Working in the energy sector means that your company is part of Australia’s critical infrastructure. And it’s not centralised to those in production. Companies that handle the generation, transmission, and distribution of electricity, as well as gas production, storage, and distribution, are all considered critical sectors and are held up against strict compliance laws.
The Security of Critical Infrastructure Act (the SOCI Act) is the most recent bill to go through amendments—catching it up to the modern landscape of risk—and the obligation to achieve compliance falls on you.
The SOCI Act changes coming into effect.
The SOCI Act was originally passed in 2018 as a risk management framework. With a clear focus on Australia’s critical infrastructure, the act has been working to defend against the high-security risks of espionage, sabotage, and foreign interference (Lander & Rogers, 2023). In 2023, these risks are growing, and the act has now taken on two key amendments under the Security Legislation Amendment (Critical Infrastructure Protection) Act (SLACIP). With this many acronyms to remember, let’s focus on just three key changes that affect the energy sector:
- You need to register critical assets and report any cybersecurity events.
- You need to devise a Risk Management Program (RMP)—new part 2A of the SOCI Act
- The ministerial power to declare systems of national significance is also added—new part 6A of the SOCI Act
Is your energy company affected by these new laws?
As with the introduction of any new regulation, you’re probably hoping that your company manages to be one of the few that’s exempt. And it’s true, not every company is involved, it depends on whether the SOCI Act has determined that your company is part of the energy sector.
In the Act, there are four assets which relate to the energy sector:
- A critical electricity asset
- A critical gas asset
- A critical energy market operator asset
- A critical liquid fuel asset
Therefore, your company is part of the energy sector if it involves:
- The production, transmission, distribution, or supply of electricity
- The production, processing, transmission, distribution, or supply of gas
- The production, processing, transmission, distribution, or supply of liquid fuel (Cyber and Infrastructure Security Centre, 2023)
Setting up your Risk Management Program (RMP)
Now that you’ve determined whether the SOCI Act affects your company, the RMP is where you will need to focus a significant amount of your attention. It will be the most time-consuming requirement to meet, falling under the Critical Infrastructure Risk Management Program (CIRMP) obligation in part 2A.
For those in the energy sector, your RMP is your detailed approach to identify, assess, mitigate, and manage the material risks to your infrastructure—this of course encompasses your assets but also the systems and operations you have in place.
“Under the RMP Rules ‘material risk’ includes anything that causes a stoppage, major slowdown, interference, or substantive loss of access to the critical infrastructure … Therefore, instead of limiting the focus to only the most relevant hazards (from the entity’s perspective), [you] must also consider cyber and information security hazards, personnel hazards, supply chain hazards, physical security hazards, and natural hazards.”
Clyde & Co, 2023
Six essential RMP inclusions
While every energy company is going to hold a unique risk profile, your RMP will likely need to cover these six common areas:
- Risk assessment – this is the foundation of the whole program and needs to heavily focus on action steps and mitigation.
- Asset identification – you need to know what assets are considered ‘critical’ in order to resource effectively. Everything from power plants, substations, and transmission lines, to control systems and IT infrastructure.
- Threat analysis – you need to analyse the potential threads that could impact the energy infrastructure’s integrity and functionality.
- Vulnerability assessment – identify weak points and potential entry points for threat. Evaluate your security measures, operational processes, and technological systems that you have in place and areas that require improvements.
- Incident response planning – create a plan to effectively manage and recover from any disruptive events. Training and awareness are vital at this stage.
- Compliance with regulations and standards – while it may begin with the SOCI Act, your Customer Relationship Management (CRM) may also need to adhere to other compliance laws.
The deadline for SOCI Act compliance (RMP included)
The date you want to highlight in your calendar is 17 August 2023. The six-month grace period began on 17 February and SOCI Act compliance, including adopting and maintaining an RMP, is fast approaching. And there are penalties for non-compliance.
If you fail to adopt or maintain a Critical Infrastructure Risk Management Program (CIRMP) or fail to meet any of the related obligations, then you will receive 1,000 penalty units ($275,000) per day until you meet the requirements. Another circumstance where you could be penalised is if you fail to meet the annual reporting requirement of your CIRMP, this results in a penalty of 750 penalty units ($206,250) per day (Clyde & Co, 2023).
References:
“Critical Infrastructure Protection Act 2022 explained”. (2023, January). Lander & Rogers. https://www.landers.com.au/legal-insights-news/Critical-Infrastructure-Protection-Act-2022-explained
“Critical Infrastructure Update: Risk management program obligations under the SOCI Act now ‘turned on’”. Clyde & Co. (2023, February 27). https://www.clydeco.com/en/insights/2023/02/critical-infrastructure-update-risk-management-pro
“What the changes mean for me”. (2023, March 23). Cyber and Infrastructure Security Centre. https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure/what-the-changes-mean-for-me
