How to Comply with Australia’s CIRMP Rules

The Australian Cyber and Infrastructure Security Centre (CISC) recently announced that the Critical Infrastructure Risk Management Program (CIRMP) obligation had entered into effect. The Minister for Home Affairs, the Hon Clare O’Neil, signed the CIRMP Rules as the final part (Section 61) of the Security of Critical Infrastructure Act 2018 (SOCI Act) on 17 February 2023, effective immediately.

CIRMP follows the Security Legislation Amendment Critical Infrastructure Protection 2022 (SLACIP) as part of Australia’s effort to further improve the security of its critical infrastructures and its assets.

This article will cover the main compliance requirements listed in the CIRMP Rules, how critical infrastructure entities can begin implementing a CIRMP, and the additional cybersecurity requirements they must meet to comply with CIRMP Rules.

Why is the CIRMP Rule Important?

The CIRMP Rule is significant because it requires Australia’s critical infrastructure entities to improve and uplift their core security practices and ensure that the relevant entities take a more proactive approach to their risk management processes.

Any disruption to critical infrastructure assets could have serious impacts extending to major businesses, the government, or the community, which could negatively impact resource supply, distribution and supply chain continuity, national security, and economic growth.

By implementing a strong risk management program, critical organisations can ensure that they can continue providing essential services to those relying on it. Additionally, critical organisations will be better equipped to respond to and recover from a potential incident, thus preserving their professional business reputation.

Learn how to comply with CPS 230 >

How to Comply With the Critical Infrastructure Risk Management Program Rules

The Critical Infrastructure Risk Management Program (CIRMP) obligation requires responsible entities to develop and maintain a program that “identifies and manages material risks of hazards that could have a relevant impact” on critical infrastructure assets (CI assets).

Every critical infrastructure entity must accomplish the following in their CIRMP:

• Identify each hazard where there is a potential risk that the occurrence of the hazard could have a lasting, relevant impact on the specific asset.
• Reduce, minimise, or eliminate the potential risk of the hazard from occurring as far as reasonably practicable. Entities must establish appropriate strategies to reduce the risks as much as possible and should develop processes to detect and respond to potential threats.
• Mitigate the relevant impact of the hazard on the asset as far as reasonably practicable. Entities must have appropriate procedures in place to reduce the impact of each hazard as much as possible and to recover from the impact as quickly as possible.
• Provide an annual report signed by the board, council, or other governing body to the relevant Commonwealth government regulator (in most cases, the Secretary of the Department of Home Affairs) advising whether or not the risk management program is up-to-date.
• Comply with any future requirements the SOCI Act Rules may set or determine.

What is Considered a Hazard?

Under the CIRMP Rules, a hazard is defined by four key vectors:

1. Physical and natural security - Any physical or natural security risks related to the asset that is critical for its functioning, including physical access through the device or facilities and natural disasters that can affect the physical state of the asset.
2. Cyber and information security - Any threat to digital systems, computers, networks, or datasets is considered a cybersecurity hazard that could undermine critical infrastructure systems. This can include improper access, misuse, or unauthorised control of the asset.
3. Personnel hazards - Otherwise known as insider threats, critical workers who have access to sensitive data or have the ability to disrupt the functioning of the asset are considered personnel hazards.
4. Supply chain hazards- The risk of disruption to critical supply chains poses a significant relevant impact on the CI asset. This can include natural hazards or malicious intent to compromise or disrupt the asset.

What is Considered a Material Risk?

A material risk is any risk that has a relevant impact that could lead to the “impairment, stoppage, loss of access to or interference” to a critical infrastructure asset.

Material risks can include:

• Stoppage or major slowdown of the asset’s function for an unmanageable period
• Loss of access to a critical component of the asset
• Deliberate or accidental manipulation of the asset
• Interference with the asset’s operational or information communication technology essential to the asset’s functioning
• Storage, transmission, or processing of sensitive operation information
• Remote access to operational control or monitoring of the asset’s systems

What is Considered Relevant Impact?

Relevant impact is when the material risk has a direct or indirect effect on the “availability, integrity, reliability, and confidentiality” of the information about the asset or the information stored within the asset.

The impact must be more severe than a reduction in the quality of service provided, such as noticeable business disruptions or potential exposure of critical information.

What Does “as far as is reasonably practicable” Mean?

“As far as reasonably practicable” allows organisations and entities to determine how they address material risks and relevant impacts in relation to the operating context of their business. In other words, mitigation processes and their implementation should be measured against factors such as business size, maturity, and overall budget. Risk mitigation and impact minimisation processes should not exceed the organization's capability to implement these processes but should be planned for accordingly.

Who Must Comply with the CIRMP?

The CIRMP Rules don’t necessarily apply to only critical infrastructure organisations — the Rules apply to all “responsible entities” that manage any critical infrastructure assets.

As such, the CIRMP Rules regulate any entity that manages the following CI asset classes:

1. Critical broadcasting assets
2. Critical data storage or processing assets
3. Critical domain name systems (DNS)
4. Critical electricity assets
5. Critical energy market operator assets
6. Critical financial market infrastructure assets used in connection with the operation of a payment system
7. Critical food and grocery assets
8. Critical freight infrastructure assets (listed assets will be critical to the transportation of goods between states or territories, as defined in the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021)
9. Critical freight services assets
10. Critical gas assets
11. Certain critical hospitals (listed in the CIRMP rules)
12. Critical liquid fuel assets
13. Critical water assets

What To Do If Your Company Manages Covered Critical Infrastructure Assets

Companies or entities responsible for managing a CI asset in the above asset classes have a 6-month grace period to implement a critical infrastructure risk management program (CIRMP), or until 18 August 2023. This means that companies must have documented controls in place that address how they plan to reduce and mitigate their material risks. Mitigations do not have to be fully implemented by the end of the 6-month grace period, but they must be documented and approved by the entity’s board, council, or governing body.

Additionally, companies will have an additional 12-month period to meet the cybersecurity requirements of the CIRMP. The Australian government is allowing additional time to meet these requirements due to the complexity and difficulty of implementing new cybersecurity frameworks at the enterprise level.

NOTE: The CIRMP Rules do not have a required format or framework to implement a CIRMP. Responsible entities are encouraged to use existing frameworks and processes to develop their CIRMP and complement their existing risk management processes.

Here is a basic list of what companies need to accomplish to begin developing their CIRMP:

1. Outline the CIRMP process or system

The CIRMP Rules state that responsible entities must establish a system that:

• Identifies the operational context of the CI asset
• Identifies the critical components of the CI asset*
• Identifies the material risks to the asset
• Minimises or eliminates material risks, as far as reasonably practicable
• Mitigate the relevant impact of each hazard, as far as reasonably practicable
• Maintain, review, and improve the CIRMP year over year

*Note: Critical components are any part of the asset that, if damaged or compromised, would prevent proper functioning of cause significant damage to the asset itself.

2. Determine interdependencies between CI assets from other entities

Businesses must describe how their CI assets intersect with CI assets owned or operated by other entities. Whether the other entities are within the same sector or outside of it, the relations between CI assets must be clarified and documented if they are dependent upon each other.

By determining these interdependencies, entities can consider the operational extent of their networks of assets to broaden their mitigation processes.

3. Mitigate or eliminate risks and hazards to prevent incidents from occurring

To minimise risks, responsible entities should consider both a proactive approach to risk management and a reactive approach to respond to threats in the event of an active attack. Risk management processes should be regularly reviewed to adapt to evolving threat landscapes.

Proactive approaches to risk management involve identifying the attack surface of the CI assets and taking steps to reduce or remove involved risks. Reactive approaches should establish documented processes, such as incident response plans to detect and respond to each and every threat that poses a significant risk.

Mitigation processes or methodologies to reduce the impact of hazards must be documented as part of the annual reporting requirement.

4. Designate an individual responsible for maintaining the CIRMP

Every entity must choose or designate an individual to oversee the implementation of the CIRMP. The individual must also develop, improve, review, and update the CIRMP annually. Contact information of the individual must also be provided in the annual report.

The individual in charge should be responsible for reviewing the CIRMP when:

• There are changes to the operating environment
• New business requirements are introduced that may affect CI assets
• New and emerging threats arise
• The occurrence of a hazard resulted in a material risk surfacing
• New industry standards are introduced regarding a CI asset
• The business acquires a new CI asset

5. Submit an approved report to the relevant regulator

Reports must be submitted within 90 days of the end of the relevant Australian financial year. The first report for responsible entities will be required in 2024, submitted between 30 June 2024 and 28 September 2024. Reports must contain information on the following:

• Whether or not the risk management program was updated during the year
• Any new changes or variations to the program from previous years
• Any occurrences of hazards that had a significant impact on CI assets (and if hazards have been successfully mitigated)
• Details on whether or not the program successfully eliminated any hazards or risks
• Whether or not the program was effective in mitigating the relevant impact

Reports do not need to include the full CIRMP — they only need to include updated information regarding the status of the program. The CISC plans to use these reports to better understand the threat environment in each relative industry or sector. By doing so, the CISC can provide better and more meaningful support or assistance regarding the security and resilience of assets to each respective industry when they are at risk or subject to a hazard.

Addressing Cyber and Information Security Hazards of CIRMP

The CIRMP Rules recognize that cyber and information security hazards are the most difficult hazards to address and allow responsible entities an additional 12 months after the 6-month grace period to choose and implement an adequate cybersecurity framework at the enterprise level.

Although all hazards should be addressed appropriately, cyber risks represent the biggest threat to critical infrastructure entities. Cyber attacks or other cybersecurity incidents can potentially cripple entire organisations, which poses a huge threat to the infrastructure of Australian companies. Because cyber threats have continued to grow in sophistication and proportion, cybersecurity has quickly positioned itself as a primary focus and prioritisation in many companies around the world.

For example, some of the biggest cyber threats right now include phishing, malware, ransomware, credential theft, DDoS attacks, supply chain attacks, and third-party attacks. In order to minimise or eliminate these material risks, entities must consider tactics and strategies such as:

• Employee education and training for recognizing phishing or social engineering attempts
• Developing cyber incident response plans that properly address all relevant threats
• Regular testing and review of security controls
• Scanning for potential IT risks and vulnerabilities and implementing risk and vulnerability remediation processes
• Conducting penetration tests against the cyber defenses of the IT infrastructure to identify and assess vulnerabilities
• Implementing network segmentation to limit the spread of a cyber attack and control spread across networks
• Reviewing employee access privileges and assigning role-based access rules to prevent unauthorized access to critical systems and assets

Meeting the Cybersecurity Framework Requirements of CIRMP

Subsection 8(4) of the CIMRP rules specify that entities must comply with one of the following cybersecurity frameworks (or an alternative equivalent):

1. Australian Standard AS ISO.IEC 27001:2015
2. Essential Eight Maturity Model (published by the Australian Signals Directorate) - up to Level 1
3. Framework for Improving Critical Infrastructure Cybersecurity (published by NIST)
4. Cybersecurity Capability Maturity Model (published by US Department of Energy) - up to Maturity Level 1
5. The 2020-21 AESCSF Framework Core (published by Australian Energy Market Operator Limited (ACN 072 010 327)) - up to Security Profile 1

When choosing the right framework for risk management, entities should consider which framework is most relevant to their respective cyber and information security hazards. If there is an alternative framework that better addresses all risks and hazards on the entity’s CI assets, then it can still be considered a valid equivalent framework.

NOTE: Assets that have been declared Systems of National Significance (SoNS) are subject to the Enhanced Cyber Security Obligations, separate from the Cyber and Information Security Hazards rules.

Addressing Personnel Hazards of CIRMP

Personnel hazards are major hazards because employees with improper access to assets or information could potentially leak critical data, whether intentionally or unintentionally.

Subsection 9(1) of the CIRMP Rules lists specific requirements for the personnel hazard vector:

• Entities must identify all critical workers
• Only allow critical workers to access critical components of an asset where they have been “assessed to be suitable to have such access”
• Minimise or eliminate material risks as far as reasonably practicable to do so from 1) Malicious or negligent employees and 2) the off-boarding process for outgoing employees and contractors

The Department of Home Affairs recommends their background-checking service for security-sensitive critical infrastructure sectors in Australia called AusCheck. Using the AusCheck scheme can help mitigate insider threats working with CI assets. However, entities are free to choose their own personnel hazard management processes.

Entities can consider the following practices to mitigate the impact of personnel hazards:

• Implementing access control policies - Access control determine which employees are allowed to access certain assets. Access control policies should also restrict unrecognized devices from connecting to the network.
• Continuous monitoring of personnel and network activity - The fastest way to detect suspicious or unauthorised activity is to implement networking monitoring practices to quickly identify malicious activity.
• Cybersecurity training for staff - One of the leading causes of personnel hazards is employee error. Cyber education and training can provide staff with the tools to recognize and report suspicious activity and practice safer cybersecurity.

Addressing Supply Chain Hazards of CIRMP

Disruptions in the supply chain can often lead to massive financial losses and reputational damages due to major suppliers experiencing business disruptions in the manufacturing, distribution, or shipping of CI asset components.

Section 10 of the CIRMP rules states that responsible entities must establish a CIRMP that addresses the following:

• Unauthorised access, interference, or exploitation of the asset’s supply chain
• Misuse of privileged access to the asset by any provider within the supply chain
• Disruption of the asset’s function due to an issue in the supply chain
• Failure or lowered capacity of assets in the supply chain
• Any risks from third-party major suppliers
• Threats to people, assets, equipment, products, services, distribution, and intellectual property in the supply chain

Major suppliers are defined as “any vendor that by nature of the produce or service they offer, has a significant influence over the security of a responsible entity’s CI asset.” To help minimise these risks, entities should consider:

• Ensuring third-party suppliers or vendors with access to sensitive data have sufficient security policies and personnel equipped to deal with cybersecurity risks
• Diversifying vendor lists to reduce dependencies within the supply chain that can lead to bottlenecks or supply chain issues

Addressing Physical Security and Natural Hazards of CIRMP

Subsection 11(1) of the CIRMP Rules states that entities must establish and maintain a process to:

• Identify the physical critical components of CI assets
• Respond to incidents where unauthorised access to physical critical components occur
• Control and limit access to physical critical components, including restricting physical access to only authorised critical workers and visitors
• Regularly test physical security arrangements for the asset and its components that are effective to “detect, delay, deter, respond to and recover from a breach”

Section 3 and subsection 11(2) of the CIRMP Rules define the following hazards as the following:

1. Physical security hazards - Unauthorised access to, interference with, or control of CI assets, that can compromise the proper function or cause significant damage to the asset
2. Natural hazards - Any natural disaster that can disrupt the physical security of the asset and its components, including fires, floods, cyclones, large storms, heatwaves, earthquakes, tsunamis, hurricanes, space weather, or biological hazards (pandemics)

Entities can minimise or eliminate material risks and reduce hazards by:

• Locking down industrial control systems from external access, such as HVAC, fire alarms, cameras
• Hiring security staff or onsite security to patrol and monitor critical asset components
• Installing CCTV or motion detection sensors to detect intruders
• Building infrastructure resilience through contingency planning, emergency exercises, and hazard simulations
• Implementing physical access controls, such as perimeter fencing, biometric scanning, time-locked access keys
• Creating relative environmental survival plans, such as controlled forest burning, floodplain control, hurricane-resistant foundations, earthquake-resistant roads and buildings, fire-retardant construction, etc.