Australia’s CISC releases updated cybersecurity guidance for Systems of National Significance

Australia’s Cyber and Infrastructure Security Centre (CISC) released on Monday updated guidance materials aimed at bolstering cyber security measures for Systems of National Significance (SoNS), which represent the country’s most critical infrastructure assets. The comprehensive guidance includes specific instructions for SoNS on fulfilling the Incident Response Planning obligation and detailed guidelines for meeting the Cyber Security Exercise obligation. These enhanced obligations are part of Australia’s ongoing efforts to strengthen the resilience and security of its vital infrastructure against cyber threats.

Under the Security of Critical Infrastructure (SOCI) Act, SoNS may be subject to one or more Enhanced Cyber Security Obligations designed to ensure critical infrastructure entities have well-tested plans in place to respond to and mitigate against a cyber attack.

The SOCI Act imposes several security obligations on critical infrastructure entities to achieve this security uplift. This includes the Register of Critical Infrastructure Assets obligation; Risk Management obligation; Notification of Data Service Providers obligation; and Mandatory Cyber Incident Reporting obligation. Entities responsible for SoNS may have additional enhanced Cyber Security Obligations applied to their assets.

An incident response plan is a written plan that outlines how a responsible entity for a SoNS will respond to a cyber security incident. While uplifting cyber security and preventing attacks from occurring will always be the number one priority, there may be some threats that cannot be thwarted. 

Incident response plans provide an organization with a clear understanding of ‘what to do’ and ‘who to call’ to minimize the impact of an incident and continue to provide services to the community. To be effective, an incident response plan should align with an organization’s emergency, crisis, and business continuity arrangements, as well as jurisdictional and national cyber and emergency arrangements; and it should support personnel in fulfilling their roles by outlining their responsibilities and all legal and regulatory obligations.

The document outlines that the Secretary of the Department of Home Affairs (or a delegate) may apply the Incident Response Planning obligation to a responsible entity for a SoNS. The obligation requires the entity to adopt, maintain, and comply with an incident response plan that relates to the SoNS and to cyber security incidents. The entity must also review the plan regularly and take reasonable steps to ensure the plan is up to date.

Before applying the Incident Response Planning obligation, the Secretary must consult the responsible entity and consider the costs, reasonableness, and proportionality of applying the obligation, as well as any other matter that the Secretary considers relevant. This may include whether a similar or equal regulation already applies to the SoNS.

The Department’s initial approach to implementing the Incident Response Planning obligation is to ensure a baseline incident response capability across all SoNS, and that plans are well-practiced and tested. This component will be supported by applying the Cyber Security Exercise obligation.

The Incident Response Planning obligation under the SOCI Act is focused on cyber security incidents and is not intended to address hazards more broadly. While the Department will accept incident response plans that include an all-hazards approach, it must be clear that the plan has a significant focus on cyber. 

Best practice incident response plans are not written for specific cyber security incidents (although components of them may focus on specific types) but rather apply to cyber security incidents more generally. This ensures procedures are in place to address the various methodologies adopted in a cyber attack.

The second document, covering the Cyber Security Exercise obligation, describes how an exercise tests an entity’s ability and preparedness to respond to cybersecurity incidents, as well as to mitigate their impacts. Ultimately, an exercise is designed to reveal whether the existing resources, processes, and capabilities of an entity sufficiently safeguard the system from being impacted by a cyber security incident. Working through the reality of what needs to happen when responding to a cyber attack is a vital element of an entity’s cyber preparedness and maturity.

Exercises can be conducted in different formats designed to achieve different outcomes and test different capabilities. They may include discussion-based or table-top exercises, where teams or individuals talk through how they would respond to an incident and explore issues that might arise during an incident; or operational or functional exercises, where teams or individuals perform their roles and responsibilities in implementing plans, processes, and procedures to respond to a simulated incident. 

The document said that regardless of the format, exercises should be followed by a debrief with those who participated and an evaluation report that outlines what occurred during the exercise, what worked well, what did not work well, lessons learned, areas for improvement, and actions required. This report is essential for an exercise to be worthwhile. 

It further outlined that the Secretary of the Department of Home Affairs (or a delegate) may, by written notice, require a responsible entity for a SoNS to undertake a cybersecurity exercise within a certain timeframe. The exercise tests the responsible entity’s ability to respond appropriately to one or more incidents that could have a relevant impact on the system; its preparedness to respond appropriately to such incidents; and its ability to mitigate the relevant impacts that one or more incidents could have on the system.

Before giving a written notice, the Secretary must consult the responsible entity and consider the cost, reasonableness, and proportionality of applying the obligation, as well as any other matter the Secretary considers relevant. This may include whether a similar or equal regulation already applies to the SoNS. If the obligation is applied, the notice will specify whether the exercise should concern all types of cybersecurity incidents or one or more specified types of cybersecurity incidents (sections 30CM and 30CM respectively).

In practice, a cybersecurity exercise about all types of cybersecurity incidents will be used to test an entity’s general cyber response preparedness, mitigation, and response capabilities. In contrast, a cyber security exercise about a specific incident will test responsiveness, preparedness, and mitigation capability with a particular threat scenario, such as a ransomware attack. This requirement may be applied to certain SoNS where critical risks or threats have been identified within a specific sector or asset class.

The compliance focus of the CISC for 2023–24 is on education and awareness raising, except for any detected egregious non-compliance. The CISC states that it has extended this approach to assist the industry in understanding and complying with their SOCI obligations. During the third and fourth quarters of 2023-24, the CISC will undertake a limited series of trial audits testing industry compliance with SOCI Act obligations. This will inform and guide the commencement of compliance audit activities in 2024-25.

In 2024-25, the SOCI Compliance Regulatory Posture will aim to balance education and awareness-raising activities with compliance activities, in order to drive an uplift in regulated entity compliance. Effective compliance activities will support the objective of the SOCI Act to provide a framework for managing risks relating to critical infrastructure. Helping the industry understand the implications of these obligations and ensuring compliance is not just a matter of legal obligation; it is a requirement to protect the essential services all Australians rely on.

The CISC’s 2024-25 Compliance Regulatory Posture relating to the Enhanced Cyber Security Obligations will continue to focus on partnering with the entities responsible for SoNS, to ensure they understand and can comply with their obligations. The CISC describes the advice about the change in its regulatory posture as consistent with its intent to continue to build relationships with stakeholders and to be a transparent and effective regulator.

In December, the Australian government published a consultation paper on new cybersecurity legislation, which proposes changes to the SOCI Act. Dedicated to becoming a global leader in cybersecurity by 2030, the government document indicates plans to introduce a last-resort consequence management power. This would allow the Minister for Home Affairs to issue directives to a critical infrastructure entity, subject to safeguards and only when no other powers are applicable.
