Australia CIRMP Rules now live, set to uplift core security practices of certain critical infrastructure assets

The Australian Cyber and Infrastructure Security Centre (CISC) announced Friday that its Critical Infrastructure Risk Management Program (CIRMP) requirement is now live. The CIRMP Rules assist owners and operators in understanding risk across the relevant hazard domains, empowering them to take action that lowers risk to the ongoing operation of their systems, assets, and businesses.

“The CIRMP is the third and final of the three positive security obligations legislated within recent amendments to the Security of Critical Infrastructure Act 2018 – the other two being Mandatory Cyber Incident Reporting, and the Critical Infrastructure Asset Register requirement,” according to the CISC. Working together, these obligations uplift Australia’s critical infrastructure security and resilience, further protecting the essential services all Australians rely on.

Now that the Rules are live, there is a six-month transition period for responsible entities to adopt a written CIRMP, the CISC said. “If a responsible entity’s asset becomes a CI asset after the Rules commence, the responsible entity must meet CIRMP requirements within six months of the day the asset became a CI asset.”

The Minister for Home Affairs, Clare O’Neil, ‘switched on’ the CIRMP rules in February this year, following an extended period of consultation, CISC said. Through this consultation process, the Minister was able to incorporate feedback from critical infrastructure stakeholders that has ultimately made the rules simpler and easier to implement.

Organizations have a six-month grace period after the commencement of the rules, until Aug. 17, 2023, a CISC Fact Sheet outlined. The final day for a CIRMP to adopt and comply with the cyber and information security hazards framework will be Aug. 17, 2024, which is 18 months from the guidelines’ start date. Additionally, Sept. 28 each year will be the last day to submit an annual report for the preceding Australian financial year (i.e. Jul. 1 to Jun. 30). As part of the ongoing process, organizations must comply with, regularly review, and, if required, update the CIRMP.

The CIRMP intends to uplift core security practices that relate to the management of certain critical infrastructure assets, according to guidance material prepared to assist in the understanding of the CIRMP Rules as part of the Security of Critical Infrastructure Act 2018 (SOCI Act). It aims to ensure responsible entities take a holistic and proactive approach toward identifying, preventing, and mitigating risks. 

The Rules apply to various critical infrastructure assets, including critical electricity assets, critical energy market operator assets, critical gas assets, critical liquid fuels assets, critical water assets, critical financial market infrastructure assets used in connection with the operation of a payment system, critical data storage or processing assets, certain critical hospitals, critical domain name systems, critical food and grocery assets, critical freight infrastructure assets (including listed intermodal transfer facilities that are critical to the transportation of goods between states or territories), critical freight services assets, and critical broadcasting assets.

The SOCI Act and the Rules specify requirements to be contained in a CIRMP. These requirements are based on principles-based outcomes and include identifying material risks, minimizing risks to prevent incidents, mitigating the impact of realized incidents, and delivering effective governance.

“Now the rules are in effect, responsible entities for critical infrastructure assets are required to adopt, maintain and comply with a risk management program that identifies and manages material risks of hazards that could have a relevant impact on a critical infrastructure asset,” CISC highlighted on Friday. “The plan must identify each hazard where there is a material risk that the occurrence of that hazard could have a relevant impact on the asset, and – as far as it is reasonably practicable to do so – must minimise or eliminate any material risk of such a hazard occurring.”

Through the implementation of agnostic rules, “we hope to create a baseline for security across all critical infrastructure sectors in the Australian economy. While many organisations will no doubt already exceed the thresholds set out in the rules, we hope the Critical Infrastructure Risk Management Program (CIRMP) rules will uplift all critical infrastructure entities, right through supply chains,” the agency added.

CISC also envisioned the rule benefiting not just the responsible entity but also its upstream and downstream suppliers, ensuring that an awareness of security standards becomes the norm for many Australian businesses. “The inclusion of a requirement for a board or governing body to sign an attestation regarding the CIRMP lifts the issue of risk management and security from an operational level to the board level. By ensuring that directors of companies have these issues at the front of their minds as they make strategic decisions, we will aim to ensure a stronger effort to protect our critical infrastructure at all levels,” it added.

The agency said that the issue particularly goes to the requirement for responsible entities “to consider supply chain hazards – we have all seen the significant disruptions in the supply chain caused by the COVID-19 pandemic. By requiring directors and board-level decision makers of a responsible entity to be thinking about how best to mitigate possible hazards to their supply chain, we will see more industries consider not just cost but also security and reliability of their supply chains going into the future,” it added.

While pursuing sensible regulation, “our approach is not intended to increase the burden on owners and operators, nor to duplicate other mechanisms. For example, where a requirement for a CIRMP already exists under other legislation, we won’t be enforcing dual reporting,” CISC said.

Similarly, nothing in the rules overrides any existing provisions within the Privacy Act 1988, the Australian Privacy Principles, or the Fair Work Act 2009, nor do the Rules absolve employers of any other obligations, including relevant occupational health and safety legislation, the agency said. “The Secretary of the Department of Home Affairs, Michael Pezzullo AO, also has the power to review a responsible entity’s Plan, to ensure actions are being taken appropriately.”

It added that this ensures the CIRMP sits alongside other important and relevant legislative requirements and does not overrule, duplicate, or impinge upon them.

Earlier this month, the CISC published its critical infrastructure asset class definition guidance, which is applicable to all relevant infrastructure sectors. The outline simplifies obligations for critical infrastructure responsible entities and direct interest holders, helping improve operational resilience and reduce complexity. Across ten categories, the document covers 22 critical infrastructure sectors and provides guidance on critical infrastructure asset classes.