How critical infrastructure operators can achieve cyber security compliance

The Security of Critical Infrastructure (SOCI) legislation amendments have been designed to make reporting of security incidents mandatory and covers a broad cross-section of the Australian economy. The definition of critical infrastructure includes 11 industry sectors, covering everything from communications and energy operators to financial services, healthcare, food, and transportation.

Under the SOCI framework, operators of assets deemed to be critical infrastructure must notify the government within 12 hours of a critical cyber security incident occurring. For incidents that occur but are not deemed to be critical, an organisation has 72 hours to lodge a report.

Elevating the importance of cyber security

Overseen by the Cyber and Infrastructure Security Centre in the Department of Home Affairs, the SOCI amendments are an opportunity for critical infrastructure operators to make improvements to their security while remaining competitive over the longer term. When regulations apply to an entire industry sector, all entities incur an impact on their operating margins in the short term, effectively levelling the playing field, but also enabling economies of scale by stimulating demand for cyber security products and services.

Over the longer term, increased cyber security resilience results in cost savings by avoiding or minimising disruptive outages and expensive incident response activities that follow a cyber security incident.

The SOCI Act amendments mandate reporting of cyber incidents. An incident having a “significant impact” on the availability of a critical infrastructure asset, meaning a material disruption, must be reported to the Australian Cyber Security Centre (ACSC) within 12 hours of the operator becoming aware of the incident. If the report to ACSC is verbal, a written record must be submitted via ACSC’s website within 84 hours of the verbal report.

For incidents that are having or likely to have an impact on the confidentiality, integrity, availability, or reliability of an asset, this is classed as a “relevant impact” and must be reported within 72 hours, with an additional 48 hours to follow a verbal report with a written report. Any cyber incursion that reaches exploitation stage has at least “relevant impact” must be reported. Incident reports need to include all relevant information including at a minimum, the date and time, impact, mode of discovery, type of incident, and affected assets.

VIEW ALL

For the operators of critical infrastructure assets, it is especially important to meet reporting requirements in order to maintain the trust of the regulator. If the operator of an asset is unable or unwilling to conduct incident response, the minister of home affairs may exercise powers of government assistance to mandate an intervention. To meet the stringent reporting timeframes required for disclosure of security incidents and avoid the perception of being unable to conduct incident response, a regulated organisation would be well-served to invest in a system of record and develop rigorous processes to ensure that incident response plans and details of specific incidents are kept up to date. The Cyber and Infrastructure Security Centre warns that sophisticated malicious actors may be monitoring an organisation’s communication channels to understand the response and evade further detection, so it is important to ensure that incident response plans, collaboration, and communications are kept secure.

Incident response plans

To ensure they will have the ability to respond within the require time periods, operators of critical infrastructure should have in place a detailed incident response plan. This plan should clearly show what steps will be taken and by whom.

A detailed plan would spell out how data will be collected, formatted, approved internally, and then released to authorities. It is appropriate for each step to be fully documented and explained to everyone who will be involved in the process.

Regular testing

The next step in the preparatory process is to conduct regular tests of the plan to ensure that it can actually enable the organisation to meet its obligations. Having a document is one thing, however, ensuring it can deliver what’s required is another.

An effective way to conduct testing is by holding a simulation or “tabletop” exercise. A mock incident is declared after which designated teams should collect required data and create reports suitable for submission to government authorities.

The exercises should be held in real time to ensure deadlines can be met and all required information can be obtained in a timely manner. They should also be conducted at regular intervals during the year to confirm that capabilities remain in place.

Review data gathering processes

A third important step is to carefully review the processes in place designed to collect relevant data in the context of a cyber incident. Ideally, these processes should be able to collate details from across the entire infrastructure and deliver them to a central location quickly and reliably.

The organisation also should have a trustworthy system of record to capture and organise the data once it has been captured. This system also should ideally have the ability to automate the collation and processing steps where possible.

Once these steps have been completed, an operator of essential infrastructure can be confident in its ability to respond to authorities within the mandated timeframes. The steps also ensure that, should an incident occur, an accurate picture of exactly what has happened can be created as quickly as possible.

For all organisations, having effective cyber security measures in place is important. When an organisation is responsible for critical infrastructure, those measures become even more vital.

Vaughan Shanks is the co-founder and CEO of Cydarm Technologies.