What is SOCI?
In the past 12 months, amendments to the Security of Critical Infrastructure (SOCI) Act and the new Security Legislation Amendment (Critical Infrastructure Protection) (SLACIP) Act passed parliament, expanding both the industries covered and the requirements imposed. The grace periods for most requirements have now ended, meaning that any organisation with assets considered critical under the Act needs to be already compliant.
The Act recognises that the industries providing the essential functions of everyday life are increasingly interconnected and at threat from hazards both natural, like floods and pandemics, and human, like cyber attacks and the misuse of foreign control.
The original 2018 Act’s three industries (Energy, Water & Sewerage, and Transport) have been expanded by another eight:
- Financial Services and Markets
- Food and Grocery
- Healthcare and Medical
- Higher Education and Research
- Data Storage and Processing
- Space Technology
- Defence Industry
All industries holding assets that meet the detailed criteria (e.g. a hospital with an ICU) are now required to:
- Register assets: Each critical asset needs to be described, including who and what it serves. Contact details for all direct interest holders and responsible entities (including data processing) need to be provided.
- Mandatory cybersecurity reporting: Any unauthorised access to data or impairment of an asset needs to be reported to the ACSC within 12 hours (if it causes a significant impact on the asset’s ability to deliver), or within 72 hours if it causes a relevant impact on the asset’s availability, reliability or integrity.
- Government Incident Response assistance: In the event of an incident impacting national security or well-being, an asset’s operator can be directed to collect information and take specific actions. The ACSC may be directed to intervene. Mandatory assistance is considered to be a “last resort” and requires relevant ministerial approval.
- Risk Management program: This is still under consultation and is intended to uplift core security practices. Rules may cover cyber, physical, personnel and supply chain hazards.
- Inform data processing providers:
SOCI is forcing an uplift in our national cybersecurity posture. First, it generates a record of our critical assets, giving us the ability to know what we need to protect. Secondly, the incident and risk management obligations will improve cybersecurity resilience across the companies that fall under the Act. Finally, the consultation process will foster better collaboration among industry members and with the government.
If you know or suspect you are now subject to SOCI, you need to discover all your critical assets, including those being provided to you. You will also need to identify, rate and manage your priority cybersecurity risks. Most likely, you will need to improve your cybersecurity detection and response capability.
Given the recent cybersecurity breaches of the personal details of many Australians, expansion of SOCI or similar legislation can only be expected.