What Australian CISOs need to know about the Critical Infrastructure Act

Critical infrastructure companies in Australia must now report any critical cyberincident to the federal government within 12 hours of first becoming aware of it following the latest amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act).

Only significant incidents, such as a unauthorised access or ransomware, need to be reported within the 12-hour timeframe to the Australian Cyber Security Centre.

The amended rule, which came into effect on 8 July, applies to 22 critical infrastructure assets that exist within 11 critical infrastructure sectors including financial services, communications, data storage or processing, defence, food and grocery, healthcare, higher education, transport, space technology, energy, and water and sewage. Previously, the SOCI Act categorised “critical assets” across only four sectors: gas, electricity, water, and ports.

The importance of the SOCI Act

The Australian government’s decision to expand the coverage of the legislation from four to 11 sectors, according to PricewaterhouseCoopers (PwC) cyber partner Garry Bentlin, will help make the Australian economy more resilient to cyberthreats.

“What particular services would we not be able to go without…and so how do we make them more resilient? And if companies are starting on that journey, having that legislation, that regulatory requirement, will just assist them to understand what they really need to do,” he tells CSO Australia.

There is no doubt in Bentlin’s mind either that later down the track the legislation will be further expanded to cover additional sectors. “I think, as the economy changes — because it always does with new products and services — the government would have to consider what things are going to be added to [the legislation] as part of it,” he says.

IDC research manager John Feng agrees the latest version of the legislation is a necessary step in ensuring the Australian way of life and best interest of Australians are protected as digital technologies now permeates most if not all areas in the economy.

“By expanding from the original four sectors covered in the Act … the amendment significantly expands the government’s oversight of the critical infrastructures,” Feng says.

Strengthening Australia’s cyberdefences

For EY cyber partner Mark Wroniak, the introduction of the amended SOCI Act signifies the next of evolution of strengthening the country’s national security efforts.

“The government has obviously had a bit of a focus as far as things like making sure there’s a baseline security that organisations have, but now they’re really focusing on the lack of social and economic stability of Australia by looking at the critical infrastructure and adding additional elements to ensure that, as a country, our national security is protected,” Wroniak says.

It’s an evolutionary step in Wroniak’s view, and a lot of it companies should already have these things in place but there are a few new elements that have come to play that give the government a little bit more power to step in and help.

Telstra is one of thousands of Australian companies that are now obligated to meet the requirements under the SOCI Act and says the amendments lift the security maturity of the whole economy.

What changes with the SOCI Act

The legislation now brings to focus the responsibility of board members. Under the expanded compliance regime, boards are required to understand the consequences of a cyberattack, and can even be held personally accountable for a cyberbreach.

“With increased accountability for boards under the SOCI Risk Management Program, it’s a great opportunity to frame a conversation with your board around risk appetite and integrating cyber, physical, supply chain and personnel risk into your enterprise risk management framework,” Telstra CISO Narelle Devine says.

She also noted that for a company like Telstra, which already operates in a highly regulated sector and is subject to a number of other security regulations, implementing frameworks to meet the obligations of the SOCI Act will be a fairly seamlessly process, but hints it may have not be so simple for some others. She believes Telstra has an opportunity to share its learnings about integrating new obligations into reporting and processes with other organisations.

“While we can’t speak to the experience of other organisations, what we do know is that, as a mature organisation, we are able to share our learnings around working with the board and the wider business to integrate new obligations into reporting and processes. We can also share how we’ve evaluated and classified our assets and developed strategies for awareness and compliance for the new obligations,” she says.

PwC’s Bentlin acknowledged as well that some markets such as the electricity and financial services sectors are likely to be “fairly mature” on their journey in terms meeting the required obligations under the new Act as these already deal with other regulations such as CPS 234 for financial services and the Australian Energy Sector Cyber Security Framework, but believes it will be a “little bit of a new world” for others.

“For the new sectors — healthcare, food and grocery, and transport and logistics — they previously didn’t have obligations, so they’re having to uplift their cybersecurity programs from where they’ve been to doing new things to meet some of those requirements,” he says.

“Some of that will depend on the framework that they use as well. The legislation contains a number of frameworks they can use, and they can choose one of those that they can execute against,” Bentlin says.

Despite the potential short-term challenge that may be faced by some industries, Feng believes the legislation has been designed in a way that will encourage collaboration between government and companies. He says a collaborative approach to defending against cyberattacks is critical, particularly as they are often multi-faceted and impact a range of stakeholders.

“Owners and operators are required to register the critical infrastructure assets with the government, and report cybersecurity incidents to the government. The Act also allows government to provide assistance in case of a significant cybersecurity incident. This ensures that critical coordination is in place when dealing with cyberattacks,” he says.

Bentlin also pointed out the legislation has the potential to drive growth in the local cybersecurity sector.

“We’ll start seeing more uptake and more local development of cybersecurity. We’ll start seeing tools come out of local companies providing solutions across the sector … there might be more opportunity for data hosting in Australia, for example, with companies providing local services to meet the data sovereignty requirements,” he says.