Why you need to strengthen your critical infrastructure risk profile

While responsible entities need to have a CIRMP in place, even those organisations indirectly involved with critical infrastructure play an essential role in these legislative reforms. Creating a risk management program that meets current and future regulatory requirements is necessary from a compliance point of view. However, Security and Resilience of Critical Infrastructure (SOCI) Act also provides a powerful opportunity to understand your risk profiles and strengthen overall resilience. 

The SOCI Act delivers new regulations requiring the development of CIRMP for many indispensable systems. These policies capture assets across water, electricity, energy, liquid fuel, food and groceries, gas, hospitals, freight, domain names, data storage and financial markets. The intent is clear. The regulations are fast-tracking efforts around how risk is managed within organisations by working with existing frameworks (or requiring the development of new ones) to strengthen management and resilience.

Organisations needed to get their board or governing body to endorse the first iteration of their CIRMPs by 17 August 2023. After that, 90 days before the end of the financial year, ongoing annual requirements come into effect. At this time, organisations need to submit an endorsed report declaring the following: that the risk program is up to date, details of any hazards that occurred which had an impact and provide details on any variations to the program and effectiveness of the risk mitigation efforts. While submitting annual updates becomes compulsory from next year, the Cyber and Infrastructure Security Centre encourages voluntary reporting to happen sooner.

The legislation states that your CIRMP needs to detail the following:

• Identify each hazard where there is a potential risk of impact that could result in impairment, stoppage, loss of access to or interference with a critical infrastructure asset. For example, this might be an outage, slowdown, loss of access to components, or deliberate or accidental interference with operations.
• Reduce, minimise, or eliminate the potential risk of the hazard from occurring as far as reasonably practicable. Your organisation’s plans and strategies must stop the risk from occurring.
• Mitigate the impact of the hazard on the asset as far as reasonably practicable. If you have an incident and the risk materialises, what’s the plan to get the asset back up and operating as quickly and safely as possible?

The regulations provide excellent guidance on approaching and thinking about the risks. These provisions include references to hazard vectors. Hazard vectors are defined by the following four areas and need to be incorporated into your CIRMP:

• Physical and natural security: Any physical or natural security risks related to the asset are critical for functioning, e.g., physical security, local conditions, or climate change.
• Cyber and information security: Any cybersecurity threat that could impact the essential infrastructure systems, e.g., improper access, misuse, or unauthorised asset control.
• Personnel hazards: Think about critical workers who might have access to sensitive data or physical infrastructure or who may have the ability to disrupt the functioning of the asset.
• Supply chain hazards: The risk of failure of your supply chain. This might be through various factors, including natural hazards, external threats, market demand or supplier solvency.

Your organisation must thoroughly consider the above hazards and the risks. This involves testing how one hazard vector might impact another – known as the ‘all hazards’ approach. Once your in-depth plan is endorsed and implemented, the critical work of having it support your organisation’s risk management begins.

• Given the requirement for approval of annual CIRMP reports, organisations should consider whether a level of independent assurance might be good practice.
• Much of what is required under the new CIRMP requirements for organisations with well-developed risk management frameworks and systems is already in place. Ensure you explore how these new requirements will further enhance your resilience. 
• Look beyond how risk is managed concerning the critical asset, and explore how it can be leveraged across your whole enterprise to strengthen risk maturity and culture.
• For those owners, operators and managers whose risk frameworks and systems haven’t been deeply explored or matured yet, there is an excellent opportunity to use these regulations as the foundations for building a broader risk system over the years to come.