SOCI Critical Infrastructure Risk Management Program Rules Come into Force

On 17 February 2023, the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (CIRMP Rules) took effect, introducing a wave of new compliance requirements for responsible entities under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). Over the next six months, responsible entities for critical infrastructure assets (CIAs) captured by the SOCI Act are required to adopt a critical infrastructure risk management plan (CIRMP).

The purpose of the CIRMP is to allow responsible entities to:

  • identify each hazard where there is a material risk that the occurrence of such hazard may impact the availability, reliability, integrity or confidentiality of an entity’s CIA; and
  • so far as reasonably practicable to do so, minimise and mitigate the material risk and relevant impact of such hazards.

In assessing hazards, The CIRMP Rules requires a responsible entity to establish and maintain a “process of system” outlined in the responsible entity’s CIRMP. This “process of system” is designed to help responsible entities:

  • identify the operational context of its CIA;
  • identify the material risks to that CIA; and
  • as far as it is reasonably practicable to do so:
    • minimise or eliminate the material risks, which may include those mentioned in section 6; and
    • mitigate the relevant impact of each hazard on the CIA.

While the above requirements apply to the identification of all hazards, the CIRMP Rules require responsible entities to apply additional criteria to assess four specific forms of hazard. These are:

  • Cyber and information security hazards: responsible entities must adopt a cyber security framework to minimise the threat of cybersecurity risks. Under the CIRMP Rules, responsible entities must adopt one of the following frameworks:
    • Australian Standard AS ISO/IEC 27001:2015;
    • Essential Eight Maturity Model published by the Australian Signals Directorate;
    • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America;
    • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America;
    • The 2020-2021 AESCST Framework Core published but Australian Energy Market Operator Limited (ACN 072 010 327) 
    • Where a responsible entity would prefer to use an alternative framework, the CIRMP rules will permit this so long as that framework is “equivalent” to those listed above.
  • Personnel hazards: responsible entities must adopt a process for identifying suitable critical works and conducting background checks. They must also adopt a process for addressing negligent works and offboarding.
  • Supply chain hazards: responsible entities must adopt a process to minimise material risks to the misuse and disruption of elements of their supply chain, including threats to major suppliers; and
  • Physical Security Hazards and Natural Security Hazards: responsible entities must adopt a process to reasonably minimise the material risk posed by physical security hazards to physical critical components. This requirement also requires the responsible entity to develop incident response plans and security arrangements.

As of this writing, the CIRMP Rules identifies 13 CIAs that will be required to adopt a CIRMP. These are:

(a)   a critical broadcasting asset;

(b)   a critical domain name system;

(c)   a critical data storage or processing asset;

(d)   a critical electricity asset;

(e)   a critical energy market operator asset;

(f)    a critical gas asset;

(g)   a designated hospital;

(h)   a critical food and grocery asset;

(i)    a critical freight infrastructure asset;

(j)    a critical freight services asset;

(k)   a critical liquid fuel asset;

(l)    a critical financial market infrastructure asset mentioned in paragraph 12D(1)(i) of the Act;

(m)  a critical water asset. 

Any CIRMP adopted by a responsible entity must be signed off by the responsible entity’s governing entity (such as a board) and must be reviewed and updated regularly. In addition, an annual report must be submitted to the Secretary of the Department of Home Affairs within 90 days of the end of the financial year (30 June). 

If you qualify as a responsible entity for one of these CIAs, it is essential that you ensure you adopt a CIRMP by 17 August 2023 in order to maintain compliance with the SOCI Act. A failure to do so may result in the imposition of significant penalties.

If you are unsure whether your company is captured by the above criteria, please reach out to the Hamilton Locke New Energy team for more information.

The Hamilton Locke team advises across the energy project life cycle – from project development, grid connection, financing, and construction, including the buying and selling of development and operating projects. For more information, please contact Matt Baumgurtel.