Critical Industries and the Risk Management Program

In February 2023, the Critical Infrastructure Risk Management Program Rules commenced. The Rules create an obligation for listed asset classes to produce and comply with a critical infrastructure risk management program (CIRMP). We have written about the Critical Infrastructure Bill before — these Rules are another aspect of the Security of Critical Infrastructure Act 2018 (SOCI Act).

What does this mean for us?

If you are an owner or operator of one of the following assets, you need to follow the Rules and have a CIRMP:

  • Broadcasting
  • Domain Name Systems
  • Data Storage or processing
  • Electricity
  • Energy Market Operator
  • Gas
  • Liquid Fuels
  • Payment Systems
  • Food and Grocery
  • Designated Hospitals
  • Critical Freight Infrastructure
  • Critical Freight Services
  • Water

What is the cyber protocol for the Rules?

By August 2024, you need to show that you comply with a cybersecurity framework (either one of the ones listed below, or an ‘equivalent’ framework):

  • Australian Standard AS ISO/IEC 27001:2015
  • Essential Eight Maturity Model published by the Australian Signals Directorate (Meet maturity level one)
  • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology
  • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America (Meet maturity level one)
  • The 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327)

These frameworks are focused on reducing the likelihood of a breach. But, vitally, the Rules say you need to:

Establish and maintain a process or system in the CIRMP to – as far as it is reasonably practicable to do so:
  – minimise or eliminate any material risk of a cyber and information security hazard occurring; and
  – mitigate the relevant impact of a cyber and information security hazard on the CI asset.

Risk Management Program Rules of Critical Infrastructure Assets Guidance — Section 8

So having the frameworks in place is not enough. You can’t just work to reduce the likelihood of a breach. You also have to reduce the impact of a successful one.

This means knowing your risky data: where it is, how sensitive it is, what secrecy and privacy rules apply to it, and what is happening to it at all times. Importantly, you also need to know how long you need to keep it for. The best way to reduce the impact of a spill is to not have any sensitive data in that spill. And the best way to not have sensitive data is to destroy it when you no longer need it. That’s why automated records management is just as important to your risk controls as automated security and privacy management, audit, and discovery.

Contact us if you want to understand your risk exposure by using AI to scan and report on your entire network. Being able to quantify what the impact of a breach would be helps to make a business case, and a robust plan, for meeting the Rules and the cyber protocol by the deadline.