Australia begins engagement on Risk Management Program rule of its critical infrastructure reforms

The Australian government announced that it has begun consulting on the Risk Management Program Rule under Part 2A of the Security of Critical Infrastructure Act 2018. The initiative works towards a strong and effective government-industry partnership that is central to achieving the government’s vision for critical infrastructure security and resilience. 

The Risk Management Program (RMP) will require the owners and operators of certain critical infrastructure assets to identify risks to their business and have a risk plan signed off annually by their board or other governing body.

The consultation is open for 45 days, from Wednesday, October 5, 2022, until Friday, November 18, so that all affected parties can have a say on these obligations. The critical infrastructure RMP is intended to ensure that the responsible entity for each of those assets identifies each hazard where there is a material risk that the hazard could have a relevant impact on the asset. It also requires that the entity, “so far as it is reasonably practicable to do so—minimises or eliminates any material risk of such a hazard occurring, and so far as it is reasonably practicable to do so—mitigates the relevant impact of such a hazard on the asset.”

“RMP is a great opportunity for businesses to identify the full range of risks they face, and then plan out practical steps to mitigate or reduce their exposure,” Hamish Hansford, group manager and inaugural head of the Australian Cyber and Infrastructure Security Centre (CISC), said in a recent statement. “In parallel, we have developed a discussion paper for you to consider which outlines a proposed framework for conducting background checks for critical infrastructure, to support businesses to manage personnel risk.”

Hansford added that these checks are not mandatory, “and we are not requiring AusChecks for critical workers – but we have provided it as an option for when you are considering how to manage personnel security.”

Building on industry engagement during the development of amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), the Australian government has consulted widely with government and industry partners in developing the asset definitions and the risk management program rules. It aims to capture the services that are vital to Australia’s security, economic prosperity, and way of life while reducing the regulatory burden on industry.

The CISC is holding two all-sector introductory town hall meetings on Microsoft Teams to commence consultation. At the meetings, the CISC will provide information on the formal consultation process and the proposed RMP Rules, RMP Guidance, AusCheck background check for critical infrastructure, Protected Information Guidance, and RMP Annual Report Submission form. 

The first meeting was held on Monday, October 10, and the second is scheduled for Wednesday, October 12, between 1530 and 1630 hrs AEDT. Each session is capped at 1,000 attendees, covers the same content, and will be recorded. The slides for these sessions will be available on the CISC website following the second session.

Over the 45-day consultation period, the CISC will also hold four Q&A sessions on Microsoft Teams to hear the specific issues industry would like to raise. The four sessions are scheduled from 1330 to 1500 hrs AEDT on Thursday, October 13, Tuesday, October 18, Tuesday, October 25, and Tuesday, November 1. The agency said it could schedule more Q&A sessions should there be interest from industry.

The Minister for Home Affairs proposes to apply the critical infrastructure risk management program requirements, through the risk management program Rules, to critical electricity assets, critical energy market operator assets, critical gas assets, critical liquid fuels assets, critical water assets, and critical financial market infrastructure assets used in connection with the operation of payment systems. It also covers critical data storage or processing assets, certain critical hospitals, critical domain name systems, critical food and grocery assets, critical freight infrastructure, critical freight services, and critical broadcasting assets.

Under the amended SOCI Act, the Minister for Home Affairs may, by rules made under Part 2A (inserted by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022), require the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program. Once the rules apply the obligation to an asset, the responsible entity must have, and comply with, such a program unless an exemption applies. The rules also give responsible entities a period of six months before they are required to comply with the obligations under Part 2A of the Act.

Draft guidance on the requirements sets out the matters an entity must consider when developing its risk management program. These include whether the program has established and maintained a process for identifying the operational context of its critical assets, the interdependencies between those assets, and the critical positions within the entity, including the persons responsible for the risk management program, the persons responsible for minimizing or eliminating risks, and the persons responsible for reviewing the program. Other matters include whether the program embodies the principles of a reasonable risk management methodology and whether it describes the circumstances in which the entity will review the program.

Subsection 8(2) of the draft rules requires the entity to establish and maintain, within its critical infrastructure risk management program, a process or system to minimize or eliminate any material risk of a hazard that could have a relevant impact on the cyber and information security of the asset, and to mitigate the relevant impact of such a hazard on the cyber and information security of the asset. The purpose of the subsection is to require an entity’s program to reach the level of preparedness needed to mitigate cyber security threats to its critical infrastructure assets.

Additionally, paragraph 8(4)(a) of the instrument requires that the entity’s program comply with one of the following: the Australian Standard AS ISO/IEC 27001:2015; the Essential Eight Maturity Model published by the Australian Signals Directorate; the Framework for Improving Critical Infrastructure Cybersecurity published by the U.S. National Institute of Standards and Technology (NIST); or the Cybersecurity Capability Maturity Model published by the U.S. Department of Energy.

Under subsection 8(5), an entity may instead comply with a framework equivalent to one of the frameworks mentioned in subsection 8(4). The purpose of this provision is to give industry the flexibility to meet its statutory obligations by recognizing alternative cyber security frameworks that achieve the desired uplift in the security and resilience of the entity’s Part 2A asset.

As part of the consultation process, the Australian government also provided a draft titled ‘AusCheck Background Checks for the purpose of a Risk Management Program,’ which outlines how background checks for the risk management program obligation would be carried out under the AusCheck scheme. “We encourage you to review the document. Feedback gathered will be used to amend the AusCheck Regulations 2017 and establish the checking mechanism,” the government added.

As part of the process of making the rules under Part 2A of the SOCI Act, the Minister for Home Affairs must consider the industry’s cost in implementing the obligations for the risk management program. To enable this, a draft regulation impact statement has been developed based on the cost information provided to the Department by sectors following the development of the draft risk management program rules in late 2021.

The regulation impact statement will be finalized and published by the Office of Best Practice Regulation once the Minister makes the final risk management program rules.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a Binding Operational Directive (BOD 23-01) calling on federal civilian executive branch (FCEB) agencies to make measurable progress toward improving visibility into asset discovery and vulnerability enumeration across their networks. The directive treats continuous and comprehensive asset visibility as an essential precondition for any organization to manage cybersecurity risk.
