. The first part came into effect on 2 December 2021 with the implementation of the Security Legislation Amendment (Critical Infrastructure) Act 2021, and the second part came into effect on 2 April 2022 with the implementation of the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022.
With the implementation of the second part, the Information Provision Positive Security Obligation (PSO) was switched on for 13 critical infrastructure asset classes, including:
- Domain name system
- Data storage or processing
- A critical financial market infrastructure asset that is a payment system
- Food and grocery
- Freight infrastructure
- Freight services
- Public transport
- Liquid fuel
- Energy market operator
- Electricity (only assets that were not within the scope of a critical infrastructure asset before the SLACI Act amendments); and
- Gas (only assets that were not within the scope of a critical infrastructure asset before the SLACI Act amendments).
Critical infrastructure businesses in Australia are expected to come into full compliance with the Act on or before 17 August 2024, with each stage offering a 3–6 month grace period to ensure compliance with the new obligations.
What are the new obligations introduced by the SOCI Act?
1. Obligation to notify data service providers
Critical infrastructure entities must inform external data service providers when they store or process critical business data. This ensures that companies handling sensitive data for crucial infrastructure assets understand their obligations under the Act and take appropriate security measures.
2. Obligation to register critical infrastructure assets
Entities must register information about their critical infrastructure assets with the Cyber and Infrastructure Security Centre. This registration provides the centre with a detailed understanding of the ownership and operation of these assets.
3. Obligation to implement a Risk Management Program
Entities must have and follow a Risk Management Program for their critical infrastructure assets. This ensures that responsible entities have a thorough understanding of potential threats and can develop effective processes and procedures to respond to any hazards that may impact their assets.
4. Obligation to report cyber incidents
Entities must report cyber security incidents that significantly or relevantly impact their assets. This information helps the government develop a comprehensive threat picture to inform both proactive and reactive cyber response options, from providing immediate assistance to working with the industry to improve security standards.
5. Obligation to enhance cyber security
Under Part 2C of the Act, the Minister for Home Affairs may declare an asset to be a ‘System of National Significance’ after consulting with the responsible entity and others. These assets are considered crucial to the nation due to their interdependencies across sectors and the potential consequences of disruption to other critical infrastructure assets and sectors.
If an asset is declared a System of National Significance, the responsible entity may be notified that it is subject to four additional obligations focused on cyber preparedness and resilience.
Comply with obligations of the Security of Critical Infrastructure Act with expert support
With just over a year left for critical infrastructure businesses to fully comply with the requirements of the SOCI Act, risk practitioners must devise implementation plans to integrate the new reforms into their workflows.
And if you’re a security risk professional handling the implementation of procedures to fulfil the requirements of the Security of Critical Infrastructure Act 2018, having modern and capable risk management software can help you.
Learn more about the SOCI Act from our free webinar
From August 2023, the SOCI Act and the associated Critical Infrastructure Risk Management Program (CIRMP) rules are fully enforceable for critical infrastructure entities in Australia.
One of the core principles presented in the SOCI Act for securing critical infrastructure assets is ‘all-hazards risk management’, which refers to a comprehensive emergency preparedness framework that takes into account the full scope of emergencies/disasters when formulating mitigating strategies.
SECTARA has organised a free webinar that will offer you an in-depth view of this all-hazards approach to risk management, helping you maintain a smoothly functioning critical infrastructure system with a high degree of preparedness for any emergency or disaster.
The webinar, “All hazards risk management in critical infrastructure”, will take place on 28 September at 1:00 PM (AEST) and will be hosted by SECTARA’s CTO and co-author of the Security Risk Management Body of Knowledge (SRMBoK), Julian Talbot, and MD Konrad Buczynski.
Register today and save the date for the FREE webinar!