The Australian government's reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act) have introduced a new Enhanced Cyber Security Obligation (ECSO) framework that applies to the nation's most critical infrastructure assets, known as Systems of National Significance (SoNS). This framework is designed to bolster the cybersecurity resilience of these vital assets and ensure they have comprehensive, regularly tested plans to effectively prepare for, respond to, and mitigate the impact of cyber attacks.
The ECSO framework comprises four key components: cyber incident response planning, cyber security exercises, vulnerability assessments, and system information sharing. Each plays a crucial role in enhancing the overall cybersecurity posture of SoNS assets.
Firstly, the ECSO mandates that entities responsible for SoNS assets develop and maintain detailed cyber incident response plans. These plans should outline the steps and procedures to be followed during a cyber security incident, ensuring a swift and coordinated response to minimise the impact on the asset and its dependent systems. Regular reviews and updates of these plans are required to keep pace with the evolving threat landscape.
Secondly, SoNS entities are required to conduct regular cyber security exercises to test the effectiveness of their incident response plans and overall cyber resilience. These exercises can range from discussion-based activities to full-scale simulations of cyber attacks, allowing entities to identify potential weaknesses and areas for improvement in their response capabilities. The government will work closely with each entity to determine the most appropriate type and frequency of exercises based on factors such as the nature of the asset, its sector, and the current threat environment.
Thirdly, the ECSO framework requires SoNS entities to undertake periodic vulnerability assessments to proactively identify and address security gaps that malicious actors could exploit. These assessments may include system design reviews, hands-on penetration testing, or automated vulnerability scans. The government has the authority to direct an entity to conduct an evaluation and, if necessary, to authorise an official to perform the assessment on the entity's behalf. The results of these assessments must be documented in a vulnerability assessment report and shared with the government.
Lastly, to support the development of a national-level, real-time threat picture, SoNS entities are obligated to share specified system information, such as logs and event data, with the government. This information sharing enables the government to analyse trends, identify emerging threats, and disseminate actionable intelligence back to the entities, ultimately strengthening the collective defence of Australia's critical infrastructure. The government may request this information on a periodic basis or in response to specific events, and in some cases, may require the installation of software to facilitate automated reporting.
The industries subject to the SOCI Act and the ECSO framework include:
- Communications
- Energy
- Water and Sewerage
- Transport
- Food and Grocery
- Health
- Banking and Finance
- Space technology
- Defence industry
- Higher Education and Research
- Data Storage or Processing
The inclusion of these sectors highlights the wide-ranging impact and interdependencies of critical infrastructure assets on the nation's economic and social well-being and national security. By implementing the ECSO framework, the Australian government aims to ensure that the most critical assets within these sectors are well-prepared to withstand and respond to cyber threats, thereby maintaining the continuity of essential services and protecting the nation's interests.
Key Impacts:
- SoNS assets are now subject to ECSO on top of pre-existing security obligations.
- The Secretary of Home Affairs determines which specific ECSO apply to each SoNS.
- SoNS entities must develop and maintain detailed cyber incident response plans.
- Regular cyber security exercises must be conducted to test response capabilities.
- Entities must undergo vulnerability assessments to identify and address security gaps.
- System information must be provided to the government to enable real-time threat monitoring.
Core Recommendations:
- Determine whether your critical infrastructure assets have been declared SoNS and understand applicable ECSO
- Develop or update cyber incident response plans in line with new requirements
- Plan and conduct comprehensive annual cyber exercises to test response plans rigorously
- Produce thorough post-exercise evaluation reports assessing strengths and improvement areas
- Implement a vulnerability management program to identify and remediate vulnerabilities proactively
- Implement technical and process changes to meet system information-sharing obligations
- Engage leadership to ensure awareness and appropriate resourcing to meet ECSO requirements
Background on SoNS:
The SOCI Act reforms introduce the Systems of National Significance (SoNS) concept — a subset of critical infrastructure assets deemed to be of the highest criticality to the nation. The Minister for Home Affairs can privately declare an asset as SoNS based on factors such as interdependencies with other critical infrastructure and the severity of consequences if it is disrupted. SoNS assets are subject to the new ECSO and existing security obligations.
Overview of Enhanced Cyber Security Obligations:
The ECSO framework includes four key components that can be selectively applied to SoNS assets:
- Cyber Incident Response Plans - SoNS entities must develop, maintain and comply with detailed plans outlining how to respond to and mitigate cyber security incidents affecting their assets. While no specific template is mandated, plans should align to the entity's operating environment and threat profile and be regularly reviewed.
- Cyber Security Exercises - Entities must conduct practical exercises to test their incident response plans and overall cyber resilience. Exercise formats can include discussion-based activities or functional simulations. The government will work with each entity to determine appropriate exercises based on sector and threat factors. After each exercise, entities must provide an evaluation report assessing outcomes and identifying improvement opportunities.
- Vulnerability Assessments - SoNS entities must undergo vulnerability assessments to proactively identify security gaps that malicious actors could exploit. Assessments may include design reviews, hands-on testing or automated scans. The government can direct an entity to conduct an assessment and, if it is not completed, authorise an official to perform it. Results must be provided in a vulnerability assessment report.
- Provision of System Information - To support whole-of-nation threat awareness, SoNS entities must provide government-specified system information (e.g., logs, event data). This enables the development of a real-time threat picture to share actionable intelligence and uplift collective defence. Information can be requested on a periodic or event-driven basis. In limited cases, the government may require software installation to enable reporting.
Supporting guidance has been published to help SoNS entities conduct practical cyber exercises aligned with the obligations. This includes advice on exercise scenario development, incident response plan testing, participant involvement, and post-exercise reporting and improvement planning.
A series of critical compliance and reporting dates have accompanied the SOCI Act reforms and the introduction of the ECSO framework. These dates are designed to provide a phased approach to implementing the new obligations, giving entities sufficient time to assess their status, understand the requirements, and implement the necessary measures.
Key dates for compliance and reporting include:
- July 8, 2022: The Mandatory Cyber Incident Notification obligation (Part 2B of the SOCI Act) came into effect for most critical infrastructure assets. Entities had until July 8, 2022, to comply with this obligation, which requires them to report critical cyber security incidents within 12 hours and other cyber security incidents within 72 hours of becoming aware of the incident.
- October 8, 2022: The six-month grace period for compliance with the Register of Critical Infrastructure Assets (Part 2 of the SOCI Act) concluded. Entities had until this date to provide the required operational and ownership information to the Register.
- February 17, 2023: The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (CIRMP Rules) came into effect, "switching on" the Risk Management Program obligation (Part 2A of the SOCI Act) for 13 critical infrastructure asset classes. The AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 also commenced on this date.
- August 17, 2023: The six-month grace period for compliance with the Risk Management Program obligation (Part 2A of the SOCI Act) will conclude. Entities will have until this date to establish and begin complying with their risk management programs.
- August 17, 2024: The 12-month grace period for compliance with the cyber and information security framework requirements under sections 8(4) and 8(5) of the CIRMP Rules will conclude. Entities must have fully implemented the specified cybersecurity frameworks by this date.
In addition to these overarching deadlines, the ECSO framework introduces specific reporting requirements for SoNS entities. For example:
- Entities must provide the Secretary of Home Affairs with a copy of their cyber incident response plan as soon as practicable after adopting it and whenever material changes are made to it.
- Following a cyber security exercise, entities must prepare an evaluation report and provide a copy to the Secretary within 30 days of the exercise's completion, unless otherwise directed.
- Vulnerability assessment reports must be submitted to the Secretary within 30 days of completion unless an extension is granted.
- System information reporting may be required on a periodic basis or in response to specific events, with timeframes specified in the relevant notice from the Secretary.
Critical infrastructure entities must be aware of these compliance and reporting dates and engage early with the Cyber and Infrastructure Security Centre to clarify any specific requirements or deadlines applicable to their sector or asset. Proactive planning and resource allocation will be essential to ensure timely compliance with the SOCI Act reforms and the ECSO framework.
Mandatory Reporting
The Security of Critical Infrastructure Act 2018 (SOCI Act) requires responsible entities for critical infrastructure assets in Australia to report certain cyber security incidents; this reporting is mandatory. The obligation aims to give the government a comprehensive picture of emerging cyber threats and risks, enabling better partnerships with industry to mitigate serious cyber attacks. Reporting also allows the government to provide timely advice and support to entities during serious incidents.
- Identify whether a reportable cyber security incident has occurred, is occurring or is imminent. This includes unauthorised access, modification or impairment of computers, data, programs or communications.
- Assess if the incident has had a "significant impact" (for critical incidents) or "relevant impact" (for other incidents) on the asset.
- A "significant impact" materially disrupts the availability of essential goods or services from the asset. Report critical incidents within 12 hours of becoming aware.
- A "relevant impact" is an impact on the asset's availability, integrity, reliability or confidentiality, or on information about or stored in it. Report other incidents within 72 hours of becoming aware.
- Reports are made to the Australian Cyber Security Centre (ACSC). You are requested to provide details such as the impacted systems, incident description, estimated impact, and response steps taken.
- Some incidents, like scam emails or suspicious contacts, are generally only reportable if they lead to further infiltration and impact on the asset. When in doubt, err on the side of reporting.
- Reporting ensures the government can help protect all entities and the broader economy. Non-compliance may also lead to enforcement actions.
By instituting robust processes to identify and report serious cyber incidents as required, entities will strengthen their cyber resilience while contributing to a collective national defence against the growing threat of cyber attacks on critical infrastructure. A proactive reporting partnership between industry and government is key to protecting Australia's economic and social well-being.
Where does AI Play a Role?
The impact of AI on the Security of Critical Infrastructure (SOCI), Enhanced Cyber Security Obligations (ECSO), and Systems of National Significance (SoNS) is multifaceted and can be both positive and negative.
Positive impacts:
- Improved threat detection: AI-powered tools can analyse vast amounts of data from various sources, identifying potential cyber threats more quickly and accurately than traditional methods. This can help critical infrastructure entities detect and respond to incidents more effectively.
- Enhanced situational awareness: AI can help correlate and contextualise information from multiple sources, providing a more comprehensive understanding of the threat landscape and enabling better-informed decision-making.
- Automated incident response: AI-driven systems can automate certain aspects of incident response, such as isolating infected devices or updating firewall rules, reducing response times and minimising the impact of cyber incidents on critical assets.
- Predictive maintenance: AI can analyse sensor data and historical performance records to predict when critical infrastructure components may fail, enabling proactive maintenance and reducing the risk of disruptions.
- Compliance monitoring: AI can help monitor and ensure compliance with ECSO requirements, such as identifying gaps in incident response plans or tracking the implementation of vulnerability remediation actions.
Negative impacts:
- Increased attack surface: The integration of AI systems into critical infrastructure may introduce new vulnerabilities and expand the attack surface, providing adversaries with new potential entry points.
- AI-powered attacks: Malicious actors can leverage AI to create more sophisticated and harder-to-detect attacks, such as adaptive malware or intelligent social engineering, making it more challenging for SoNS entities to defend against them.
- Data poisoning: Adversaries may attempt to manipulate the data used to train AI models, leading to incorrect decisions or actions that could compromise the security or resilience of critical assets.
- Overreliance on AI: Excessive dependence on AI systems may lead to complacency or a lack of human oversight, potentially allowing threats to go unnoticed or causing unintended consequences.
- Ethical concerns: The use of AI in critical infrastructure raises ethical questions around data privacy, algorithmic bias, and the potential for AI systems to make decisions that may have unintended societal impacts.
To maximise the benefits and mitigate the risks of AI in the context of SOCI, ECSO, and SoNS, critical infrastructure entities should:
- Adopt a balanced approach that leverages AI capabilities while maintaining human oversight and control.
- Implement robust security measures, aligned with ECSO requirements, to protect AI systems and the data they process.
- Regularly test and validate AI models to ensure accuracy, reliability, and alignment with organisational goals.
- Foster collaboration between AI experts, cybersecurity professionals, and critical infrastructure operators to develop secure and effective AI solutions.
- Stay informed about the latest developments in AI technology and its potential implications for critical infrastructure security.
By proactively addressing AI's challenges and opportunities, critical infrastructure entities can harness its power to enhance their cyber resilience and better protect the nation's most vital assets.
Conclusion and Recommendations:
The SOCI Act reforms and ECSO framework represent a substantial step-change in the security regulation of Australia's most critical infrastructure. The obligations will drive significant uplifts in the cyber resilience of crucial assets and the nation.
However, the ECSO imposes additional compliance and resourcing burdens for which SoNS entities must prepare. Entities should engage with government and leadership early to assess their status, understand requirements, and secure necessary funding and support.
Priority recommendations for SoNS entities include:
- Evaluate and refine cyber incident response plans against ECSO requirements, establish a regular testing and update cycle, and clearly understand reporting obligations under the SOCI Act.
- Design and deliver a multi-year cyber exercise program focused on likely, high-impact scenarios to maximise organisational learning and improvement.
- Continuously identify, prioritise, and remediate vulnerabilities across critical assets and systems through mature vulnerability management processes.
- Implement logging, monitoring, and reporting capabilities to fulfil system information-sharing obligations, aligning with broader situational awareness initiatives where possible.
- Drive executive understanding of ECSO implications and integrate uplifted resilience capabilities into strategic business continuity and risk management efforts.
- Establish processes to quickly identify reportable incidents, considering who in the organisation would become aware of incidents and how they assess the level of impact.
- Assign clear internal reporting lines and responsibilities for submitting mandatory reports to ACSC within the required timeframes.
- During the first 12 months, focus on understanding the reporting thresholds. The government will prioritise education and guidance, with enforcement only for egregious breaches such as failure to report critical incidents.
- Assess the specific impact of incidents on operations and services, referring to provided examples of "significant" vs. "relevant" impacts for different critical infrastructure sectors.
- When in doubt about an incident's reportability, contact the Cyber and Infrastructure Security Centre for advice. Lean towards reporting to enable government support and gain full visibility of the threat landscape.
While the ECSO introduces new demands, it provides a clear pathway for SoNS entities to elevate their cyber maturity. Forward-leaning, collaborative engagement with government partners will be key to efficient compliance and realising the national security benefits envisioned by these critical reforms.