Assessing successes and challenges of Australian CIRMP rules as critical infrastructure entities navigate adoption
Published Aug 22, 2023
As the six-month transition period for critical infrastructure organizations to adopt written CIRMP (Critical Infrastructure Risk Management Program) rules comes to a close, Australian entities are expected to have implemented the risk management program for their critical infrastructure assets starting from Friday. These responsible entities have been called upon by the Australian Cyber and Infrastructure Security Centre (CISC) to develop and maintain these CIRMP rules for their critical infrastructure assets, and many have had to navigate compliance challenges along the way.
The CIRMP rules require responsible entities to establish and maintain a process or system in their risk management plans in relation to all hazards, which identifies the operational context and material risk to each critical infrastructure asset; minimizes or eliminates the material risks; and mitigates the relevant impact of each hazard on the critical infrastructure asset. Furthermore, an entity’s risk management plan must address hazards across cyber and information security, personnel, supply chain, physical security, and natural hazards.
Industrial Cyber reached out to cybersecurity executives to evaluate how effective the six-month transition period for adopting the written CIRMP rules has been for critical infrastructure organizations in Australia. They also look into the challenges these responsible entities faced during the transition period and how they overcame them.
Laith Shahin, founder and CEO of Secolve told Industrial Cyber that the transition period allowed some organizations to complete work on previous projects or initiatives they started prior to the rules, whilst it gave other organizations the opportunity to establish a basis for a risk management program where one may not have existed previously – or to bring their existing program more in line with the written requirements of the CIRMP.
“The challenges faced by responsible entities vary from sector to sector and organisation to organisation,” according to Shahin. “Certain sectors, such as energy, had existing mandated requirements posed on it, therefore for these organisations that had existing practices in place, it would have been relatively easy to align to the CIRMP rules. On the other hand, for organisations within sectors that didn’t have such considerations in place, the challenges faced in uplifting their security baseline – particularly while handling their ongoing projects and day-to-day work — will have been more significant.”
“The six-month transition period is an acknowledgment that many organisations would face challenges implementing the CIRMP,” Mark Cox, managing director at Industrial CyberTech, said. “The CIRMP at its heart requires a complex risk assessment across four domains: cyber and information security, personnel hazards, supply chain hazards, and physical security and natural hazards.”
Cox told Industrial Cyber that before commencing the complex risk assessment, organizations have had to find and allocate significant financial, technological, and human resources, as well as select an appropriate cyber security framework. “The difficulty of allocating resources has some correlation to the size of the organisation, with smaller industrial asset owners and operators finding it more challenging. Fortunately, larger critical infrastructure organisations already maintain Risk Management Programs that meet some requirements of the CIRMP.”
However, Cox pointed out that because the CIRMP takes an ‘all-hazards approach’, which includes supply chain hazards and understanding asset interdependencies, asset owners are forced to look more closely at their major suppliers and other network-responsible entities and the risks they pose to their control systems environments, which creates the challenge of collaboration and information sharing amongst responsible entities.
“Another significant challenge is that the CIRMP is not a one-off compliance exercise,” Cox said. “As well as the initial deadline for compliance, asset owners and operators face the challenge of ongoing regulatory oversight and reporting. Inherent in the ongoing reporting is that CIRMPs will need continuous monitoring and review to ensure their effectiveness is maintained in the face of emerging threats, evolving risks, and changes in the environment.”
Ultimately, Cox highlighted that the organizations with the most effective CIRMP will be the ones that can incorporate it into their business culture and business-as-usual (BAU) operations.
Christopher Beggs, founder and principal ICS security consultant of SIS Industrial Cyber Security, told Industrial Cyber that he has “seen an uptake in requests from our critical infrastructure clients on establishing specific OT CSMS/ISMS to meet their SOCI CIRMP requirements. The approach and interpretation of our clients towards compliance is inconsistent and we see this as a gap across industries.”
For example, Beggs said that there is confusion about whether an ISO 27001 certification is required to demonstrate compliance with the CIRMP rules. “Furthermore, a key challenge faced by critical infrastructure organisations when implementing their CIRMPs relates to the SOCI guidance not prescribing how the outcomes should be achieved. Therefore, it is challenging for responsible entities to understand what level of detail to go to when performing cyber risk assessments for OT systems.”
Beggs added that many organizations assess cyber risks at a corporate or board level, “however we don’t often see organisations assessing specific detailed risks to their critical OT assets at lower levels of the OT environment.”
He also mentioned that organizations have been able to overcome these challenges by adopting industry-endorsed security standards for the assessment of cyber security risks to control systems, such as IEC 62443-3-2 ‘Security risk assessment for system design.’
The executives analyze whether there were any specific sectors or industries that have faced more difficulties in adopting the CIRMP rules. They also provide details on whether there was any additional support or resources provided by the CISC or any other agency to organizations during the six-month transition period to facilitate the adoption of these CIRMP rules.