The Latest with Australia’s Security of Critical Infrastructure Act (SOCI Act) and Critical Infrastructure Risk Management (CIRMP)

September 11, 2023

As of 17 August 2023, the grace period for the Critical Infrastructure Risk Management Program (CIRMP) has ended. Critical infrastructure operators in Australia are now racing against time to establish and enforce a risk management program as the CIRMP Rules require. For the cyber and information security hazard requirements, the Rules let an entity choose from several established frameworks, including:

  • Australian Standard AS ISO/IEC 27001:2015.
  • Essential Eight Maturity Model published by the Australian Signals Directorate.
  • Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology of the USA (also known as the NIST Cybersecurity Framework or NIST CSF). (See Industrial Defender’s automated compliance NIST CSF capabilities here)
  • Cybersecurity Capability Maturity Model (C2M2) by the Department of Energy of the USA.
  • The 2020-21 AESCSF Framework Core from the Australian Energy Market Operator Limited (ACN 072 010 327). (See Industrial Defender’s automated compliance AESCSF capabilities here)

The deadline to fulfill the cyber security framework specifications as laid out in this program is 18 August 2024. Additionally, the inaugural board-approved annual report must be submitted by 28 September 2024.

These obligations are regulated and enforced by the Cyber and Infrastructure Security Centre (CISC).

Legislative Measures and Enhanced Compliance Requirements

In recent developments, the Australian Government has significantly expanded the scope of the Security of Critical Infrastructure Act (SOCI Act) through two key amendments: the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP). These changes are intended to strengthen the preparedness and resilience of Australia's critical infrastructure against evolving cyber threats and the complex interdependencies between sectors.

New Components of the SOCI Act:

  1. Positive Security Obligations (PSO): These obligations require critical infrastructure entities to adopt proactive security practices. The PSO framework demands that entities conduct regular risk assessments, implement robust security measures, and maintain comprehensive security management plans. This proactive stance ensures that critical infrastructure remains resilient against both cyber and physical threats.

  2. Enhanced Cyber Security Obligations (ECSO): Under the ECSO, entities identified as operating Systems of National Significance must meet higher cybersecurity standards. This includes mandatory cyber incident reporting, involvement in national cyber exercises, and conducting regular vulnerability assessments to anticipate and mitigate potential cyber threats effectively.

  3. Government Assistance Measures: These measures are set up to facilitate greater collaboration between critical infrastructure entities and the federal government. In circumstances where significant risks are identified, government agencies are empowered to provide targeted assistance to entities, helping to manage and mitigate threats that could have national implications.

The inclusion of these new measures underlines the government's commitment to a more dynamic and integrated approach to critical infrastructure protection. Entities affected by these changes are encouraged to review their compliance strategies and ensure alignment with the updated legislative requirements, not only to meet legal obligations but also to enhance their overall security posture and resilience.

Sector-Specific Requirements Under the SOCI Act

The Security of Critical Infrastructure Act (SOCI Act) casts a wide net over a diverse range of sectors deemed critical to national security and economic stability. Understanding the breadth of its application is essential for entities across various industries to gauge their compliance responsibilities. As per recent expansions and clarifications, the SOCI Act now encompasses 22 asset classes within 11 critical sectors. These sectors include:

  1. Communications - Ensuring the security and resilience of communication networks.
  2. Data Storage and Processing - Protecting facilities that handle significant data storage and processing capabilities.
  3. Defence Industry - Covering manufacturers and service providers integral to national defense.
  4. Higher Education and Research - Including institutions that play a pivotal role in research and development.
  5. Energy - Encompassing electricity, gas, and other energy suppliers.
  6. Financial Services and Markets - Securing entities within the financial sector that are crucial for economic operations.
  7. Food and Grocery - Safeguarding supply chains that are essential to food security.
  8. Healthcare and Medical - Protecting infrastructure critical to health services and medical care.
  9. Space Technology - Including assets that contribute to space technology and exploration.
  10. Transport - Ensuring the security of transport networks that facilitate cargo and passenger movements.
  11. Water and Sewerage - Covering water supply and wastewater management systems.

Each of these sectors is required to adhere to specific regulations that are tailored to address the unique risks associated with their operations. This sector-specific approach ensures that the protective measures implemented are both appropriate and effective, enhancing the overall security posture of Australia's critical infrastructure.

Background: Putting the CISC, SOCI Act, CIRMP together

The regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act) places obligations on responsible entities for certain critical infrastructure assets in relevant critical infrastructure sectors.

Within this act is the requirement to “produce and comply with a Critical Infrastructure Risk Management Program (CIRMP).”

The CIRMP Rules set out what a program must contain; the part of the Rules dealing with “Cyber and Information Security Hazards” is excerpted below.

CIRMP Cyber and information security hazards (excerpt)

  • (1) For paragraph 30AH(1)(c) of the Act, subsections (2) and (3) specify requirements for cyber and information security hazards.
  • (2) A responsible entity must establish and maintain a process or system in the CIRMP to—as far as it is reasonably practicable to do so:
    • (a) minimise or eliminate any material risk of a cyber and information security hazard occurring; and (b) mitigate the relevant impact of a cyber and information security hazard on the CI asset.
  • (3) Within 12 months after the end of the applicable period mentioned in subsection 4(2), a responsible entity must comply with subsection (4) or (5).
  • (4) A responsible entity must establish and maintain a process or system in the CIRMP to:
    • (a) comply with a framework contained in a document mentioned in the following table as in force from time to time; and
    • (b) meet any conditions mentioned in the table in relation to the document. (The table is reproduced under Framework Options for CIRMP Compliance below.)
  • Note:  Sections 30AN and 30ANA of the Act provide for the incorporation of the documents mentioned in this subsection as in force from time to time.
  • (5) A responsible entity must establish and maintain a process or system in the entity’s CIRMP to comply with a framework that is equivalent to a framework in a document mentioned in subsection (4), including any conditions.
  • (6)  For subsections 30AKA(1), (3) and (5) of the Act, a responsible entity must have regard to whether the entity’s CIRMP describes the cyber and information security hazards that could have a relevant impact on the asset.

Framework Options for CIRMP Compliance

Australian Standard AS ISO/IEC 27001:2015
  • No conditions
Essential Eight Maturity Model published by the Australian Signals Directorate
  • Meet Maturity Level One as indicated in the document
Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America
  • No conditions
Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America
  • Meet Maturity Indicator Level 1 as indicated in the document
The 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327)
  • Meet Security Profile 1 as indicated in the document

Industries that Must Comply

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defence industry
  • Higher education and research
  • Energy, with the subcategories:
    • Electricity
    • Energy Market Operator
    • Gas
    • Liquid Fuel
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport, including aviation and maritime assets
  • Water and sewerage

More specific guidance and definition can be found in the CISC’s Critical Infrastructure Asset Class Definition Guidance fact sheet here: https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-asset-class-definition-guidance.pdf

Implementing and Complying with Cybersecurity Frameworks – AESCSF as an Example

The cybersecurity framework requirement in the CIRMP Rules avoids reinventing the wheel by leveraging known, established standards and industry frameworks to ensure maturity, consistency, and effectiveness. Using these frameworks provides a common language and understanding, helping organisations align with recognised best practices.

Across these established cybersecurity frameworks, the core foundational elements remain consistent. Although the frameworks may combine or delineate security controls and programs differently, at their core they address the same universal areas of best practice.

In the following, we will look at how Industrial Defender enables CIRMP compliance through use of the AESCSF Framework.

(Before digging into framework areas, it's worth noting that in addition to providing key security controls directly, Industrial Defender also automates compliance reporting for full frameworks and policies. This eases the burden of preparing audit-ready reports and gathering regulatory evidence.)

The AESCSF stands for the Australian Energy Sector Cyber Security Framework. It is a framework designed specifically for the Australian energy sector to provide a consistent foundation for evaluating and enhancing cybersecurity maturity across the sector. It was developed by the Australian Energy Market Operator (AEMO).

The Australian Energy Sector Cyber Security Framework (AESCSF) is organised around specific domains, each covering a distinct area of cybersecurity. The domains serve as categories or clusters of related cybersecurity practices and controls, guiding organisations within the Australian energy sector in their cybersecurity efforts.

DOMAIN 1: Asset, Change, and Configuration Management (ACM)

DOMAIN 2: Cybersecurity Program Management (CPM)

DOMAIN 3: Supply Chain and External Dependencies Management (EDM)

DOMAIN 4: Identity and Access Management (IAM)

DOMAIN 5: Event and Incident Response, Continuity of Operations (IR)

DOMAIN 6: Information Sharing and Communications (ISC)

DOMAIN 7: Risk Management (RM)

DOMAIN 8: Situational Awareness (SA)

DOMAIN 9: Threat and Vulnerability Management (TVM)

DOMAIN 10: Workforce Management (WM)

DOMAIN 11: Australian Privacy Management (APM)

Keep reading for summary explanations of the domain and how Industrial Defender helps. You can also download our detailed AESCSF Mapping Guide here: https://www.industrialdefender.com/resources/aescsf-mapping-guide-industrial-defender

How Industrial Defender Supports Key AESCSF Domains

DOMAIN 1: Asset, Change, and Configuration Management (ACM)

This concerns the management of the organisation’s OT and IT assets, considering both hardware and software, relative to risks to critical infrastructure and organisational aims. Domain 1 of the AESCSF prioritises a current inventory of these assets, each categorised by its importance to function delivery. It's crucial to establish configuration baselines for consistency across assets and for deployments. These baselines, shaped by cybersecurity goals, are regularly reviewed and updated as determined by the organisation.

Change management in this domain ensures modifications to assets are evaluated, logged, and, where possible, tested for cybersecurity impacts before deployment. To maintain transparency, change logs record modifications that might influence the cybersecurity status (availability, integrity, confidentiality) of these assets.

How Industrial Defender supports:

Industrial Defender specialises in delivering comprehensive, in-depth OT asset data. Through a blend of active and passive collection techniques, supplemented by manual data entry for isolated networks, it builds a detailed asset inventory and can detect changes against that inventory with historical context. Where many "asset visibility" platforms stop at the network view, Industrial Defender collects endpoint configuration and change data, covering device information, software inventories, active services, network port utilisation, and user-designated properties. This lets users establish and maintain baselines, track deviations from policy, and demonstrate that assets remain in a compliant, secure state.
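The ACM domain above turns on two operations: keeping an approved configuration baseline per asset, and turning any deviation from it into a change-log entry until the change is reviewed and approved. The script below is an added example of that logic and is not Industrial Defender's code or the AESCSF's; the asset names, the four facets it baselines (software, services, listening ports, local accounts) and the severity assigned to each facet are assumptions chosen for illustration, and all inventory data is constructed.

```python
"""Added example (not Industrial Defender code): configuration baselining and
drift detection of the kind AESCSF Domain 1 (ACM) calls for.

An asset snapshot is a mapping of facet -> set of strings. The baseline is the
approved snapshot; anything present now but not in the baseline (or vice
versa) is drift, which becomes a change-log entry until it is approved.
All asset data below is constructed for the example.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]          # facet -> values for one asset
Inventory = Dict[str, Snapshot]         # asset name -> snapshot

# Facets we baseline per asset. Severities are an assumption for the example:
# new listening ports and local accounts usually matter most on an OT host.
FACETS = ("software", "services", "ports", "users")
SEVERITY = {"ports": "high", "users": "high", "software": "medium", "services": "medium"}


@dataclass
class Drift:
    asset: str
    facet: str                      # one of FACETS, or "asset" for whole-device changes
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    severity: str = "medium"


def detect_drift(baseline: Inventory, current: Inventory) -> List[Drift]:
    """Compare a current inventory against the baseline and list every deviation."""
    findings: List[Drift] = []
    for asset in sorted(set(baseline) | set(current)):
        if asset not in current:        # baselined device no longer seen
            findings.append(Drift(asset, "asset", removed=[asset], severity="high"))
            continue
        if asset not in baseline:       # device never approved: possible rogue host
            findings.append(Drift(asset, "asset", added=[asset], severity="high"))
            continue
        for facet in FACETS:
            before = baseline[asset].get(facet, set())
            now = current[asset].get(facet, set())
            added, removed = sorted(now - before), sorted(before - now)
            if added or removed:
                findings.append(Drift(asset, facet, added, removed, SEVERITY[facet]))
    return findings


def approve_change(baseline: Inventory, asset: str, facet: str, value: str,
                   add: bool = True) -> Inventory:
    """Fold an approved change into a copy of the baseline so it stops alerting.
    Returns the new baseline; the original is left untouched for audit history."""
    updated = deepcopy(baseline)
    facet_values = updated.setdefault(asset, {}).setdefault(facet, set())
    if add:
        facet_values.add(value)
    else:
        facet_values.discard(value)
    return updated


def change_log(findings: List[Drift]) -> List[str]:
    """Render findings as change-log lines, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines: List[str] = []
    for f in sorted(findings, key=lambda d: (order[d.severity], d.asset, d.facet)):
        for v in f.added:
            lines.append(f"[{f.severity.upper()}] {f.asset} {f.facet}: added {v}")
        for v in f.removed:
            lines.append(f"[{f.severity.upper()}] {f.asset} {f.facet}: removed {v}")
    return lines


# Constructed sample data: an HMI that gained a remote-access tool, a listening
# port and a local account since baselining, an unchanged RTU, and a host that
# was never baselined at all.
BASELINE: Inventory = {
    "PLC-HMI-01": {
        "software": {"VendorHMI 5.2", "Acrobat Reader 11"},
        "services": {"hmi_runtime", "opcua"},
        "ports": {"102/tcp", "4840/tcp"},
        "users": {"operator", "maint"},
    },
    "RTU-07": {"software": {"RTU-FW 3.1"}, "services": {"dnp3"},
               "ports": {"20000/tcp"}, "users": {"admin"}},
}
CURRENT: Inventory = deepcopy(BASELINE)
CURRENT["PLC-HMI-01"]["software"].add("TeamViewer 15")
CURRENT["PLC-HMI-01"]["services"].add("teamviewerd")
CURRENT["PLC-HMI-01"]["ports"].add("5938/tcp")
CURRENT["PLC-HMI-01"]["users"].add("svc_remote")
CURRENT["UNKNOWN-LAPTOP"] = {"software": set(), "services": set(),
                             "ports": {"22/tcp"}, "users": {"root"}}

if __name__ == "__main__":
    for line in change_log(detect_drift(BASELINE, CURRENT)):
        print(line)
```

The design point is that the baseline is immutable except through `approve_change`, so every deviation stays visible until someone with authority over the asset accepts it; that is what makes the change log an audit record rather than just an alert feed. In a real deployment the snapshots would come from endpoint collection or passive network data rather than being typed in, but the comparison and approval logic is the same.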

DOMAIN 2: Cybersecurity Program Management (CPM)

Domain 2 focuses on establishing and maintaining an enterprise cybersecurity program. The program aims to align the organisation's strategic objectives with its cybersecurity actions, considering risks to critical infrastructure. The organisation must have a defined cybersecurity strategy that outlines its objectives. This strategy should be well-documented and align with the organisation's overall strategic goals and risk considerations. The strategy also sets out the governance and oversight approach for cybersecurity activities. Active engagement and sponsorship from senior management are essential for the program's success.

How Industrial Defender supports:

Industrial Defender offers a broad suite of features that support a robust cybersecurity program. Recognising the importance of a comprehensive cybersecurity approach, it provides not only a wide range of tools but also an extensive API for integration. The platform has a detailed asset classification mechanism and risk scoring system, ensuring critical assets and their risk levels are clearly identified for resource allocation. Industrial Defender can serve as a foundational element of a cybersecurity strategy, offering real-time operational capabilities and historical data for program refinement and for demonstrating compliance with standards and policies. Users are also equipped with high-level dashboards, diverse reports, and an API for custom reporting, all supporting continuous monitoring and improvement.

DOMAIN 3: Supply Chain and External Dependencies Management (EDM)

Domain 3 revolves around managing cybersecurity risks linked to dependencies on external entities, aligned with the threat to critical infrastructure and the organisation's goals. This domain emphasises identifying significant IT and OT supplier and customer dependencies, prioritising these based on the organisation’s risk criteria. Cybersecurity risks from suppliers and third-party affiliations are pinpointed and addressed. The criteria involve considering cybersecurity requirements when forming third-party relations, embedding these requirements in contracts, and selecting third parties based on their cybersecurity proficiency. The domain also necessitates periodic third-party reviews, manages risks using the organisation's risk management procedures, and mandates suppliers to report vulnerabilities in products. Lastly, procured assets undergo cybersecurity acceptance testing, and information sources are scrutinised for potential supply chain threats.

How Industrial Defender Supports:

Industrial Defender accumulates detailed software inventory and firmware data, allowing users to assess and monitor dependencies by vendor. Through our collaboration with FoxGuard, the platform offers insights into supplier software, patch availability, and authenticity. The system monitors logs for both authorised and unauthorised user access, raising notifications for unusual activity patterns. User accounts are catalogued as a fundamental part of the baseline, enabling detection of new account creations or modifications. The platform's vulnerability and patch management features identify known vulnerabilities and obtain available patches from OT vendors. Finally, its comprehensive inventories of software, firmware, and hardware make it a practical basis for reviewing supplier vulnerabilities and defects.

DOMAIN 4: Identity and Access Management (IAM)

Domain 4 focuses on Identity and Access Management (IAM). IAM is about the creation and management of identities that can be granted access, either logically or physically, to the organisation’s assets. This process involves provisioning identities for those who need access to specific assets and ensuring they're appropriately deprovisioned once not required. Regular reviews of identities and associated credentials are undertaken to maintain their validity. Determining and controlling access is paramount; it is granted based on set requirements, invoking principles like least privilege and separation of duties. Notably, access requests undergo scrutiny by the asset owner. Particularly sensitive privileges, like root or administrative access, receive enhanced oversight. The frequency of access privilege reviews is set by the organisation, and any unusual access attempts are monitored as potential cybersecurity threats.

How Industrial Defender supports:

For Domain 4, the Industrial Defender platform monitors authentication activity to validate compliance with cybersecurity policies. The platform collects user configurations across assets and applications, highlighting deviations or conformance to identity provisioning policies. Industrial Defender checks password and account policies against security benchmarks. Role-based and asset-based access controls within the platform support principles of least privilege and separation of duties. Industrial Defender maintains asset owner information for managing access requests. It also monitors authentication activity for anomalies, generating alerts. Finally, the platform reviews user configurations for account status, usage, and privilege levels.

DOMAIN 5: Event and Incident Response, Continuity of Operations (IR)

This domain mandates that organisations have plans and technologies to detect, analyse, and respond to cybersecurity events, ensuring ongoing operations during such events. Key aspects include having a designated contact for event reports, consistent logging and reporting of detected events, set criteria for event detection, and a central repository for event logs. Event data should be analysed to identify patterns and trends. Additionally, event detection should adapt based on the organisation's risk and threat assessments, with continuous monitoring to quickly identify cybersecurity incidents.

How Industrial Defender Supports:

Industrial Defender identifies vulnerabilities in software, firmware, and operating systems at a level of detail that supports event and incident response processes. The platform's administrative properties record the point of contact, owner organisation, location, and criticality for each asset. It actively monitors OT and IT systems for cyber events using several mechanisms, such as host-based agents, remote log monitoring, and passive network traffic observation. It standardises event streams from all assets for efficient analysis and offers event notification mechanisms such as email and API. The platform can detect patterns across assets, identify deviations from asset baselines or cybersecurity policies, and facilitate external integration through APIs, database views, and reports. It also applies a risk-based approach to analysing events, offers integrations for sharing data with SIEM systems, and uses both rule-based and machine-learning threat detection techniques.

DOMAIN 6: Information Sharing and Communications (ISC)

This domain pertains to the structured approach of establishing and fostering connections with both internal and external entities, centred on the efficient collection and dissemination of crucial cybersecurity information, spotlighting threats and vulnerabilities. It aims to mitigate potential risks, fortify critical infrastructure, and ensure that organisational objectives are met with resilience. Within this framework, selected individuals or organisations become pivotal points of information exchange, with dedicated personnel handling cybersecurity reporting. Moreover, this domain prioritises consulting expert technical sources, securely transmitting sensitive data, and emphasising swift and comprehensive information-sharing, whether in routine or emergent situations. An underpinning principle of Domain 6 is the cultivation of a trust-based network that spans both internal and external contacts, streamlining the verification of cyber event information.

How Industrial Defender Supports:

Industrial Defender enables external integration with other entities and applications through an API, asynchronous events via email, and scheduled reports. The platform has custom integrations for sharing data with SIEM systems, giving analysts deep OT asset context. Its administrative properties list point of contact information for each asset, owner organisation, physical location, and criticality level. Industrial Defender's external integration points use encrypted transport, and shared data can be tagged as sensitive or classified. The platform also offers granular control of integration points, managing the recipient and content of shared information.

DOMAIN 7: Risk Management (RM)

Domain 7, Risk Management (RM) revolves around the establishment, operation, and maintenance of a comprehensive enterprise cybersecurity risk management program. This program is designed to identify, analyse, and mitigate cybersecurity risks to the organisation, covering its business units, subsidiaries, interconnected infrastructure, and stakeholders. It mandates a documented cybersecurity risk management strategy that outlines an approach for risk prioritisation. Risks are identified and then either mitigated, accepted, tolerated, or transferred. These identified risks undergo assessments in line with the management strategy, ensuring they're documented, analysed, and then prioritised for response activities. Continuous monitoring of these risks is paramount, with the analysis further enriched by understanding the network architecture, be it IT and/or OT. To encapsulate, the risk management program clearly defines and enforces policies and procedures which are the embodiment of the overarching cybersecurity risk management strategy.

How Industrial Defender Supports:

Industrial Defender supports the Risk Management requirements described in the AESCSF by tracking asset types, classifications, criticality, network and physical locations, organisation, and ownership; these factors are pivotal in forming a risk management strategy. The platform calculates real-time risk factors for assets, an essential input to risk prioritisation, combined with a static risk analysis for each asset. Industrial Defender's vulnerability monitoring identifies vulnerabilities in software, firmware, and operating systems. It also offers visibility into the risk mitigation process and allows custom risk scoring based on the properties of network assets.

DOMAIN 8: Situational Awareness (SA)

Domain 8, titled Situational Awareness (SA), sets out guidance for establishing robust procedures and technologies that systematically gather, analyse, and present operational and cybersecurity data. It emphasises the creation of a holistic common operating picture (COP), which draws on summaries from other model domains. The guidance underscores logging pivotal assets associated with the function where feasible, with clear requirements for these assets, aggregation of log data, and their alignment based on the function's inherent risk. Concurrently, monitoring demands the consistent oversight of OT environments for anomalies, expedited event data reviews, and the integration of alerts designed to detect cybersecurity disruptions. Monitoring should not only reflect the function's threat landscape and prioritise risk but also seamlessly align with other business and security operations. Continuous surveillance of the OT environment, supplemented by a risk register, ensures any deviations are instantly recognised and flagged by tailored alerts.

How Industrial Defender Supports:

Industrial Defender's comprehensive OT asset data enhances situational awareness within the OT environment. The platform employs diverse monitoring mechanisms, from host-based agents to passive network traffic analysis, to oversee both OT and IT systems for cyber events. This event data is unified for seamless analysis and correlation. Leveraging an extensive rule library, Industrial Defender's active and passive scanning methods cater to a wide range of devices and support custom additions. The platform's nuanced log scanning is tailored per asset for flexibility. Monitoring includes configuration changes, key performance indicators, and removable media activity. An event review system with annotation capabilities aids analysis, while unreviewed event age is used as a risk factor for assets, bolstering risk assessment.

DOMAIN 9: Threat and Vulnerability Management (TVM)

Domain 9 highlights the imperative of establishing and maintaining plans, procedures, and technologies to effectively detect, identify, analyse, manage, and respond to cybersecurity threats and vulnerabilities. This encompasses identifying information sources for threat management, interpreting cybersecurity threat information, addressing significant threats, and forming a comprehensive threat profile. It also involves prioritising and monitoring information sources covering the entire threat profile, as well as analysing, prioritising, and addressing identified threats according to assigned priorities. At the same time, the domain stresses reducing vulnerabilities by identifying sources for cybersecurity vulnerability discovery, gathering and interpreting vulnerability information, addressing crucial vulnerabilities, and performing assessments. This includes analysing and prioritising vulnerabilities, considering operational impact before patch deployment, conducting independent vulnerability assessments at defined frequencies, and integrating vulnerability information into the risk register to inform decision-making.

How Industrial Defender Supports:

Another of Industrial Defender's core strengths is vulnerability management. The platform addresses this domain through several approaches, including proactive vulnerability monitoring to identify known vulnerabilities in software, firmware, and operating systems using ICS-CERT advisories and OSINT. In collaboration with FoxGuard's patch management system, Industrial Defender identifies vendor-approved patches for OT systems. The platform also offers transparency into the threat remediation process.

Industrial Defender further monitors both OT and IT systems for cyber events, using mechanisms such as host-based agents, remote log monitoring, and passive network traffic analysis. The platform updates asset risk scoring to reflect evolving conditions and support ongoing improvement initiatives. It also streamlines the vulnerability assessment process and provides raw vulnerability information to support informed prioritisation of mitigation efforts.

Again, you can also download our full detailed AESCSF Mapping Guide here: https://www.industrialdefender.com/resources/aescsf-mapping-guide-industrial-defender

Achieve Compliance Swiftly, Easily and Confidently with Industrial Defender

Managing security programs and adhering to frameworks can be daunting. We can guide you swiftly towards compliance and assist you in maintaining it. Remember, this isn't a one-time task; maintaining compliance and a robust security posture is a round-the-clock commitment.

Industrial Defender possesses deep OT domain expertise and has an extensive history of catering to the distinct requirements of industrial companies — from the control room to the boardroom. Our team can help yours align with every domain in the AESCSF and enhance maturity across various stringent cybersecurity frameworks. With the experience of hundreds of successful audits under our belt, Industrial Defender can lessen the strain and bolster your confidence when audit time rolls around.

See first-hand how we can assist you in aligning with the AESCSF and meeting CIRMP requirements.

Schedule a demo with our OT security architects to dive deeper into our capabilities: https://www.industrialdefender.com/demo/demo-request

You can also download our detailed AESCSF mapping guide here: https://www.industrialdefender.com/resources/aescsf-mapping-guide-industrial-defender