Critical Infrastructure
March 13, 2023
November 18, 2024

Critical Industries and the Risk Management Program

With new Critical Infrastructure Risk Management Rules in place, businesses must go beyond cybersecurity frameworks to minimise risks and mitigate the impact of potential breaches - are you ready to comply?

Critical Industries and the Risk Management Program

Interview multiple candidates

Lorem ipsum dolor sit amet, consectetur adipiscing elit proin mi pellentesque  lorem turpis feugiat non sed sed sed aliquam lectus sodales gravida turpis maassa odio faucibus accumsan turpis nulla tellus purus ut   cursus lorem  in pellentesque risus turpis eget quam eu nunc sed diam.

Search for the right experience

Lorem ipsum dolor sit amet, consectetur adipiscing elit proin mi pellentesque  lorem turpis feugiat non sed sed sed aliquam lectus sodales gravida turpis maassa odio.

  1. Lorem ipsum dolor sit amet, consectetur adipiscing elit.
  2. Porttitor nibh est vulputate vitae sem vitae.
  3. Netus vestibulum dignissim scelerisque vitae.
  4. Amet tellus nisl risus lorem vulputate velit eget.

Ask for past work examples & results

Lorem ipsum dolor sit amet, consectetur adipiscing elit consectetur in proin mattis enim posuere maecenas non magna mauris, feugiat montes, porttitor eget nulla id id.

  • Lorem ipsum dolor sit amet, consectetur adipiscing elit.
  • Netus vestibulum dignissim scelerisque vitae.
  • Porttitor nibh est vulputate vitae sem vitae.
  • Amet tellus nisl risus lorem vulputate velit eget.
Vet candidates & ask for past references before hiring

Lorem ipsum dolor sit amet, consectetur adipiscing elit ut suspendisse convallis enim tincidunt nunc condimentum facilisi accumsan tempor donec dolor malesuada vestibulum in sed sed morbi accumsan tristique turpis vivamus non velit euismod.

“Lorem ipsum dolor sit amet, consectetur adipiscing elit nunc gravida purus urna, ipsum eu morbi in enim”
Once you hire them, give them access for all tools & resources for success

Lorem ipsum dolor sit amet, consectetur adipiscing elit ut suspendisse convallis enim tincidunt nunc condimentum facilisi accumsan tempor donec dolor malesuada vestibulum in sed sed morbi accumsan tristique turpis vivamus non velit euismod.

In February 2023, the Critical Infrastructure Risk Management Program Rules commenced. The Rules create an obligation for listed asset classes to produce and comply with a critical infrastructure risk management program (CIRMP). We have written about the Critical Infrastructure Bill before -- these Rules are another aspect of the Security of Critical Infrastructure Act 2018 (SOCI Act).

What does this mean for us?

If you are an owner or operator of one of the following assets, you need to follow the Rules and have a CIRMP:

  • Broadcasting
  • Domain Name Systems
  • Data Storage or processing
  • Electricity
  • Energy Market Operator
  • Gas
  • Liquid Fuels
  • Payment Systems
  • Food and Grocery
  • Designated Hospitals
  • Critical Freight Infrastructure
  • Critical Freight Services
  • Water

What is the cyber protocol for the Rules?

By August 2024, you need to show that you comply with a cybersecurity framework (either one of the ones listed below, or an 'equivalent' framework):

  • Australian Standard AS ISO.IEC 27001:2015
  • Essential Eight Maturity Model published by the Australian Signals Directorate (Meet maturity level one)
  • Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology
  • Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America (Meet maturity level one)
  • The 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327)

These frameworks are focused on reducing the likelihood of a breach. But, vitally, the Rules say you need to:

Establish and maintain a process or system in the CIRMP to–as far as it is reasonably practicable to do so:
- minimise or eliminate any material risk of a cyber and information security hazard occurring; and
- mitigate the relevant impact of a cyber and information security hazard on the CI asset.

Risk Management Program Rules of Critical Infrastructure Assets Guidance -- Section 8

So having the frameworks in place is not enough. You can't just work to reduce the likelihood of a breach. You also have to reduce the impact of a successful one.

This means knowing your risky data: where it is, how sensitive it is, what secrecy and privacy rules apply to it, and what is happening to it at all times. Importantly, you also need to know how long you need to keep it for. The best way to reduce the impact of a spill is to not have any sensitive data in that spill. And the best way to not have sensitive data is to destroy it when you no longer need it. That's why automated records management is just as important to your risk controls as automated security and privacy management, audit, and discovery.

Contact us if you want to understand your risk exposure, by using AI to scan and report on your entire network. Being able to quantify what the impact of a breach would be helps to make a business case, and a robust plan, for meeting the Rules and Protocol by the deadline.