What is the Security of Critical Infrastructure Act 2018 (SOCI Act 2018)?

Australia uses the Security of Critical Infrastructure Act 2018 (SOCI Act 2018) as the legal framework for mitigating and remediating threats to the nation's critical infrastructure. The Act, and the amendments that followed it, came after several high-profile cyber attacks raised awareness of the need for cybersecurity and for standardized security measures across priority organizations.

The Security Legislation Amendment (Critical Infrastructure) Act 2021 later amended the SOCI Act, and the regime was further strengthened by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP), which received assent in April 2022.

The act and its amendments are viewable on Australia’s Federal Register of Legislation. Combined, they have had a significant impact on Australia’s awareness, preparedness, and resilience in the face of increasingly frequent and sophisticated cyber threats.

This post will give you an overview of the most important features and considerations of the landmark SOCI Act, the changes to improve the cybersecurity of Australia’s critical infrastructure, and an idea of the legislation’s impact on Australian cybersecurity policies and procedures.

SLACIP Amendments to the SOCI Act 2018

SLACIP amended the SOCI Act 2018 to introduce several new measures for cyber risk management:

Identification of Systems of National Significance

One aim of the SLACIP amendments is to raise the minimum acceptable security practices for critical infrastructure entities.

The Australian government has determined that SOCI and the SLACIP amendments apply to critical infrastructure asset classes it has identified, which include, among others:

  • Critical broadcasting assets
  • Critical data storage and processing assets
  • Certain critical defense assets
  • Critical domain name system assets
  • Critical energy assets, including electricity, gas, and liquid fuel assets
  • Financial services sector assets, divided into critical banking, critical insurance, critical financial market infrastructure, and critical superannuation assets
  • Critical food and grocery assets
  • Critical freight infrastructure assets
  • Specific critical healthcare assets
  • Critical water and sewerage assets

Following the addition of Part 6A to the SOCI Act, the Minister for Home Affairs can declare a critical infrastructure asset to be a system of national significance. In making that declaration, the Minister considers the consequences a hazard such as a cyber attack on the asset could have, and two points are worth noting:

  • The asset does not need to operate nationally or serve the entire country. An asset and its function can have national significance even when its footprint is regional.
  • The Minister must consider the interdependencies between that asset and other critical infrastructure assets and systems.

This is the same reason a third-party data breach or supply chain attack can be so devastating: a single compromise propagates to the many organizations and individuals connected to the affected network through customer relationships, business partnerships, or reliance on the goods and services that hold a business ecosystem together.

Once an asset has been declared a system of national significance, the Secretary of Home Affairs can impose enhanced cyber security obligations on its responsible entity (such as the system information notices described below), in addition to the obligations that apply to critical infrastructure assets generally. The key obligations are:

Risk Management Planning

Under SOCI, the responsible entity for a critical infrastructure asset must adopt and maintain a critical infrastructure risk management program. The program is all-hazards (cyber and information security is one hazard domain, alongside personnel, supply chain, and physical and natural hazards), and a risk-based approach to the cyber domain means the organization will consider:

  • The threat actors that could plausibly target its information systems
  • The cyber risks that could compromise the confidentiality, integrity, or availability of those systems
  • The potential impact of those risks and threats on the critical infrastructure business and its wider business ecosystem
  • The likelihood of each incident occurring

By seeking clear information on cybersecurity risks and prioritizing accordingly, organizations can begin with the mitigation and vulnerability remediation efforts that have the most impact.

Notably, the SLACIP amendment clarifies that the risk management program must exist in written form and that it must be an evolving, living document that changes with the organization, the results of audits, and developments in the cyber threat landscape.

A robust suite of cybersecurity practices is about more than defense against known threats. It is not only reactive to threats but also proactive in identifying vulnerabilities and exposures.

A firm with a mature cybersecurity framework takes steps to predict and prepare for new threats and is willing to collaborate with other entities to protect itself and the wider business ecosystem from growing cyber risks.

After identifying cyber risks, threats, and vulnerabilities, a critical infrastructure entity must treat threat mitigation and vulnerability remediation as an ongoing process rather than a one-off exercise.

Annual Reporting

Accountability is a vital part of any risk management program. The responsible entity for a critical infrastructure asset covered by the program obligation must submit an annual report, approved by its board or governing body, to the Department of Home Affairs or its relevant regulator within 90 days after the end of each financial year.

For critical infrastructure organizations, the annual report must include the following information:

  • Any hazard that occurred during the year and had a significant relevant impact on the asset
  • Whether the organization's risk management program was up to date at the end of the financial year
  • Whether the risk management program was varied in response to such a hazard
  • An evaluation of how well the risk management program coped with the material risks and threats it identified

If any asset is not covered by a critical infrastructure risk management program, the responsible entity must explain why the asset is exempt, describe the risks and threats that affected it, and state what security measures were taken in response.

System Information

The Secretary of the Department of Home Affairs may issue three kinds of system information notices to the responsible entity for a system of national significance. A notice may:

  • Require periodic reports on the operation of the system's computers
  • Require a report each time a specified event occurs
  • Require the installation and maintenance of a specified computer program (system information software) that collects and transmits system information to the Australian Signals Directorate, where the entity is not technically capable of preparing the required reports itself

Penalties for Non-Compliance with SOCI and SLACIP

Civil penalties for non-compliance are expressed in penalty units and, for many SOCI obligations, currently amount to up to $55,000 per contravention; because the dollar value of a penalty unit is indexed, that figure rises over time.

However, the costs of a data breach or cyber attack usually dwarf the statutory penalty. Ransom payments, the cost of identifying the intrusion, isolating malicious code, and repairing the affected systems all add up, and fines under other regimes (such as Australia's Privacy Act, the GDPR, or HIPAA) may apply on top.

On top of these costs, businesses suffering cyber attacks must also consider the price of business disruption. Moreover, reputational damage is a significant factor in data breaches and cyber attacks, especially when the organization does not have a sufficient incident response plan in place.

An insufficient or missing incident response plan can result in a slow response, inadequate remediation efforts, insufficient public disclosure, and a potentially damaging lack of transparency about the impact of the attack and what the organization did to rectify it.

To protect national security, revenue, and reputation, critical infrastructure entities must adopt strong cybersecurity procedures backed by documented, regularly reviewed information security policies and incident response plans.

How SOCI has Affected Australia’s Cybersecurity Policy

The introduction of SOCI and its amendments has increased awareness of cybersecurity across the country and has helped make cybersecurity and risk management core parts of business activity rather than an afterthought.

Internationally, boards and C-suite executives are increasingly engaging with cybersecurity. While it was once considered the remit of the IT department or the Chief Information Security Officer (CISO), organizations around the world now see cybersecurity as an operational problem, and an opportunity, for the whole business.

It’s also becoming clearer that everyone is a stakeholder in data protection and information security. Even in attacks by organized, professional groups, staff often play a part.

For example, phishing is a common delivery vector for ransomware: a message that tricks a staff member into handing over access credentials or personally identifiable information can lead to malware being introduced into the environment.

Likewise, a server misconfiguration by IT personnel or an insider attack by a disgruntled employee can lead to data exposure that compromises sensitive information.

In meetings at every level, it’s increasingly likely that cyber risk and cybersecurity measures will be discussed and addressed, moving Australian organizations toward cybersecurity maturity and the development of cybersecurity cultures.

Australia’s solid, publicized cybersecurity policy has inspired more firms — in critical infrastructure sectors and beyond — to prioritize risk management, information security, and cybersecurity best practices.

The policy has been backed by the threat of civil penalties, while news of recent, significant Australian data breaches has helped set the tone. With SOCI, and the threat environment into which it was introduced, more businesses are maintaining cybersecurity best practices and adopting a cyber threat management approach to defend against known and emerging threats.

Common Cybersecurity Best Practices Supported By SOCI Act 2018

Attack Surface Management

Attack surface management (ASM) helps an organization understand the full extent of its exposure to cyber risk and take measures to reduce its attack surface and the number of viable attack vectors. Every new device, user, service, or access point on a network enlarges the attack surface, so organizations should implement some form of ASM to reduce the likelihood of a data breach. Gaining visibility of the attack surface, particularly its internet-facing portion, and then shrinking it is one of the most effective practices for reducing cyber risk.

Vulnerability Remediation

Proactively seeking out vulnerabilities and remediating them can dramatically improve a firm’s security posture.

Vulnerability remediation means using threat intelligence and information-sharing resources, such as the Common Vulnerabilities and Exposures (CVE) list, to make sure known issues are fixed with security patches or, where no patch exists, mitigated. It also includes penetration testing and attack simulations to find weaknesses before attackers do.
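As an added example (not code from the original post or from UpGuard), the following Python script shows how the two practices above, attack surface visibility and CVE-style vulnerability matching, fit together in a single triage routine. Everything in it is constructed for illustration: the host names, product names, versions, the risky-port list, the scoring weights, and the advisory records (the `ADV-` identifiers are placeholders, not real CVEs). It also shows the version-comparison pitfall that bites naive implementations: compared as strings, "2.9.4" sorts after "2.10", so a host running 2.9.4 checked against a fix in 2.10 would wrongly look patched.

```python
"""Added example: offline triage of a service inventory against an advisory feed.
Hosts, products, versions, advisory IDs and scores below are all constructed
placeholders; none refers to a real system or a real CVE."""
from dataclasses import dataclass
import re

# Services that should rarely be reachable from the internet on an operational
# network. Assumption: an illustrative starting list, not a SOCI requirement.
RISKY_EXPOSED_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 502: "modbus", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5432: "postgres", 5900: "vnc", 20000: "dnp3",
}

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str   # normalized product name as the scanner reports it
    version: str   # version string, e.g. "2.9.4" or "4.2p1"
    exposed: bool  # reachable from the internet

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" = no fix available
    cvss: float

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    reason: str
    score: float

def parse_version(version: str) -> tuple:
    """Tuple that compares numerically per component ("2.9.4" < "2.10", unlike
    string comparison). Alphabetic fragments like the "p1" in "4.2p1" are kept
    as strings and sort after the numeric part; trailing zero components are
    dropped so "1.0" == "1.0.0". Pre-release tags (rc, beta) are not modelled."""
    components = []
    for part in re.split(r"[.\-+_]", version.strip().lower()):
        match = re.match(r"(\d+)(.*)", part)
        if match:
            components.append((0, int(match.group(1))))
            if match.group(2):
                components.append((1, match.group(2)))
        elif part:
            components.append((1, part))
    while components and components[-1] == (0, 0):
        components.pop()
    return tuple(components)

def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (no upper bound if unfixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return not (adv.fixed and v >= parse_version(adv.fixed))

def triage(services, advisories):
    """Exposure findings plus advisory matches, ranked highest score first.
    Illustrative weights: an internet-exposed risky service scores a flat 7.0;
    an advisory match scores its CVSS base, plus 1.5 if the host is exposed."""
    findings = []
    for svc in services:
        if svc.exposed and svc.port in RISKY_EXPOSED_PORTS:
            findings.append(Finding(svc.host, svc.port, svc.product,
                f"{RISKY_EXPOSED_PORTS[svc.port]} reachable from the internet", 7.0))
        for adv in advisories:
            if adv.product == svc.product and is_affected(svc.version, adv):
                findings.append(Finding(svc.host, svc.port, svc.product,
                    f"{adv.advisory_id}: {adv.introduced} <= {svc.version} < {adv.fixed or 'unfixed'}",
                    adv.cvss + (1.5 if svc.exposed else 0.0)))
    findings.sort(key=lambda f: (-f.score, f.host, f.port))
    return findings

# Constructed inventory, as a scanner or asset register might produce it.
SAMPLE_SERVICES = [
    Service("hmi-01", 3389, "rdp", "10.0", exposed=True),
    Service("plc-gw-01", 502, "modbus", "1.0", exposed=False),
    Service("hist-01", 8443, "historian", "2.9.4", exposed=True),
    Service("hist-02", 8443, "historian", "2.10.1", exposed=False),
    Service("jump-01", 22, "gatewayd", "4.2p1", exposed=True),
    Service("db-01", 5432, "dbserver", "13.1", exposed=False),
]
# Constructed advisory feed; the IDs are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "historian", "2.8", "2.10", 8.1),
    Advisory("ADV-0002", "gatewayd", "4.0", "", 5.3),
    Advisory("ADV-0003", "dbserver", "13.0", "13.4", 6.5),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_ADVISORIES):
        print(f"{f.score:4.1f}  {f.host}:{f.port}  {f.reason}")
```

Run as a script, the ranked output puts the internet-exposed historian on 2.9.4 first (it matches ADV-0001 and is exposed), then the two exposed risky services, then the unexposed advisory matches; the host on 2.10.1 correctly produces no finding. In a real program the inventory would come from an asset register or scanner output and the advisories from a CVE feed, and the scoring weights would be tuned to the organization's own risk management program.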

Third-Party Risk Management (TPRM)

The wording of SOCI and its amendments foster more appreciation of the interdependencies between organizations, which is essential to implementing a successful third-party risk management program.

Third-party risk or vendor risk can be particularly damaging because cybercriminals and hackers target vendors that can provide them with access to valuable, sensitive data and/or cause widespread disruption due to the number of organizations using their goods or services.

The SolarWinds supply chain attack, disclosed in December 2020, is a clear example of the disruption attackers can cause by compromising a software vendor used by critical infrastructure and high-profile businesses. Among those that received the trojanized update were US federal government agencies, Microsoft, Intel, and Cisco.

Incident Response Planning

While reducing risk and avoiding attacks is a mainstay of cybersecurity, any business’s cybersecurity policy should also include clear guidelines on incident response planning. A firm needs an incident response plan so that every staff member knows what to do during a cyber attack.

Because cyber attacks are more common and businesses are more interconnected, the risk of suffering an attack has risen sharply, and organizations need a plan for when one happens.

An incident response plan should include the responses for various cyber incidents according to their likelihood and their potential impact, as ascertained during a risk management process.

An incident response plan should be:

  • Documented
  • Easily accessible
  • Understandable by any staff member

The incident response plan should also achieve the following:

  • Identify the incident response team
  • Explain each team member’s roles and responsibilities
  • Contain accurate contact information
  • Include what constitutes a data breach or cyber incident
  • Include who to contact regarding information disclosure to law enforcement, regulators, and the media due to a data breach

The incident response plan should be reviewed, tested, and updated regularly to ensure that it works and that it remains relevant amid changing personnel, workflows, systems and technology, business objectives, and the cyber threat landscape.

Information Security Policies

Cybersecurity procedures and practices are often prone to misinterpretation, lapses, and gaps when they are not backed up by documented policies.

Omissions in security measures can be a particular issue in large organizations, such as higher education institutions, where department heads often take charge of their own information technology needs and procedures.

Standardized, homogeneous practices and procedures, built on agreed technology, are easier to manage and maintain, and therefore safer, than letting each department head act independently.

With everyone following the same information security policies, a business will find it easier to update and strengthen its practices across the organization.
