In our interconnected world, the resilience and security of critical infrastructure are crucial. Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act) was established to safeguard the nation’s most vital assets. A key part of this framework is the Critical Infrastructure Risk Management Program (CIRMP), which places obligations on businesses to proactively manage risks across a range of hazard categories.
But with several important compliance deadlines approaching, the time to assess your CIRMP readiness is now. Are you prepared? Let’s look into some of the most important questions about CIRMP:
- What is CIRMP and what is its role in SOCI?
- What are the deadlines for CIRMP compliance?
- What are the key control areas for CIRMP?
- Who needs to report CIRMP?
CIRMP and its role in the SOCI Act
The Critical Infrastructure Risk Management Program (CIRMP) is central to the SOCI Act’s mission of fortifying Australia’s critical infrastructure. Its primary goal is to ensure that organisations managing critical assets are not only aware of potential risks but also actively mitigating them.
The CIRMP mandates that responsible entities take a proactive and holistic approach to risk management, ensuring that they are:
- Identifying, preventing, and mitigating material risks that could impact critical infrastructure assets.
- Adopting and maintaining a CIRMP in line with legislative requirements.
- Regularly reviewing and updating the program to adapt to emerging threats.
The CIRMP encompasses four critical hazard categories:
- Cyber and information security hazards
- Personnel hazards
- Physical security and natural hazards
- Supply chain hazards
By addressing these areas, the SOCI Act aims to create a standardised approach to risk management, enhancing both national security and economic stability.
Deadlines for CIRMP compliance
Compliance with the SOCI Act is not optional—and the clock is ticking. Here are the key deadlines you need to know:
- August 17, 2024: Deadline for updating CIRMPs to comply with a cyber and information security hazards framework.
- September 28, 2024: Deadline for submitting the inaugural board-approved annual report. This report covers the 2023-2024 financial year and must be submitted to the relevant government regulator by this date.
These deadlines are non-negotiable, and failing to meet them could expose organisations to significant operational and legal risks.
Control areas for CIRMP compliance
To meet CIRMP requirements, organisations must focus on specific control areas within each hazard category. These controls are designed to ensure the security and continuity of critical infrastructure services. Below is a breakdown of these key control areas[1]:
| Hazard | Control category | Description | Recommended frameworks |
|---|---|---|---|
| Cyber & information security | Vulnerability and malware management | Implement anti-phishing policies and malware prevention software | ISO 27001; Essential 8 ML1; NIST CSF; AESCSF Framework Core (AEMO) |
| Cyber & information security | Denial-of-service (DoS) | System segmentation to prevent DoS attacks | |
| Cyber & information security | Identity and access control | Regular updates to access privileges | |
| Cyber & information security | Incident management | Develop incident response plans for cyber attacks | |
| Cyber & information security | Monitoring | Regular control testing (e.g., penetration tests) | |
| Personnel hazards | Identification | Background checks for critical personnel | |
| Personnel hazards | Access control | Limit access to critical systems | |
| Personnel hazards | Education | Cybersecurity training for staff | |
| Personnel hazards | Monitoring | Enhanced monitoring for insider threats | |
| Physical security | Identification | Identify physical critical components | |
| Physical security | Incident management | Respond to unauthorised access incidents | |
| Physical security | Access control | Restrict physical access to critical components | |
| Physical security | Testing | Test security controls for effectiveness | |
| Supply chain | Identification of critical suppliers | Identify key vendors supporting critical assets | |
| Supply chain | Unauthorised access monitoring | Ensure suppliers monitor for unauthorised access | |
| Supply chain | Operational resilience | Manage service failures and disruptions | |
Who needs to report CIRMP for SOCI compliance?
Under the SOCI Act, not all sectors are required to report on CIRMP compliance. The government has designated certain asset classes that fall under these obligations. Below is an overview of the sectors and whether they are required to maintain and report on a CIRMP[2].
| Sector | Asset class | CIRMP required |
|---|---|---|
| Communications | Broadcasting | Yes |
| Communications | Domain name systems | Yes |
| Communications | Telecommunications | No |
| Data storage or processing | Data storage or processing | Yes |
| Defence industry | Defence industry | No |
| Energy | Electricity | Yes |
| Energy | Energy market operator | Yes |
| Energy | Gas | Yes |
| Energy | Liquid fuels | Yes |
| Financial services and markets | Banking | No |
| Financial services and markets | Financial market infrastructure (payment systems only) | Yes |
| Financial services and markets | Insurance | No |
| Financial services and markets | Superannuation | No |
| Food and grocery | Food and grocery | Yes |
| Health care and medical | Hospitals | Yes |
| Higher education and research | Education | No |
| Space technology | No defined asset class | No |
| Transportation | Aviation | Yes |
| Transportation | Freight infrastructure | Yes |
| Transportation | Freight services | Yes |
| Transportation | Public transport | No |
| Transportation | Ports | No |
| Water and sewerage | Water | Yes |
CIRMP is not a one-and-done obligation. The SOCI Act requires ongoing reporting and regular updates to risk management plans. Entities must submit annual reports on their CIRMP activities, detailing their efforts to address evolving threats and secure their critical assets.
These reports must cover all aspects of the hazard categories, from cybersecurity controls to physical security and supply chain resilience. Organisations must continuously monitor their systems and controls, ensuring that they are prepared to respond swiftly to any new or unforeseen threats.
Conclusions and next steps for your organisation
With deadlines fast approaching, it's critical that organisations managing Australia’s vital infrastructure assess their CIRMP readiness. The stakes are high – not just in terms of regulatory compliance, but also in ensuring the security and resilience of the nation's most essential services.
By focusing on key control areas and staying ahead of the compliance deadlines, your organisation can mitigate risks and contribute to the broader goal of securing Australia's critical infrastructure.
Protecht ERM can help entities meet their CIRMP requirements by offering a comprehensive, integrated platform for managing risk across all critical hazard categories. With its robust features for risk identification, controls management, and continuous monitoring, Protecht ERM simplifies the complex task of ensuring compliance with the SOCI Act.
Its alignment with industry-standard frameworks, customisable reporting, and automated workflows enable organisations to stay ahead of regulatory deadlines and confidently manage their cyber, personnel, physical security, and supply chain risks.
References
[1] Cyber and Infrastructure Security Centre. (2024, July 30). Critical Infrastructure Risk Management Program: Annual report presentation. Australian Government.
[2] Cyber and Infrastructure Security Centre. (2024, January). Critical Infrastructure Risk Management Program: Guidance for the Critical Infrastructure Risk Management Program 2024. Australian Government.