On 17 February 2023, the Critical Infrastructure Risk Management Program (CIRMP) requirements came into effect. The clock is now ticking for more than 11,000 Australian Critical Infrastructure entities to implement and become compliant with the risk management program obligations under the Security Of Critical Infrastructure (SOCI) Act.1,2,3
What Is the CIRMP?
The following sectors are subject to the CIRMP obligations:
― Water and Sewerage
― Data Storage
― Financial Services
― Food and Grocery
― Healthcare and Medical
The goal of the CIRMP is to help entities responsible for critical infrastructure assets establish, maintain and comply with a risk management program.4 These programs should take a holistic and proactive approach to identifying and mitigating hazards that pose material risks to the availability, integrity, reliability or confidentiality of critical infrastructure assets
What Does the CIRMP Require of Organisations?
There are four key domains within the CIRMP that organisations must address:
― Cyber and Information Security Hazards
― Personnel Hazards
― Supply Chain Hazards
― Physical Security and Natural Hazards
Within each of these domains, responsible entities must identify material risks where the occurrence of a hazard could have a relevant impact on the asset, minimise and eliminate material risks of such hazard occurring, and mitigate the relevant impact of such a hazard on the asset.
The cyber and information security domain of the CIRMP requires that critical infrastructure organisations specify how they will comply with at least one of several existing cybersecurity standards and frameworks, such as:
― Australian Standards AS ISO/IEC 27001:2015
― National Institute of Standards and Technology (NIST) Cybersecurity Framework
― Australian Energy Sector Cyber Security Framework (AESCSF) at security profile one
― Australian Signals Directorate's Essential Eight Maturity Model at maturity level one
― United States of America Department of Energy's Cybersecurity Capability Maturity Model (C2M2) at maturity level one
― A framework equivalent to any of the above
Entities in scope will need a CIRMP in place that documents material risks and controls that will minimise material risks to your assets for each of the four key domains by 17 August 2023. Entities will have until 17 August 2024 to comply with the controls as defined in their CIRMP.5
What Does This Mean in Practice?
Organisations must fulfill a series of requirements for each of the critical infrastructure assets they report on the critical infrastructure asset register. For each hazard within the four key domains of the CIRMP, they need to identify material risks where the occurrence of that hazard could have a relevant impact on the asset. Then, they must eliminate any material risk of such a hazard occurring, and mitigate the relevant impact of such a hazard on the asset.
These requirements are easier said than done, so for the 2022-23 Australian financial year, the Critical Infrastructure and Security Centre (CISC) strongly encourages entities to submit an annual report voluntarily, as a pulse check on their current implementation of the CIRMP, before it becomes mandatory the following year.
How Should My Organisation Proceed?
Take a Holistic Approach. Often, organisations address cybersecurity, personnel, physical, and supply chain risks as standalone, separate activities, with different teams responsible for the initiatives for each one. Rather than considering these domains independently, a more efficient approach is addressing risks holistically, especially given that the CIRMP risk assessments are asset-based, and that each in-scope asset needs to address each of the domains. Beyond creating efficiencies, approaching these components together will create better protections through collaboration, information sharing, and additional perspectives.
Ensure Controls and Costs are Proportional. When assessing cybersecurity risks, consider how serious each risk would be, should it materialise. Evaluate that the proposed controls, and associated costs to implement the controls, are proportionate with each associated risk.
Work Closely with Legal Counsel. Organisations should engage their legal counsel when developing a risk management plan to assist with defining what is in scope for SOCI and align on the risk management plan approach. The legal team should be regularly updated throughout the process and looped back in once risk ratings and controls are implemented to determine if obligations will be sufficiently met.
Seek Board Endorsement Ahead of Implementation. Encourage your Board to review your risk management plan and approach prior to implementing the plans. The Board will need to sign off on compliance with the SOCI Act upon completion of the risk management plan, so validate the plans in advance to receive their buy-in.
Obtain External Perspectives. Consulting external partners can assist your organisation with your end-to-end SOCI needs. Engaging outside firms can help organisations with delivering risk and compliance initiatives spanning each of the four risk domains and help guide decisions on where controls should or should not be implemented. The Department of Home Affairs further encourages organisations to reach out and ask for input and feedback on their risk management programs to ensure compliance.