Securing Australia’s critical infrastructure has been a top priority for the Federal Government, reflected in the Security of Critical Infrastructure Act 2018 (SOCI Act) and its recently implemented reforms, which bring a broader range of businesses under the Act.
The most recent reforms have expanded the covered sectors from four to 11, including healthcare, medical, food and grocery, and higher education and research. Each sector includes a number of assets, with 22 in total covered by the Act.
These reforms also mean more small and medium businesses must adhere to the Act and ensure their cybersecurity posture is compliant, which brings additional responsibility that may require more resources.
What is the SOCI Act?
The Federal Government developed the Act to help secure Australia’s critical infrastructure against threats, creating a framework for regulating critical infrastructure sectors, specifically around cybersecurity. This occurred amid a period of increased cyber threats hitting Australian organisations and heightened geopolitical tensions.
Expanding the sectors from four to the current 11 gives the Act broad coverage, spanning sectors such as food distribution, groceries, aviation and the military. In fact, some argue that it covers almost everything.
The Act commenced in July 2018, with reforms implemented in 2021 and early 2022 to reflect the government’s response to the growing cyber threats and its recognition that addressing threats requires joint efforts and shared responsibility between owners, operators, and governments.
The most recent reforms include the addition of three positive security obligations (PSOs) and the concept of Systems of National Significance (SoNS). The PSOs require organisations to report ownership and operational information relating to critical infrastructure assets, to notify the government of cyber security incidents, and to adopt and maintain a risk management program.
What should SMEs know about the reforms?
The PSOs are the most important addition to the Act as far as small and medium businesses are concerned, as they require organisations to manage the security and resilience of their critical infrastructure assets.
The first of the three PSOs centres on asset information: information about the critical infrastructure asset itself, linked to its particular components – the physical asset and the digital assets running that infrastructure.
The Act broadly defines assets as a system, network, facility, computer, computer device, computer program, computer data, premises and “any other thing”. It also allows the sitting cyber security minister to privately declare an asset as a critical infrastructure asset, or an asset can be declared a critical infrastructure asset if it meets the Act’s definition.
This provision is meant to create a register that lets the government determine which company owns which asset. The register information is submitted to the Australian Cyber Security Centre (ACSC), and the digital assets running in that environment are reported as well.
The asset information must also identify any entity, trust, person or other party that owns 30 per cent of the facility. This is aimed at mapping out foreign investment or any external threat that may have bought into a critical infrastructure environment and could try to use that leverage to take ownership of the asset.
There have been many policies and acts around information reporting and breach notification, but this one is particularly targeted at securing critical infrastructure.
Incident response
The second PSO covers what organisations should do following an infiltration, attack, vulnerability exposure, ransomware attack or any other threat-actor scenario, and how they report it to the government.
These threats can come in many different forms, and there are many ways an attack can be executed to infiltrate an organisation, so the Act requires businesses to implement a robust incident response plan with a clear understanding of the defined roles and reporting lines necessary for compliance.
Businesses should understand whose awareness triggers the clock for notification, have a way to assess whether an incident is critical or non-critical, and know who is in charge of ensuring the relevant notification is made within the set period of time (either 12 hours or 72 hours).
Asset information also plays a key role in incident response – you can’t secure what you can’t see. Getting a good snapshot and a strong baseline of what’s actually in the environment is an excellent starting point that gives you a reference for where you stand. With that information, you can engage internal or external parties to help mitigate the identified vulnerabilities.
Part of asset discovery is the ability to obtain that information and start planning to remediate vulnerabilities and to tighten and strengthen other areas lacking security.
Risk management
Third is risk management, where organisations should develop a program to identify hazards and the risk of their occurrence, minimise or eliminate the risk of a hazard occurring, and mitigate any relevant impacts.
The Act requires organisations to adopt, maintain and comply with a risk management program while also regularly reviewing the program and ensuring it is kept up to date. Another requirement is an annual report submitted to regulators, showing that the program is up to date and detailing any recent hazards that may have impacted an asset during the year.
Failure to adopt, maintain, comply with and regularly review a risk management program would incur fines of $44,400, while failing to submit a report would incur a $33,300 fine.
While the Act is mandated across all those industries, we at Orro have found that large entities and organisations that have been doing critical infrastructure for some time have good, mature processes, investments in cybersecurity, total reporting and an incident management plan.
However, the Act can give small and medium-sized enterprises a foundation and structure to know where to start before engaging with a service provider like Orro.
Let’s say an SME has an asset – it might be a small utility, something they manage from an IT point of view. With the Act, they’ve got a foundation to follow, and I think the impact will be very good for SMEs.
The Act also stipulates that the government will assist organisations that do not have a risk management plan in place in creating one. For an SME, that’s a real positive and gives them a north-star target and something to follow.
How SMEs can ensure compliance
Depending on the contracts and service-level agreements (SLAs), managing vulnerabilities, especially in critical infrastructure, is not simply a matter of patching devices or services; customers also need to think about and plan for how to mitigate security threats holistically.
Patching, maintenance, and managing vulnerabilities should also be paired with investing in a new architecture standard to help SMEs meet the Act’s requirements.
Historically, cybersecurity spending for SMEs was treated like an IT problem, but we have noticed that SMEs now know cybersecurity is a board and asset owner problem. SMEs are now finding the money and investing in either remediating the non-compliance themselves or engaging an external party like Orro to help them map out the journey ahead.
SMEs are definitely a target for threats, which is why Orro has invested in developing our managed asset visibility service, which we also built particularly for critical infrastructure. Engaging with a third party allows SMEs to leverage an extensive, broad range of skill sets with industry experience and insights.
Orro has many customers in similar industries, which allows us to leverage those intricacies, helping accelerate the conversation and understand the challenges that they have. Using a third party can also save the costs of hiring internal cyber staff, particularly in the current state of a cyber skills shortage.
This is further supplemented with the ability to get threat intelligence across many analysts and a larger pool of resources available. Orro’s services are also on standby, available and ready to execute should a customer be infiltrated, saving them the need to scramble internally during such a pressured situation.
Our services can provide early detection and help before an incident causes considerable damage to the organisation.