The SOCI Act: Are you compliant?

31 May 2023

By NCC Group

In April 2023, the Minister for Home Affairs and Cyber Security, Clare O’Neil, announced that organisations covered by the Security of Critical Infrastructure Act (SOCI) will have their cyber security tested in regular exercises conducted by the federal government.

As part of Australia’s Cyber Security Strategy 2020, the Australian Government introduced critical infrastructure law reforms with the aim of further protecting and improving the resilience of Australia’s critical infrastructure. More than 18 months after its original announcement, the full package of reforms to the SOCI Act has been implemented with important implications for critical infrastructure sectors in Australia.

SOCI Act Timeline

Who is regulated?

A critical infrastructure (CI) asset is only regulated if it is “specified in the rules” or declared by the Minister. Rules can be made if “required or permitted by this Act” or are “necessary or convenient to be prescribed for carrying out or giving effect to this Act.” The Minister retains the power to prescribe or declare assets if “critical to the social or economic stability of Australia or its people, the defence of Australia or national security.”

Responsible entities in the Critical Infrastructure Sector (CIS) are to be included in the definition of “national security business” in the Foreign Investment Reform (Protecting Australia’s National Security) (National Security Business) Regulations 2020. This will subject the responsible entities to direct ongoing regulation regarding the extent of foreign ownership/investment.

NCC Group can help ensure you’re meeting the requirements of the Act.

Consider NCC Group services in the three main areas:

  1. Positive Security Obligation
  2. Enhanced Cyber Security Obligations
  3. Government Assistance

1. Positive Security Obligation includes:

  • Register of Critical Infrastructure Assets
  • Critical Infrastructure Management Program
  • Mandatory notification of cyber security incidents to the ASD

In relation to these obligations, NCC Group can support with:

  • Asset identification and mapping, policy and process improvement
  • Risk management program development
  • Incident response readiness reviews, incident response plans and playbook uplift, and incident response retainers

2. Enhanced Cyber Security Obligations include:

  • Sharing of near-real-time threat information
  • Cyber incident response plans and testing
  • Vulnerability Management

In relation to these obligations, NCC Group can support with:

  • Threat intelligence services
  • Security Testing and Assurance services
  • Cyber incident response plans and table-top crisis management simulations
  • Vulnerability Management services

3. Government Assistance includes:

  • Information Gathering Direction
  • Action Direction
  • Intervention Request

In relation to these obligations, NCC Group can support with:

  • Incident Response retainers
  • Managed Detection and Response
  • Forensic investigations

Additional services:

  • Conducting Gap Analysis based on NIST CSF, ISO 27001, or Essential Eight, leveraging any CPS 234 reviews.
  • Completing assurance testing to ensure compliance with obligations specified within the Act.
  • Developing an appropriate Risk Management Program and reporting regime.
  • Conducting background checks for those who may pose a risk to the asset or business.
  • Assessing standards compliance across the supply chain.
  • Establishing a robust Policy Architecture and Plans to minimise risk exposure.
  • Standing by on retainer for third-party (independent) services to complete the gaps in cyber security posture, e.g., Digital Forensics, Public Relations, Cyber Insurance Negotiator, Incident Response, Legal, etc.
  • Negotiating appropriate cyber security insurance coverage to assist in remediation.

Call us before you need us.

Our experts are here to help you meet the obligations of the SOCI Act and continue operating successfully and securely.