The regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act) has now been updated and expanded. The passing of the Security Legislation Amendment (Critical Infrastructure) Act 2021 has amended the SOCI Act to bring about new legislative requirements to enhance the security and resilience of critical infrastructure. Companies have a 6-month window to organise a risk management program in compliance with the new regulations. These measures aim to protect against potential cyber-attacks and other security breaches, emphasising the importance of proactive risk management strategies. It is essential for companies to act swiftly and prioritise the implementation of effective risk management programs to ensure the protection of critical infrastructure. Although the SOCI Act has only recently moved up organisations’ priority lists because of these amendments, it has been in place since 2018, with a narrow focus on certain electricity, gas, water and maritime port assets and on minimising risks of sabotage and interference from foreign threats.
Over the last 12 months, our team has worked closely with new and existing customers, helping them to meet the requirements of the SOCI Act and embed end-to-end compliance solutions across their organisation. Today we talk to Issa Maimoun and Leah Egginton, Kinatico Client Executives, to gain insight into the common issues across our client base and what steps organisations are taking to meet their compliance requirements.
1. Who is the main catalyst for ensuring the requirements of the SOCI Act are met within these organisations?
Leah Egginton: Under the Act, owners and operators of critical infrastructure are required to identify and mitigate against security risks, as monitored by the Cyber and Infrastructure Security Centre, Department of Home Affairs. Although there is no formal accreditation program that must be followed, owners and operators of critical infrastructure are now required to report to the Government and will need to have a clear plan to address what are already very real cyber risks. The risk management program requirement will be effective in the next few months, hence the relevancy.
2. What are the common barriers being faced in adopting a process to comply?
Leah Egginton: The requirements are multi-faceted, touching several departments, particularly where an entity is required to fulfil multiple Positive Security Obligations, of which the Risk Management Program is only one part. This means that solutions to comply can be complex to develop, implement & maintain, and it is a heavy resource drain for a responsible entity to get across the requirements. With competing priorities and a looming deadline, many organisations are finding they are running short on time to get into the detail of what the requirements mean for their business. Try to step back, understand the risks at a big-picture level and work towards addressing them broadly, without getting caught up in the detail and minutiae.
Common barriers we have had from customers include:
- Lack of clear direction on what is required – much is left to an organisation’s interpretation and application to their business.
- The vague, subjective nature of the Act leaves organisations wondering what is a MUST and what is a SHOULD.
- Data security concerns – clients and their people worry about the risks associated with capturing, processing, and storing PII.
3. Has the response to the recent changes been uniform across all industries and sectors?
Issa Maimoun: There are 11 Critical Infrastructure sectors (as well as 22 categories of CI assets). Some of these sectors by nature of what they do already have some of the SOCI requirements in place, or the framework exists. Over recent months, a large portion of the organisations we have implemented solutions for come from the energy, communications, data storage, hospitals, water & sewerage sectors. Whilst some organisations have a plan in place, very few have policies and processes in place to meet the requirements.
4. What steps are needed for compliance?
Leah Egginton: Based on our experience working directly with organisations needing to comply, the key part we have been supporting on is the Risk Management Program (which can include personnel screening and supply chain due diligence). Outside of this, the other steps we see businesses taking are:
- Make provisions for access by the government where intervention might be deemed necessary
- Register critical assets
- Build processes around notification of cyber incidents
Issa Maimoun: Responsibility lies with the owners and operators of critical infrastructure, who need to mitigate the risk. There are 4 key hazard areas, as outlined in the bill, that they need to address:
- Personnel
- Supply Chain
- Cyber & info security
- Physical & Natural
With comprehensive pre-employment screening and compliance monitoring technology, these organisations can be assured that their personnel risk, and part of the supply chain risk, is under control.
5. Any potential risks/issues that can happen when compliance is not met?
Leah Egginton: Civil penalties range up to 200 penalty units for each non-compliance, with one penalty unit being $222 ($44,400). However, the risk of reputational damage if an owner or operator is seen to be disregarding the SOCI Act obligations could be more significant, because the Act is largely accepted by the public as being important to keep Australia and Australians safe.
Concluding Comments
The SOCI Act 2021 has introduced new requirements to enhance the security and resilience of critical infrastructure, emphasising proactive risk management strategies. Companies have a 6-month window to establish compliant risk management programs, aiming to protect against cyber-attacks and security breaches. The Act, although not new, previously focused on certain assets and foreign threats.
CVCheck has been working closely with customers, assisting them in meeting SOCI Act requirements and implementing end-to-end compliance solutions. The main catalyst for ensuring compliance lies with the Cyber and Infrastructure Security Centre, with no formal accreditation framework in place. While some sectors show better preparedness, none are fully ready. Failure to comply can result in civil penalties and reputational damage.
CVCheck offers solutions for personnel and supply chain hazards.