Assessing successes and challenges of Australian CIRMP rules as critical infrastructure entities navigate adoption

Published Aug 22, 2023

As the six-month transition period for critical infrastructure organizations to adopt written CIRMP (Critical Infrastructure Risk Management Program) rules comes to a close, Australian entities are expected to have implemented a risk management program for their critical infrastructure assets starting from Friday. These responsible entities have been called upon by the Australian Cyber and Infrastructure Security Centre (CISC) to develop and maintain these CIRMP rules for their critical infrastructure assets, and have largely had to navigate compliance challenges along the way.


The CIRMP rules require responsible entities to establish and maintain a process or system in their risk management plans in relation to all hazards, which identifies the operational context and material risk to each critical infrastructure asset; minimizes or eliminates the material risks; and mitigates the relevant impact of each hazard on the critical infrastructure asset. Furthermore, an entity’s risk management plan must address hazards across cyber and information security, personnel, supply chain, physical security, and natural hazards.


Industrial Cyber reached out to cybersecurity executives to evaluate how effective the six-month transition period for adopting the written CIRMP rules has been for critical infrastructure organizations in Australia. They also look into the challenges these responsible entities faced during the transition period and how they overcame them.


Laith Shahin, founder and CEO of Secolve, told Industrial Cyber that the transition period allowed some organizations to complete work on previous projects or initiatives they started prior to the rules, whilst it gave other organizations the opportunity to establish a basis for a risk management program where one may not have existed previously, or to bring their existing program more in line with the written requirements of the CIRMP.


“The challenges faced by responsible entities vary from sector to sector and organisation to organisation,” according to Shahin. “Certain sectors, such as energy, had existing mandated requirements posed on it, therefore for these organisations that had existing practices in place, it would have been relatively easy to align to the CIRMP rules. On the other hand, for organisations within sectors that didn’t have such considerations in place, the challenges faced in uplifting their security baseline – particularly while handling their ongoing projects and day-to-day work — will have been more significant.”

“The six-month transition period is an acknowledgment that many organisations would face challenges implementing the CIRMP,” Mark Cox, managing director at Industrial CyberTech, said. “The CIRMP at its heart requires a complex risk assessment across four domains: cyber and information security, personnel hazards, supply chain hazards, and physical security and natural hazards.”


Cox told Industrial Cyber that before commencing the complex risk assessment, organizations have had to find and allocate significant financial, technological, and human resources, as well as select an appropriate cyber security framework. “The difficulty of allocating resources has some correlation to the size of the organisation, with smaller industrial asset owners and operators finding it more challenging. Fortunately, larger critical infrastructure organisations already maintain Risk Management Programs that meet some requirements of the CIRMP.”


However, Cox pointed out that because the CIRMP takes an ‘all-hazards approach’, which includes supply chain hazards and understanding asset interdependencies, asset owners are forced to look more closely at their major suppliers and other network-responsible entities and the risks they pose to their control systems environments. This creates the challenge of collaboration and information sharing amongst responsible entities.


“Another significant challenge is that the CIRMP is not a one-off compliance exercise,” Cox said. “As well as the initial deadline for compliance, asset owners and operators face the challenge of ongoing regulatory oversight and reporting. Inherent in the ongoing reporting is that CIRMPs will need continuous monitoring and review to ensure their effectiveness is maintained in the face of emerging threats, evolving risks, and changes in the environment.”


Ultimately, Cox highlighted that the organizations with the most effective CIRMP will be the ones that can incorporate it into their business culture and BAU operations.


Christopher Beggs, founder and principal ICS security consultant of SIS Industrial Cyber Security, told Industrial Cyber that he has “seen an uptake in requests from our critical infrastructure clients on establishing specific OT CSMS/ISMS to meet their SOCI CIRMP requirements. The approach and interpretation of our clients towards compliance is inconsistent and we see this as a gap across industries.”


For example, Beggs said that there is confusion about whether an ISO 27001 certification is required to demonstrate compliance with the CIRMP rules. “Furthermore, a key challenge faced by critical infrastructure organisations when implementing their CIRMPs relates to the SOCI guidance not prescribing how the outcomes should be achieved. Therefore, it is challenging for responsible entities to understand what level of detail to go to when performing cyber risk assessments for OT systems.”


Beggs added that many organizations assess cyber risks at a corporate or board level, “however we don’t often see organisations assessing specific detailed risks to their critical OT assets at lower levels of the OT environment.”


He also mentioned that organizations have been able to overcome these challenges by adopting industry-endorsed security standards for the assessment of cyber security risks to control systems, such as IEC 62443-3-2, ‘Security risk assessment for system design.’


The executives analyze whether there were any specific sectors or industries that have faced more difficulties in adopting the CIRMP rules. They also provide details on whether there was any additional support or resources provided by the CISC or any other agency to organizations during the six-month transition period to facilitate the adoption of these CIRMP rules.


Shahin confirmed that some sectors and organizations within those sectors would have faced more difficulties in adopting the CIRMP rules compared to others. “This is for the same reason stated before, those that have not had prior mandated requirements faced and continue to face more challenges.”


“A good example is the Renewable Energy sector, in particular solar farms, even though it falls under the umbrella of the wider Energy sector,” according to Shahin. “There are two main reasons for this – firstly, a large number of solar farms have not traditionally aligned or complied with the same standards that other Energy companies have been adopting such as the AESCSF, which meant that the SOCI Act was the driver for them to start their journey. Secondly, many solar farms are operated and maintained by OEM providers which introduces further challenges for them given the nature of the relationship and services provided by the OEMs.”


The CISC has helped in this regard with their provision of comprehensive resources for organizations to read through and follow, such as their sector-specific factsheets, Shahin observed. “Additionally, they have been quite active in running industry workshops and discussions to support understanding and implementing the CIRMP rules and other obligations under the SOCI Act.”


“There has been a steep learning curve for all industries as they implement the CIRMP,” according to Cox. “Compliance presents various challenges that vary based on each organisation’s circumstances, with organisational size definitely being a contributing factor. Common hurdles include: the time constraint to implement, finding resources, and selecting an appropriate framework.”


Cox added that some sectors, for example, the energy sector, have created their own Cyber Security Framework (AESCSF) that can be utilized by individual energy entities as they move towards compliance. “During the transition period, the CISC is providing as much support as they can to assist entities to transition and this includes the creation of the ‘Trusted Information Sharing Network,’ which is a platform for the industry to engage with the government and discuss threats and other issues within an industry context.”


Broadly speaking, Beggs pointed to a gap in the interpretation of the requirement across industries. “For example, those sectors who generally have a lower cyber maturity (i.e. manufacturing) have faced more difficulties in adopting a CIRMP, which can broadly be attributed to the lack of cyber awareness and training, and overall resourcing in OT cyber security.”


He added that Fact Sheets and Town Hall presentations provided by the CISC assisted with the understanding of Risk Management Program Rules, “however defining what is a ‘material risk’ and acting upon risk mitigating measures proved difficult for many organisations in pursuing risk mitigation measures that are disproportionate relative to the likelihood and consequences of a particular risk.”


The executives examined the consequences faced by organizations that have failed to adopt written CIRMP rules by the designated deadline.


Shahin commented that responsible entities that fail to meet and comply with the obligations by the deadline may face hefty financial penalties, but non-compliance has more broad-reaching consequences than money lost. “The introduction of the SOCI Act and CIRMP rules are intended to uplift the security baseline to protect our nation’s most important assets – the critical infrastructure that underpins the running of our society.”


He added that as technology evolves, so do the risks of cyber attacks on critical infrastructure. “Non-compliance by organisations could allow for security vulnerabilities to be taken advantage of and the implications of such an attack on critical infrastructure could be devastating to the communities it provides for.”


Cox detailed that companies that fail to adopt or maintain a CIRMP, or to meet related obligations (except annual reporting), will be liable for a penalty of 1,000 penalty units ($275,000) for each day of the violation.


He added that failure to comply with an adopted CIRMP carries the same penalty of 1,000 penalty units ($275,000) for each day of the breach. Also, companies that fail to meet annual reporting requirements are subject to a penalty of 750 penalty units ($206,250) for each day of the violation.


Beggs said that his clients are consulting internal legal and compliance teams to understand the consequences. “Our clients are proactively implementing the CIRMP rules and adhering to the recommended trial run of reporting and board engagement, with the objective of avoiding any failure or non-compliance with the CIRMP rules. We are confident our clients will comply with the CIRMP rules by adopting industry best practices and internationally endorsed standards for risk management,” he added.


The executives also throw light on whether any lessons have been learned during this ‘six-month transition period’ as organizations head into the additional 12-month period, which is intended to assist responsible entities in achieving compliance with the cybersecurity framework identified in their written CIRMP rules.


“The lessons learned lie in the key risks that have been identified by organisations during the 6-month transition period under the CIRMP rules. This period provided many opportunities including raising awareness across an organisation and its stakeholders on why this journey is important and what it means,” according to Shahin. “During this period, organisations needed to understand their risks and how to mitigate those risks, they also needed to develop an understanding of the different approaches the numerous cyber security frameworks offer and discern which one is best suited to their organisation’s specific requirements.”


Shahin added that it has paved the way for the cybersecurity framework compliance that the next 12 months (and beyond) would require. “A lot of the risks identified while developing the CIRMP would also be gaps identified when looking at the different requirements of the cybersecurity frameworks that organisations can adopt.”


Cox noted that the introduction of the CIRMP has elevated the awareness and understanding of how important risk management obligations are across critical infrastructure organizations. “The requirement for a framework-backed comprehensive approach that enforces timely adherence and ongoing compliance means risk management planning is not something that can be done once and put in the back of the drawer. The CIRMP will drive continuous collaboration with regulators and across industries to ensure continuous improvement in risk reduction and improved cyber security.”


He added that not reinventing the wheel by building on existing policies and procedures if available can significantly reduce the effort in complying with the CIRMP. “Existing risk management programs, quality, and safety systems can all be drawn on to aid with compliance. As compliance is an ongoing annual requirement, entities must integrate a security mindset into organisational culture so everyone understands security is everyone’s responsibility.”


“With regular training of staff, the ongoing identification and reporting of new hazards will become routine, similar to reporting OH&S issues and they can be included in the CIRMP, maintaining its currency,” Cox added.


Beggs suggested providing additional clarity on how critical infrastructure organizations can meet the compliance requirements, especially for those starting from a low level of maturity. “Also, since the acceptable standards in the CIRMP are not ICS/OT specific, extending IT cybersecurity standards to critical systems that are supported by ICS/OT makes it additionally challenging.”


He also identified the need for incorporating specific OT/ICS standards such as IEC 62443 in the list of acceptable standards for CIRMP compliance. “Responsible entities have used the ‘6-month transition period’ to establish/uplift their CIRMP and have it ratified by the board. A key lesson learned by several entities is that mitigating actions and the implementation of controls should be commensurate with the likelihood and consequences of a particular risk, rather than trying to solve the problem with a silver-bullet approach across all systems.”


Furthermore, Beggs outlined that his clients have taken the time to plan for mitigations by developing OT security architectures that identify controls that are practical and pragmatic for each SuC based on security levels for each system class within their OT technology environment.


“Using methodologies for risk management defined in IEC 62443 to assess risks specific to critical components or CI assets enables the foundation of any OT cyber strategy/framework that provides a standard blueprint by defining exactly where to deploy security controls to best protect critical infrastructure and maximise security spend,” he concluded.


Original article posted here on Industrial Cyber.