Responding to Australia's new critical infrastructure laws

Australia's critical infrastructure laws have been expanded and updated to apply to more sectors. Are you operating a critical asset within one of these critical infrastructure sectors? Or are you supporting the mission of an organisation that is?

In this article, we are going to unwrap the story behind our recent webinar on responding to Australia's new critical infrastructure laws. For the webinar Matthew Chantrell (Director of IRM & GRC Technology at PwC Australia), and Andrew Robinson (6clicks Founder and CISO) joined 6clicks CEO Anthony Stevens. Sadly our representative from the energy sector, Ryan Turan, was unable to attend on the day. 

We'll provide an overview of the legislation that has changed, we'll then explain which sectors they now apply to and what the obligations mean. 

From there we'll give you the 6clicks and PwC take on running an effective risk management program, required under the critical infrastructure reforms, specifically, the Risk Management Rules.

Finally we'll take a look at how technology, including 6clicks, can help you run an effective risk management program.

So what are the changes?

We have grown so very dependent on the internet for many things. So has critical infrastructure like electricity generation & distribution, communications, transport, and banking amongst other sectors. There has been a lot of cyber activity targeting these sectors over the past decade (perhaps longer) and due to its nature, the impact can be significant in terms of outages that cause disruption and impact our now accustomed way of life, yet alone safety.

As such the Australian Government has recognised the need for stronger measures to be in place to protect critical infrastructure. The full list of sectors are described in the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) which combined with the more recent Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) amended the Security of Critical Infrastructure Act 2018 (SOCI Act) to extend applicability and add requirements.

Which sectors do the laws now apply?

According to clause 8D of the SLACI Act, each of the following 11 sectors of the Australian economy are considered a critical infrastructure sector:

1. the communications sector;
2. the data storage or processing sector;
3. the financial services and markets sector;
4. the water and sewerage sector;
5. the energy sector;
6. the health care and medical sector;
7. the higher education and research sector;
8. the food and grocery sector;
9. the transport sector;
10. the space technology sector;
11. the defence industry sector.

More about the requirements

The SLACI Act includes Positive Security Obligations as well as Government assistance powers.

 The Positive Security Obligations i.e., mandatory cyber security incident reporting, requires incidents to be reported to the ACSC where the incident has occurred or is occurring AND is having a significant impact on availability within 12 hours. Where an incident has occurred, is occurring or is imminent AND the incident has had or is likely to have a relevant impact then you are required to notify the ACSC within 72 hours. We’ll put this information in the show notes.

 The Positive Security Obligations apply to Critical Infrastructure Sectors that are deemed to operate Critical Infrastructure Assets or Systems of National Significance.

 The government assistance powers apply more generally to all entities within Critical Infrastructure Sectors and involves government intervention in responding to an incident “as a last resort”.

How to create and maintain a suitable risk management program

Matt Chantrell from PwC says that maturity is the key word when we are talking about risk management, cyber is one of those functions where there is a lot of maturity, but every sector is different and that's what these amendments are here to address.

Many critical infrastructure sectors already have regulatory systems in place to mitigate against threats sufficient to not warrant the development of a new risk management program.

The amendments are here as where an existing regulatory system is not in place, there is a requirement to develop a risk management program.

At its core, a risk management program is designed to mitigate risks/hazards that can cause an impact on the functioning of critical infrastructure. Really it's there to limit the impact and optimise the opportunities.

It's really focussed as far as it is reasonably, minimise or eliminate any material risks, and helping organisations prioritise what's important. Material Risk that have a substantial impact on the availability, reliability and integrity of a critical infrastructure.

If no plan is in place the Risk Management Program Rules are there to help manage and mitigate the following areas over 6-18 months:

1. Physical and natural – the physical risks to the asset critical to the functioning of the asset
2. Cyber and information security – the ‘cyber’ risks to the digital systems, computers, datasets, and networks that underpin critical infrastructure.
3. Personnel – the ‘trusted insider’ risk posed by critical workers who have the access and ability to disrupt the functioning of the asset.
4. Supply chain – the risk of disruption, malicious or otherwise, or exploitation of critical supply chains leading to a disruption of the asset.

Really important organisations prioritise based on their maturity. It's critical to risk - not just cyber.  

If you add tools and systems into that, really it's about :

1. understanding your critical infrastructure (register with department)

2. understanding your obligations, including the attestations (e.g. board level attestation after 12 months)

3. define a plan

3.1 understand roles/responsibilities and get all security checks in place

3.2 understand how your systems interact

3.3 identify the threats & risks and their impact to availability, reliability and integrity of a critical infrastructure

3.4 prioritise based on materiality  and context

4. make sure you've got the training in place

5. make sure you have attestations

6. make sure you can review and report on all this at the right time

Well this is it isn't it, the world is digitising, and we do work in cyber security,  the question is how can you not do this using technology. We've got increasing obligations and changing risks.

The key thing about technology that we have to remember is that it's not just technology.  It's a valuable.  It offers real benefits. Especially when we are talking about implementing a risk program, and especially when thinking about critical infrastructure.

Some examples of where technology can help are to:

• centralise,
• simplify,
• remove manual process,
• standardise, and
• integrate into the departments or organisations smart controls

There is no doubt that technology will continue to take over the world.

How technology can help automate aspects of your risk management program

A great example of technology is being able to see the bigger picture, data is king but context is queen. 

With tools like 6clicks, you can manage:

• critical infrastructure
• related assets
• related processes and services
• criticality
• business resiliency requirements (RTO/RPO)
• risks
• issues & incidents
• compliance obligations
• run assurance activities
• report and monitor

It doesn’t need to be the only system you use,  in fact the more the better but you need that source of truth.

The key thing is that we take it easy and we don't think it's the silver bullet.  

1. set the strategy
2. know what you want to achieve
3. start small
4. be prepared for change
5. integrate

Andrew Robinson from 6clicks adds that the trick will be to manage the identification, assessment, treatment, and reporting of risks across large complex ecosystems that typical sit underneath critical infrastructure assets. This is where technology such as 6clicks can help with its Audits & Assessments module as well as its Risks Libraries, Risk Review, and Risk module.  

Filtering, rolling up and reporting on risks at a summary level in aggregate is something that technology can also make easer by reducing the need to build a new report from scratch for each reporting period. 6clicks Reporting & Analytics can be used to filter, roll-up and report on risks in presentation and story form. 

6clicks Hub & Spoke is an architecture that enables multiple teams to operate risk and compliance programs using shared resources such as risk & control libraries and assessment templates shared by the Hub, and participate in roll-up aggregate reporting between multiple 6clicks teams – or spokes – at the hub or group level.

About 6clicks

6clicks is a risk and compliance platform powered by Hailey, a breakthrough AI engine to automate common compliance tasks, includes a massive content library including standards like ISO 27001, NIST CSF, APRA CPS 234, AESCSF and many more.

About PwC

PricewaterhouseCoopers is an international professional services brand of firms, operating as partnerships under the PwC brand. It is the second-largest professional services network in the world and is considered one of the Big Four accounting firms, along with Deloitte, EY and KPMG.

How about a whistle-stop tour with one of our 6clicks maestros? Easy, just click the button below and let the good times roll.

All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!