New critical infrastructure obligations to cost $1bn annually

Brandon How

Critical infrastructure operators could face a collective regulatory burden of $1 billion each year following the commencement of the final tranche of obligations under the Security of Critical Infrastructure Act.

Entities responsible for critical infrastructure assets will need to “establish, maintain, and comply” with a risk management program that manages potential impacts caused by cyber and information security risks, personnel risks, and supply chain risks, among others.

Some cyber risks to digital systems, computers, datasets, and networks that underpin critical infrastructure systems include improper access, misuse, or unauthorised control, according to a government fact sheet.

According to the Office of Impact Analysis (OIA), the cost of complying with the rules is estimated to be a “one-off aggregated cost of [around $1.6 billion], across critical infrastructure assets nationally…and an ongoing aggregated cost of [around $1.08 billion] per year”. This equates to a regulatory cost of $11.5 billion over the first 10 years.

The OIA says that the likely benefits of compliance with the critical infrastructure risk management plan (RMP) “will be at least (and are expected to be more than) the costs of the regulation”.

city data

The highest average one-off cost of compliance per entity is for critical energy market operator assets at $22.1 million, while the highest average ongoing annual cost is for critical hospital assets at $10.1 million.

The critical infrastructure RMP is the final of three obligations under the SOCI act and applies to 13 critical infrastructure industries. It commenced on February 17.

The two existing positive security obligations under SOCI require the provision of operational and ownership information to the Register of Critical Infrastructure Assets, as well as mandatory reporting of cyber incidents.

The cybersecurity component of the critical infrastructure RMP must reach level one of the Australian Signals Directorate’s (ASD) Essential Eight Maturity Model. The model details eight cybersecurity measures of which the top four alone can prevent up to 85 per cent of unauthorised intrusions, according to the ASD.

The top four measures are application whitelisting, regularly patching applications, restricting administrative privileges, and regularly patching operating systems.

Existing critical infrastructure asset holders will have six months to adopt a written RMP followed by a further 12 months to allow for compliance with the cybersecurity framework identified in the plan.

Critical infrastructure assets identified or established after the commencement of the rules must meet their requirements within six months.

Home Affairs and Cybersecurity minister Clare O’Neil said that the rules would boost the resilience of Australia’s critical infrastructure assets.

“As a nation we must continue to ensure the security of our essential services – things such as energy and water, food, health care, transport, supply chains and communications – and to protect them from a range of threats, including cyber, physical, personnel, supply chain and natural hazards,” she said.

“The RMP rules will strengthen the resilience of essential services by embedding preparation, prevention and mitigation activities into standard business practices, and provide responsible entities greater situational awareness of threats to critical infrastructure.”

An updated Critical Infrastructure Resilience Plan and Strategy has also been released and includes a “roadmap for protecting essential services and assets”, according to the government. It was devised through industry and government collaboration in the Trusted Information Sharing Network, which is the federal government’s engagement platform with critical infrastructure.

“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty. We need to ensure our critical infrastructure security arrangements keep pace with the evolving threat environment and continue to deliver the essential services we all rely on,” Ms O’Neil added.

Consultation on the proposed critical infrastructure RMP rules was undertaken over a 45-day period between October and November 2022.

A risk management program townhall will be held online on February 23.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories