CISC Newsflash: Edition 17
Cyber and Infrastructure Security Centre
We assist critical infrastructure owners & operators in risk & regulations for the shared benefit of all Australians.
From the Cyber and Infrastructure Security Centre
Welcome to the latest edition of the CISC Newsflash! It has been a big few months as our Critical Infrastructure Security Excellence Workshop series continues around the country.
We have also joined you in various town halls, meetings, deep dives and roundtables on new reforms and obligations.
We also have a big announcement for Critical Infrastructure Security Month (CISM) in November 2024 – read to the end to find out!
Our workshop series continues to engage with our critical infrastructure stakeholders around the country.
Since our last newsflash edition, we’ve held workshops in Perth, Canberra, Hobart and Brisbane. The workshops have included a strong representation from industry, Commonwealth and state governments.
The highlights of the workshops have been our interactive deep dive activity, our panel of industry experts discussing all-hazards and DP World sharing their lessons learned from their cyber incident in 2023. Our series wraps up in Sydney on 13 November!
First Assistant Secretary Justine Jones of the Cyber and Infrastructure Security Centre presented at the Security ASIAL Conference 2024 in Sydney. Justine highlighted the importance of a positive security culture being embedded in Australia’s critical infrastructure organisations.
A positive security culture within an organisation helps mitigate risks that arise from personnel, physical and cyber threats.
It is important that we work together to build a strong security culture and strengthen risk management practices to build resilience against a range of hazards we face as a nation.
In September, Australia, through the Department of Home Affairs, hosted the 2024 Cyber Champions Summit in Sydney. The event built on momentum to strengthen existing global relationships and promote greater cooperation on cyber security issues between the Indo-Pacific and Euro-Atlantic regions.
Australia's participation was led by Deputy Secretary Cyber and Infrastructure Security Hamish Hansford and included National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, CSC, and Ambassador for Cyber Affairs and Critical Technology Brendan Dowling.
The Maritime Industry Security Consultative Forum (MISCF) took place this July in Newcastle! The Australian Government and maritime industry – including peak bodies, port operators, port facility operators and ship operators – use MISCF to discuss maritime security issues through an all-hazards lens. MISCF promotes the principles of consultation and the two-way sharing of information to discuss evolving threats, identify common challenges and share best practices, all to ensure the ongoing protection of Australia’s critical maritime infrastructure. Members participated in a number of tabletop exercises in addition to discussions on current and emerging maritime security issues to promote preparedness against all-hazards.
Cyber Security Legislative Reforms
Feedback from Government and industry on the Cyber Security Legislative Package, inclusive of proposed new cyber security legislation and reforms to the Security of Critical Infrastructure Act 2018, has been received, with the package to be introduced to parliament in October 2024.
The first Critical Infrastructure Risk Management Program (CIRMP) Annual Report submission period commenced on 1 July 2024 and ended on 28 September 2024. This is a major milestone for the Security of Critical Infrastructure Act 2018 (SOCI Act). The CIRMP ensures measures are in place to minimise the risk of an asset being impaired, stopped or slowed, not to remove all potential risk.
The deadline for responsible entities to meet the CIRMP’s cyber and information security framework requirement was 17 August 2024. The CIRMP Annual Report for the next financial year 2024-2025 must reflect the cyber and information security framework.
Differences between Frameworks
Responsible entities that are subject to the CIRMP obligation must adopt and maintain a cyber security framework as per section 8 of the SOCI CIRMP Rules.
The SOCI CIRMP Rules prescribe five frameworks that each offer different benefits. Responsible entities should select the cyber security framework that best addresses the risk vectors that threaten their critical assets. The cyber security framework obligation sets the baseline for cyber security in critical infrastructure assets. We encourage responsible entities to go beyond their legislative obligations.
Alternative Frameworks
The five frameworks listed in the SOCI CIRMP Rules are not exclusive. Responsible entities can use an alternative framework if they consider it better addresses the risk vectors threatening an entity’s critical assets. An alternative framework may include a newer version of one of the five listed frameworks, or a framework that is not listed in the SOCI CIRMP Rules.
The implementation of an approved cyber security framework will ensure a consistent level of cyber security maturity. Over time this baseline may be increased through legislative change.
The SOCI CIRMP Rules may be updated through ministerial instruments following public consultation.
Deputy Secretary Hamish Hansford hosted the Critical Infrastructure Risk Management Program obligations and compliance Town Hall in July. The recording, presentation and transcript are all available on our website. We also provide answers to topics raised in the Town Hall.
If you have any questions that aren’t already answered on our website, email [email protected].
Critical Infrastructure Security Month (CISM) is around the corner!
Our theme for November 2024 is: ‘Critical Infrastructure Risk Management: A Shared Responsibility’.
To stay up to date with our schedule of CISM activities, latest news and advice, follow us on X, Instagram and LinkedIn!
Fortinet OT APAC Leader
2 weeks ago: Without question the second most frequently asked question that I encounter -