Risk management program PSO switched on


The risk management program positive security obligation (PSO) under Part 2A of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) was recently "switched on", leading to new obligations for responsible entities of 13 asset classes.

More specifically:

  • the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) (CIRMP Rules) have been registered under the SOCI Act and commenced on 17 February 2023; and
  • the AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 also commenced on 17 February 2023.

This article explores the changes and the implications of the CIRMP Rules for responsible entities.

What is the SOCI Act?

The SOCI Act is a framework for the regulation and protection of critical infrastructure sectors. Learn more in SOCI Act Explained - your comprehensive guide to the cyber security and critical infrastructure law reforms.

Which assets are caught within the CIRMP Rules?

The CIRMP Rules will apply to the following 13 asset classes:

  1. a critical broadcasting asset;
  2. a critical domain name system;
  3. a critical data storage or processing asset;
  4. a critical electricity asset;
  5. a critical energy market operator asset;
  6. a critical gas asset;
  7. a designated hospital;
  8. a critical food and grocery asset;
  9. a critical freight infrastructure asset;
  10. a critical freight services asset;
  11. a critical liquid fuel asset;
  12. a critical financial market infrastructure asset mentioned in paragraph 12D(1)(i) of the Act (i.e. an asset that is used in connection with the operation of a payment system); and
  13. a critical water asset.

These asset classes are largely the same as the draft CIRMP Rules, although:

  • we note a decision has been made to limit the application of the CIRMP Rules to "designated hospitals" rather than "critical hospitals", with a list provided at Schedule 1 of the CIRMP Rules. Designated hospitals represent a subset of critical hospitals that are considered appropriate for the application of Part 2A of the Act following consultation;
  • "critical water and sewerage assets" have been amended such that "sewerage" has now been omitted from the critical water assets; and
  • critical financial market infrastructure assets that are critical payment systems are now defined by reference to paragraph 12D(1)(i) of the SOCI Act.

It should also be noted that the relevant Commonwealth regulator for the critical financial market infrastructure asset mentioned in paragraph 12D(1)(i) of the Act is the Reserve Bank of Australia (RBA).

Who is responsible for complying with the CIRMP obligations?

The responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program (unless an exemption applies).

When do the CIRMP obligations begin?

The CIRMP obligations will apply to the critical infrastructure assets mentioned above from the later of six months after the CIRMP Rules commenced, or six months after the asset became a critical infrastructure asset. In other words:

  • (a) for an existing critical infrastructure asset as at 17 February 2023, the CIRMP obligations will apply from 17 August 2023;
  • (b) for an asset that becomes a critical infrastructure asset on 1 March 2023, the CIRMP obligations will apply six months from the date it became a critical infrastructure asset, that is, from 1 September 2023.

This is to ensure that the responsible entities are provided with a reasonable timeframe to establish and begin complying with their CIRMP before Part 2A applies to their critical infrastructure asset.

Further, within 12 months after the end of the above 6-month grace period, the responsible entities of these critical infrastructure assets must also comply with the cyber and information security requirements in subsections 8(4) and 8(5) of the CIRMP Rules. Those requirements are framed around compliance with a recognised framework, such as the:

  • Australian Standard AS ISO/IEC 27001:2015
  • Essential Eight Maturity Model published by the Australian Signals Directorate
  • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America
  • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America
  • The 2020‑21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327)

This means that for (a) above, compliance with the cyber and information security requirements framework will be required by 17 August 2024, and for (b), by 1 September 2024.

What are the CIRMP obligations?

The requirements are largely unchanged from the draft rules. To summarise, responsible entities must develop a written critical infrastructure risk management program with a purpose to:

1. Identify hazards and risk of occurrence.

Identify each hazard where there is a ‘material risk’ that the occurrence of the hazard could have a ‘relevant impact’ on the asset. A material risk includes a risk of:

i. a stoppage or major slowdown of the critical infrastructure (CI) asset’s function for an unmanageable period;

ii. a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the CI asset;

iii. an interference with the CI asset’s operational technology or information communication technology essential to the functioning of the asset;

iv. the storage, transmission or processing of sensitive operational information outside Australia, which includes:

  • (A) layout diagrams;
  • (B) schematics;
  • (C) geospatial information;
  • (D) configuration information;
  • (E) operational constraints or tolerances information;
  • (F) data that a reasonable person would consider to be confidential or sensitive about the asset;

v. remote access to operational control or operational monitoring systems of the CI asset.

2. Minimise/eliminate risk of hazard occurring.

So far as it is reasonably practicable to do so, establish and maintain a process or system in a CIRMP to minimise or eliminate any material risk of such a hazard occurring.

3. Mitigate relevant impact.

So far as it is reasonably practicable to do so, mitigate the relevant impact of such a hazard on the asset.

4. Effective governance.

The responsible entity must submit an annual report, in an approved form, to the relevant Commonwealth regulator (or, where there is none, the Secretary of the Department of Home Affairs) within 90 days after the end of the financial year. The annual report must be approved by the entity's board, council or other governing body.

This annual report does not need to contain the full critical infrastructure risk management program, but it requires a statement specifying:

  • that the program remains up to date,
  • any variations to the program,
  • details about any hazards that have had a “significant” impact on the asset during the reporting period, and
  • details of how the program was effective in mitigating any relevant impacts.

When identifying hazards, organisations should note that the CIRMP Rules take an "all-hazards" approach, which covers at least the following:

  • Cyber and information security hazards - where a person, whether authorised or not, improperly accesses or misuses information or computer systems about or related to the CI asset; or uses a computer system to obtain unauthorised control of, or access to the CI asset that might impair its proper functioning.
  • Natural hazards - fire, flood, cyclone, storm, heatwave, earthquake, tsunami, space weather or biological health hazard (such as a pandemic).
  • Personnel hazards - where a critical worker acts, through malice or negligence, to compromise the proper function of the asset or to cause significant damage to the asset.
  • Physical security hazard - unauthorised access to, interference with, or control of CI assets, to compromise the proper function of the asset or cause significant damage to the asset.
  • Supply chain hazard - malicious people, both internal and external, exploiting, misusing, accessing or disrupting the supply chain and over-reliance on particular suppliers.

A copy of the CIRMP Rules can be accessed here.

For questions or assistance in relation to the CIRMP Rules and understanding how they apply to your organisation, please contact Melissa Tan.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.