What is the CIRMP?
The Australian Government made the Critical Infrastructure Risk Management Program (CIRMP) Rules in February 2023, the final part of the Security of Critical Infrastructure (SOCI) Act reforms. If you are the responsible entity for one of the critical infrastructure asset classes named in the Rules, these obligations apply to you, but what do they really mean in practice? In this article, we look at the new CIRMP obligations and what you will need to action in order to achieve compliance.
So, what is the SOCI Act and how does the Critical Infrastructure Risk Management Program (CIRMP) fit in?
Australia’s Security of Critical Infrastructure (SOCI) Act is legislation that aims to protect the country’s critical infrastructure from national security risks. The Act was introduced in 2018 and requires certain critical infrastructure assets and systems to be registered and assessed for security risks. The final part of the SOCI Act reforms to pass introduced the Critical Infrastructure Risk Management Program (CIRMP).
The CIRMP aims to improve the security and resilience of critical infrastructure assets across Australia, including electricity, water, healthcare, transport and communication systems. It is designed to help organisations identify, assess and manage security risks to their critical infrastructure assets and systems.
By having a robust risk management program in place, organisations will be able to continue providing essential services that our communities and economy rely upon, and recover quickly from incidents that impact critical infrastructure assets.
CIRMPs are intended to uplift core security practices that relate to the management of CI assets. They ensure responsible entities take a holistic and proactive approach toward identifying, preventing and mitigating material risks from all hazards. The program’s scope encompasses:
- Identification of critical assets
- Assessment of risks
- Development of mitigation strategies, and
- Implementation of those strategies.
The program requires organisations to identify, assess, mitigate, and prevent risks from all hazards to the critical infrastructure assets, including cyber security hazards, personnel hazards, physical and natural hazards, and supply chain hazards. It also ensures that all stakeholders are aware of the requirements and expectations for secure and resilient infrastructure in Australia’s critical sectors.
The key features of the Critical Infrastructure Risk Management Program
The Cyber and Infrastructure Security Centre’s (CISC) Risk Management Program Rules for Critical Infrastructure Assets guidance outlines the key features and requirements of the CIRMP, which will guide asset owners and operators in keeping their critical infrastructure safe from threats. These features include:
Identification of critical assets
The CIRMP provides a structured approach to identify critical assets and determine their level of criticality to national security or economic welfare. Some of these assets have been declared systems of national significance (SoNS) and will have additional obligations they need to comply with.
Assessment of risks
The CIRMP provides guidance on a range of risk assessment methodologies that enable asset owners to identify vulnerabilities and potential threats to their critical assets. Rating the likelihood and impact of each hazard determines which risks are material and therefore must be mitigated, and in what order of priority.
Development of mitigation strategies
The CIRMP helps asset owners and operators to develop and implement mitigation strategies that manage identified risks effectively. This includes identifying and prioritising mitigation measures to reduce each material risk to an acceptable level, and documenting the measures still to be put in place.
Mandatory baseline security requirements
The CIRMP requires organisations to adopt a recognised framework in order to reach a mandatory baseline of cyber security. The Rules name the following frameworks (two of which were developed within Australia), each at a specified minimum maturity level, or an equivalent framework:
- ACSC Essential Eight (Maturity Level One)
- Australian Energy Sector Cyber Security Framework (AESCSF, Security Profile 1)
- Cybersecurity Capability Maturity Model (C2M2, Maturity Indicator Level 1)
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
- AS ISO/IEC 27001:2015
For personnel hazards, responsible organisations can use AusCheck background checks for vetting staff in critical roles, and to manage supply chain hazards, they can leverage the ACSC’s Cyber Supply Chain Risk Management guidance.
For physical and natural hazards, responsible organisations should ensure that the relevant security hazards are integrated into their existing enterprise risk management framework along with all other natural and physical hazards, and not treated separately.
Separately from the CIRMP, the SOCI Act already requires responsible entities to report cyber security incidents affecting a critical infrastructure asset to the Australian Cyber Security Centre: within 12 hours of becoming aware of an incident that has a significant impact on the asset, and within 72 hours for an incident that has a relevant impact. The incident response and escalation procedures in your CIRMP should be written so that these deadlines can actually be met.
In addition to maintaining the CIRMP, responsible entities must also provide an annual report within 90 days of the end of each Australian financial year. The annual report allows boards to assess security risk management and gives the Australian Government visibility into how critical infrastructure entities are managing security risks, at the individual asset level and overall.
From these reports the CISC can understand how risks are being managed, what hazards are impacting critical infrastructure, and how things can be improved across the industry.
The annual reporting will need to include:
- A declaration of whether the CIRMP was up to date at the end of the Australian financial year
- Information on any hazard which occurred during the year that had a significant relevant impact on a critical infrastructure asset, and
- Approval from the organisation’s board, council or other governing body
How long do you have to implement a Critical Infrastructure Risk Management Program?
As the CIRMP Rules commenced in February 2023, responsible entities had a 6-month grace period (to August 2023) to adopt a CIRMP. By the end of this grace period, organisations are expected to have documented the material risks to their assets and to have controls in place to minimise those risks, including mitigations that are intended to be put in place over time.
Organisations then have a further 12 months (to August 2024) to meet the CIRMP cyber security framework requirements. Once implemented, the CIRMP will need to be reviewed regularly, kept up to date, and supported by the annual reporting described above.
The CIRMP underscores the Australian Government’s commitment to strengthening our national security posture and ensuring critical infrastructure protection and resilience. By implementing the CIRMP, Australia can better protect its citizens and economy from disruptions that could have far-reaching consequences.