In Australia, on March 31, 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, also known as SLACIP, was passed by the Australian Parliament.
The SLACIP Act builds upon the framework of the SOCI Act 2018 (the Security of Critical Infrastructure Act) to improve the security of Australia’s critical infrastructure.
To learn how the SOCI Act reforms will affect you and for guidance on how to comply with its new risk management requirements, read on.
A. What is the SLACIP Act?
The SLACIP Act modifies the SOCI Act to introduce security risk management and cyber threat resilience as mandatory requirements for critical infrastructure entities.
The SLACIP Act aims to improve information exchange between critical infrastructure industries and the government to keep the Australian government informed of emerging threats to national security.
The SLACIP Act aims to give Australians increased peace of mind about the safety of the nation’s essential services.
The SLACIP Act was developed to address the intersection of two significant trends – Australia’s increasing dependency on digital solutions and the increasing sophistication of cyberattacks.
B. What’s the Difference Between the SLACIP Act and the SOCI Act?
The SLACIP Act modifies the SOCI Act by introducing a new obligation and a new framework.
- Entities responsible for critical infrastructures are now obligated to create and maintain a risk management program.
- Operators of Systems of National Significance (SoNS) – entities responsible for Australia’s most important critical infrastructure assets – must comply with a new framework with enhanced cyber security standards.
The SLACIP Act centralizes critical infrastructure security guidelines into a single piece of legislation to address the interconnected nature of all SoNS.
C. Who is Responsible for Complying with the SLACIP Act?
Responsibility for compliance will sit with either the Responsible Entity or the Direct Interest Holders of a critical infrastructure asset.
D. What is a Responsible Entity?
A Responsible Entity is any entity with ultimate operational responsibility for a critical infrastructure asset.
E. What is a Direct Interest Holder?
A Direct Interest Holder is either:
- Any entity holding direct or joint interest of at least 10% in a critical infrastructure asset
- Any entity that holds a critical infrastructure asset interest and is in a position of direct or indirect influence over the control of an asset
F. The SLACIP Act Risk Management Plan
The Risk Management Program obligation introduced in the SLACIP Act requires responsible entities to adopt and maintain a risk management program designed to identify and mitigate all material risks to critical infrastructure assets, so far as is reasonably practicable.
A material risk includes risks threatening the availability, integrity, reliability, or confidentiality of critical infrastructure assets.
Under SLACIP, the following categories of critical infrastructure assets are subject to the risk management program rules:
- Critical broadcasting assets
- Critical domain name system
- Critical data storage or processing assets
- Critical hospitals
- Critical energy market operator assets
- Critical water assets
- Critical electricity assets
- Critical gas assets
- Critical liquid fuel assets
- Critical financial market infrastructure assets that are specified payment systems operator assets
The design of a risk management program must meet the following obligations:
1. Identify all Material Risks
Responsible entities need to follow an All-Hazards approach when identifying potential threats to their critical infrastructure assets’ availability, reliability, and confidentiality.
An All-Hazards approach considers the events and processes that affect preparedness for all emergencies and disasters, both natural and human-made.
The SLACIP Act expects responsible entities to focus on four primary categories of hazard vectors:
- Physical and Natural – Any physical or natural risk to critical infrastructure asset functionality, such as a thunderstorm disrupting physical access to a control room.
- Cyber and Information Security – Any cyber threats to the digital ecosystem of a critical infrastructure asset.
- Personnel – Any risk of an insider threat within a critical infrastructure workforce.
- Supply Chain – Any risk of supply chain disruption impacting critical infrastructure operations.
2. Continuously Reduce Security Risk Exposure
Responsible entities need to develop strategies for minimizing the security weaknesses that increase a critical infrastructure asset’s exposure to material risks. Risk management efforts should be both proactive and ongoing.
A proactive and ongoing risk management strategy aims to discover and address security risks before cybercriminals exploit them.
3. Minimize the Impacts of all Security Incidents
Security incidents that bypass perimeter security controls must be contained and swiftly addressed to minimize their impact on business operations. SLACIP requires entities to have robust processes for reducing the effects of realized incidents, and processes for rapid recovery following an incident.
These requirements can be met with an up-to-date, regularly tested incident response plan.
4. Establish Risk Oversight Arrangements
Entities bound by the SLACIP Act must establish risk management oversight arrangements with their relevant Commonwealth regulators. Regulators will evaluate and test an implemented risk management program to assess SLACIP compliance.
G. SLACIP Annual Reporting Requirements
Entities need to submit an annual report summarizing the yearly efforts of their risk management program to their relevant Commonwealth regulator or the Secretary of the Department of Home Affairs.
Before submission, reports must be approved by the entity’s board, council, or other governing body.
Annual SLACIP reports must be submitted within 90 days after the end of the financial year.
To learn more about the proposed Risk Management Program Rules, refer to this draft policy document.
H. Systems of National Significance and the SLACIP Act
The SLACIP Act includes a regime specifically focused on Australia’s most critical infrastructure assets, to prevent catastrophic disruptions following a nation-state cyberattack. These entities have been grouped into a separate category known as Systems of National Significance (SoNS).
I. What are Systems of National Significance?
Systems of National Significance (SoNS) include any critical infrastructure entities that:
- Are crucial to Australia’s operations
- Have multiple dependencies across different sectors
- Could potentially cause cascading disruptions to other connected critical infrastructure assets in a cyberattack
The criticality of Systems of National Significance makes these entities highly attractive targets for sophisticated nation-state attacks. By enforcing improved cyber resilience across all of Australia’s SoNS, the SLACIP Act will significantly reduce the likelihood of the nation falling victim to a catastrophic nation-state cyberattack.
J. Which Critical Infrastructure Entities are Classified as SoNS?
Only critical infrastructure assets of national significance are classified as SoNS assets, and only a small subset of the nation’s critical infrastructure assets fall into this category.
Two primary factors are considered when determining whether an asset is of national significance:
- Does the asset have interdependencies with other critical infrastructure assets?
- Would the asset’s compromise significantly impact Australia’s national security, defence, or social/economic stability?
K. SoNS Obligations Under the SLACIP Act
In addition to all of the obligations outlined for critical infrastructure assets under the SLACIP Act, SoNS must also comply with Enhanced Cyber Security Obligations (ECSO).
ECSO requirements may include the following:
1. The Development of a Cyber Security Incident Response Plan
An incident response plan is a written document detailing how a critical infrastructure entity will respond to different cyber security incidents. After completion, the incident response plan must be submitted to the Secretary of the Department of Home Affairs.
2. Cyber Security Exercises
SoNS may be required to undertake cyber security exercises to test cyberattack readiness against specific threats. These exercises will involve a simulation of a cyber incident and may require observation by Department officers or designated officers from the Australian Cyber Security Centre (ACSC).
3. Security Assessments
SoNS may be required to complete vulnerability assessments evaluating the security postures of all critical infrastructure systems.
Under the SLACIP Act, the Department may assign these assessments to the ACSC.
4. Provision of System Information
SoNS may be required to supply system information to the ACSC at the request of the Secretary of the Department.
There are two different system information reporting tiers based on reporting frequency:
- Periodic reporting of system information
- Event-based reporting of system information
ECSO may also require SoNS to:
- Register their critical infrastructure assets
- Submit cyber security incident reports
- Implement risk management programs
For more information on SoNS obligations under the SLACIP Act, refer to the Systems of National Significance fact sheet.
L. SLACIP Act Compliance
Here are just some of the features that could support SLACIP compliance:
- Vulnerability scanning to identify material risks internally and across the vendor network.
- A managed Third-Party Risk Program for scaling material risk mitigation and uplifting core security practices.
- Data leak detection extending to the third-party attack surface to minimize security risk exposure.
- One-click executive reporting to help address risk oversight arrangements.
- Vulnerability assessments based on popular cybersecurity frameworks, including the Essential Eight.
- Multiple subsidiary tracking to monitor the security postures of all SoNS and interconnected critical asset entities.