Almost all critical infrastructure now operates in a digital environment, and as technologies such as mobility and automation have advanced, so have the vulnerabilities that come with them.
Global connectivity, particularly since Covid-19, has led to significantly more employees working remotely and from home. This has created new risks and greater opportunities for threat actors, who have grown more sophisticated and capable. Critical infrastructure has become the preferred target for high-end adversaries such as nation-states and terrorist organisations, as well as well-organised criminal syndicates.
The Australian Government’s Department of Home Affairs has identified the following eleven sectors as covered under the Security of Critical Infrastructure Act 2018:
Australia’s Department of Home Affairs describes the Act as follows: The Security of Critical Infrastructure Act 2018 (the Act) seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Act applies to 22 asset classes across the 11 sectors described above, covering food, utilities, education, transport, health and various technologies.
The key elements of the Act are:
The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022.
The SLACIP Act amends the Security of Critical Infrastructure Act 2018 (SOCI Act) to introduce the following key measures:
The reforms in the SLACIP Act seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets, and to improve information exchange between industry and government so as to build a more comprehensive understanding of threats.
It has never been more critical for boards to understand and mitigate their organisation’s cyber risks. The rise of ransomware is just one threat challenging an organisation’s ability to respond to cyber attacks; with increasingly sophisticated attacks on critical infrastructure, the stakes are raised to a much greater degree.
With the above amendments now in force, boards and individual directors of critical infrastructure must be aware of their obligations to oversee and manage security threats.
While boards and directors cannot be prosecuted under critical infrastructure legislation, the legislation does require the board to sign off on the organisation’s Risk Management Program (RMP).
The RMP is a written program that applies to responsible entities for one or more critical infrastructure assets. Organisations must identify and, as far as is reasonably practicable, mitigate material risks presenting a security threat.
This means all due care and diligence must be exercised in the governance of critical infrastructure entities.
We can support your critical infrastructure organisation in:
Cyber security for critical infrastructure describes a framework for protecting the systems, networks and assets whose continuous operation is deemed necessary for the effective protection of a nation, its people and its economy.
The Security of Critical Infrastructure Act 2018 (the Act) seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure. The Act applies to 22 asset classes across the 11 sectors of communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.
Board members or executives of critical infrastructure assets must have a documented Risk Management Program (RMP) that outlines a risk profile based on evaluation, mitigation, accountability and governance measures.