Corporate espionage and sabotage: Mitigating the risk of personnel hazards

While people are often an organisation's greatest asset, they can also be the greatest liability when it comes to cyber security.

Key personnel can create significant cyber security threats, whether knowingly or unknowingly. This could be as simple as not securing a connected device or failing to report it as lost or stolen, to something more serious like the theft and use of identification and login credentials for nefarious purposes.

Personnel implications of the new Security of Critical Infrastructure Act (SOCI Act)

In our earlier article, we examined the obligations imposed on some businesses by the recently amended SOCI Act to protect and improve the resilience of Australia's critical infrastructure assets.

Aspects of the changes have particular significance for human resources (HR) and occupational health and safety (OHS) managers.

Explore the implications further below.

Why do HR and OHS managers need to know about the SOCI Act?

There are now three Positive Security Obligations (PSOs) for critical infrastructure assets in the SOCI Act.

1. One of the PSOs is an obligation for responsible entities¹ of certain critical infrastructure assets to adopt, maintain, comply with, and regularly review and update a risk management program (RMP). This PSO applies to critical infrastructure assets that are either privately declared, or "switched on" by the rules.

   Part 2A of the SOCI Act sets out the overarching requirements for an RMP, with the more detailed elements to be contained in risk management program rules.

   An exposure draft of the RMP rules has been released, but not yet made enforceable.²

   It is proposed that the RMP PSO will initially be applied to the following 10 asset classes where there are not already sufficient regulatory or administrative arrangements in place:

• electricity assets
• energy market operator assets
• gas assets
• liquid fuel assets
• water and sewerage assets
• financial market infrastructure assets that are a critical payment system
• data storage or processing assets
• hospital assets
• domain name system assets
• broadcasting assets

The following critical asset classes will also be included (some time after 1 January 2023):

• freight services assets
• freight infrastructure assets
• food and grocery assets

2. Responsible entities must develop a written RMP, including to identify relevant hazards, establish measures to minimise or eliminate material risks of the hazard occurring, and mitigate its impact if it does occur.

3. The draft RMP rules currently propose that the RMP address four primary hazards. One such hazard relates to "personnel hazards".³

What is a personnel hazard and how is it identified?

In simple terms, a personnel hazard exists when a critical worker could act, maliciously or negligently, in a way that compromises the proper function of a critical asset.

The draft RMP rules propose that a responsible entity will need to establish and maintain a process or system to:

• identify all "critical workers"
• assess, on an ongoing basis, the suitability of each critical worker to have access to the "critical components" of the asset
• minimise or eliminate "material risks" that negligent employees, and malicious insiders, may cause to the functioning of the asset; and
• minimise or eliminate material risks arising from the off-boarding process for outgoing employees and contractors

Who is a critical worker?

A "critical worker" means an individual, where the following are satisfied:

• the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies
• the absence or compromise of the individual, as assessed by the responsible entity for the asset:
  • would prevent the proper function of the asset; or
  • could cause significant damage to the asset
• the individual has access to, or control and management of, a critical component of the asset

A "critical component" of a critical infrastructure asset is defined as a part of the asset, where absence of, damage to, or compromise of, the part of the asset:

• would prevent the proper functioning of the asset; or
• could cause significant damage to the asset,

as assessed by the responsible entity for the asset.⁴

What is a material risk?

The draft RMP rules provide that when considering if a risk is a "material risk", a RMP should consider the following with respect to a critical infrastructure asset:

• impairment of the asset in a way that may prejudice the social or economic stability of Australia, its people, the defence of Australia, or Australia's national security
• a hazard that would cause the stoppage or major slowdown of the asset's functioning for an unmanageable period
• the substantive loss of access to, or deliberate or accidental manipulation of, a component of the asset (such as the position, navigation and timing systems) which impact provision of service or functioning of the asset
• the interference with the asset's operating technology, or information communication technology, such as a system essential to its functioning
• the impact on the asset resulting from the storage, transmission, or processing of sensitive operational information outside Australia
• the impact on the asset resulting from the remote access to operational control or operational monitoring systems of the asset; and
• any other material risks that go to the substance of the functioning of the asset

How to assess the suitability of a critical worker to have access to critical components

In short, the assessment criteria and framework are at the discretion of the responsible entity.

One option is for the responsible entity to conduct a background check under the AusCheck scheme - which is proposed to be amended by the draft RMP rules to cater to SOCI Act requirements.⁵

The new AusCheck scheme is contemplated to cover:⁶

Broadly, the process for critical infrastructure entities in assessing the suitability of critical workers could include the following steps.

Investigation

Background checks are to be sought by responsible entities only in relation to "critical employees" and a responsible entity will only be able to access the elements of AusCheck background checking that are relevant to their threat risk.

Assessment

Once a responsible entity receives the background check, it is responsible for assessing whether the employee poses a risk to critical components of the asset.

Mitigation

This assessment can be based on AusCheck advice, and the responsible entity will need to put in place mitigation strategies should a risk be identified.

Alternative approaches

If the responsible entity chooses not to undertake background checks, then it will need to consider other options, such as stringent pre employment or engagement checks. This might include psychometric testing and intensive reference checking among other things.

What mitigation strategies should be put in place?

Mitigation strategies for any risk or hazard posed by a critical worker could include reassignment to another area of the business, dual authentication, or restricted duties.

A background check could in some circumstances cause a responsible entity to reconsider whether to employ, or engage, a person or may result in termination of employment.

Important notes:

• Importantly, an employee or worker who is subject to background checking for the purposes of an RMP retains all the rights and protections they are otherwise entitled to
• There is no negation of the responsibilities of employers under the Fair Work Act 2009, or other relevant legislation

In practical terms, this means a responsible entity still needs to act lawfully in making decisions about, for example, whether to hire someone, or whether to dismiss an employee. A responsible entity could not, for example, simply dismiss an employee based on an unfavourable background check without affording due process and ensuring a proper basis for the dismissal.

Practical steps to minimising or eliminating material risks

The legislation does not describe what steps a responsible entity should take to minimise or eliminate the risks of a negligent or malicious insider taking action to impair a critical infrastructure asset.

In our view, depending on the circumstances, practical steps might include:

• implementation of policies and procedures dealing with, for example, management of portable devices, conflicts of interest, acceptance of gifts, corruption and reporting of inappropriate conduct
• physical security and information security practices and procedures, including limiting access to information and systems
• software tracking of access to specific systems, and regular auditing of that access
• multiple token authentication, or multiple person authorisations, to perform highly sensitive tasks
• restricting the use of mobile phones and other equipment such as cameras in areas where certain work is performed

Another practical step that can be taken is providing training for workers on relevant policies and procedures and ensuring there is a clear reporting pathway where risks are identified.

Off-boarding processes

Upon the termination of an employee's employment, an important step will be to ensure that the outgoing employee or contractor does not misappropriate any confidential information or intellectual property.

In some cases, it may be necessary to restrict or suspend system access on resignation. Systems and programs should be audited to determine whether an employee has created a "backdoor" to access a program in anticipation of leaving their employment.

Final thoughts

In addition to identifying steps a responsible entity should take in response to the requirements of the SOCI Act, one of the biggest challenges will be determining what to do with the information generated from the AusCheck background checking process.

The legislation does not presently contain any express guidance on what a responsible entity may (or must) do in response to certain sensitive information that is likely to be obtained in an extensive background check, such as an individual's criminal record.

It is possible that the new AusCheck scheme (to be developed in relation to the SOCI Act) may provide guidance regarding the use of spent convictions - that is, convictions related to older offences.⁷

However, in the absence of guidance, employers must carefully consider the operation of federal and (where relevant) state or territory anti-discrimination legislation, adverse action provisions in the Fair Work Act 2009 (Cth), the Privacy Act 1988 (Cth)⁸ and spent convictions legislation.

For further information about the HR and OHS implications of amendments to the SOCI Act for your organisation, please contact Lander & Rogers' workplace relations and safety experts.

Photo by Towfiqu Barbhuiya on Unsplash.

¹ Section 12L of the SOCI Act provides that a Responsible Entity of a critical infrastructure asset is the entity with ultimate operational responsibility for the asset. This entity will have effective control or authority over the operations and functioning of the asset as a whole and able to engage the services of contractors and other operators. The Responsible Entity will also serve as the key contact point for consultation in relation to rules that may impact the asset. The definition has been separated into 25 subsections representing the 22 classes of assets listed in the definition of critical infrastructure asset (subsection 9(1)), as well as assets that are prescribed under section 9(1)(f) or assets that are declared under section 51 by the Minister.

² An exposure draft of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022 was provided in the explanatory memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) (SLACIP Bill).

At this stage, there are no updates to the draft rules. The Minister for Home Affairs is required to consult on the draft rules for a minimum 28-day period. When the consultation period commences, this will be advertised on the CISC website.

If the draft RMP rules are made enforceable, responsible entities will need to comply with them within six months of the rules coming into effect.

³ The other hazards currently contemplated by the draft RMP rules are cyber and information security hazards, supply chain hazards and physical and natural hazards.

⁴ See section 5 of the SOCI Act.

⁵ The new scheme is proposed to be established through amendments to the AusCheck Regulations 2017.

⁶ See the Addendum Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.

⁷ Certain spent convictions in relation to aviation or maritime security relevant offences will be given to AusCheck and used and disclosed in relation to background checks even if they are "spent" (see the Aviation Transport Security Regulations 2005 and Maritime Transport and Offshore Facility Security Regulations 2003).

⁸ Criminal records are "sensitive information" under the Privacy Act and therefore subject to the heightened provisions regarding collection, storage and use under that legislation. A range of other "sensitive information" may be acquired by a prospective employer in an extensive background check, such as information relating to an individual's racial or ethnic origin, political opinion, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association; membership of a trade union; or sexual preferences or practices. Health information is also sensitive information (as is genetic information that is otherwise not health information). Note that the employee records exemption in the Privacy Act does not apply to individuals who are not employees.