Effective security and protection of Australia's critical infrastructure assets are crucial to safeguarding the delivery of essential services to the Australian community.
Risks to critical infrastructure assets are manifold and ever-evolving. They have also become more complex due to frequent natural disasters, foreign or state-sponsored interference and increased malicious threat actor activity. These risks are not limited in nature and it is erroneous to equate the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) only with cyber risk ─ the risks are wide-ranging, as are the legislative definitions of what constitutes critical infrastructure assets.
This explains the now mandated risk management approach to protecting critical infrastructure assets for owners and operators. Understanding the application of the SOCI Act and implementing a compliant risk management program is critical to minimising the impact of the range of risks responsible businesses and their supply chains are now required to manage.
CIRMP Rules
The SOCI Act imposes obligations on responsible entities of critical infrastructure assets to adopt and maintain a critical infrastructure risk management program (CIRMP) ─ see Part 2A of the SOCI Act.
The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN/23/006) 2023 (CIRMP Rules) specifies:
- the critical infrastructure assets subject to the SOCI Act critical infrastructure risk management program obligations; and
- further CIRMP requirements for relevant responsible entities.
Learn more about CIRMP requirements in our previous update, Critical Infrastructure Protection Act 2022 explained, or speak directly with one of our experts.
Key dates
The grace period to comply with the CIRMP Rules ends 17 August 2023. Operation of the CIRMP Rules commenced on 17 February 2023, marking the beginning of the six-month grace period within which responsible entities of critical infrastructure assets must comply with the CIRMP Rules. By the end of this grace period, responsible entities will be required to have a written CIRMP in place or run the risk of contravening the CIRMP Rules and the SOCI Act.
If, at any time after 17 February 2023, certain assets of responsible entities are deemed to be critical infrastructure assets, the responsible entity will have a six-month transition period from the deeming date to adopt a CIRMP for that applicable asset by the end of the relevant transition period.
Within 12 months after the end of the six-month grace period (being 17 August 2024) or a six-month transition period, a responsible entity must establish and maintain a process or system to comply with a cyber security framework, or an equivalent framework, identified in its written CIRMP.
Who must have a written CIRMP?
Responsible entities of the following critical infrastructure assets must adopt, maintain and comply with a CIRMP.
- Critical broadcasting assets
- Critical domain name systems
- Critical data storage or processing assets
- Critical electricity assets
- Critical energy market operator assets
- Critical gas assets
- Designated critical hospitals
- Critical food and grocery assets
- Critical freight infrastructure assets
- Critical freight services assets
- Critical liquid fuel assets
- Critical financial market infrastructure assets used in connection with the operation of a payment system
- Critical water assets
Key takeaways
The new CIRMP Rules are only a small part of what is increasingly becoming a highly regulated and complex regulatory landscape. It is important that owners and operators of critical infrastructures assets:
- know that the SOCI Act applies to them,
- stay on top of the new obligations imposed by the CIRMP Rules to understand any additional responsibilities, and
- avoid any contraventions of both the SOCI Act and the CIRMP Rules.
How we can help
Lander & Rogers' Digital Economy practice advises owners and operators of critical infrastructure assets on their obligations under the SOCI Act. Please contact our team of experts if you would like to know more or discuss how the CIRMP Rules may affect your business, or if you need assistance with developing or reviewing a CIRMP.
Image by chungking via AdobeStock.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted. Lander & Rogers is furthermore committed to providing legal advice and content that is factual, true, practical and understandable. Learn more about our editorial policy.