Building a risk management program for critical infrastructure
14 Jul 2023

In Australia’s bustling cities and vast remote regions lie the critical infrastructure assets that are fundamental to people’s lives: electricity, water, health care, telecommunications, transport, food and more. Critical infrastructure is vulnerable to an array of hazards, including threats from people with malicious intent, and needs to be protected.

In recent years, owners and operators of critical infrastructure assets in Australia have faced a number of challenges, including the impacts of the Covid-19 pandemic, natural disasters, economic fluctuations, cyberattacks, supply-chain disruptions and data breaches.

To safeguard our society by maintaining the vital services we depend on, in 2022 the government introduced amendments to the Security of Critical Infrastructure Act 2018 that require owners and operators of critical infrastructure to develop and maintain a written critical infrastructure risk management program (CIRMP). The CIRMP enables the identification of risks and informs investment in measures to protect critical infrastructure against potential threats. The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 outline the baseline security standards that must be met by 17 August 2023.

In navigating the road to compliance, owners and operators that are subject to the rules must provide an annual report to the Department of Home Affairs (or other relevant regulator). The report will assess the effectiveness and maturity of the entity’s risk-mitigation measures and must be approved by the entity’s board or governing body. The first report is due between 30 June and 28 September 2024.

The CIRMP must address risks across four key hazard vectors: cyber and information, personnel, supply chain, and physical and natural hazards. It is essential for critical infrastructure entities to establish and maintain processes or systems that minimise, mitigate or eliminate potential impacts arising from these hazards.

While implementing the protective security requirements outlined in the legislation may seem daunting, it also presents an opportunity to strengthen critical infrastructure enterprises. The design of the act and the rules draws heavily on the Commonwealth Protective Security Policy Framework (PSPF), which has been evolving over the past couple of decades.

The PSPF serves as a guide for government entities in implementing protective security measures. It emphasises a risk management approach rather than a compliance mindset, allowing entities to tailor their security measures to their specific goals, risk environment and capabilities. It also encourages the maturation of security measures over time, empowering management to determine the appropriate level of investment in protective security controls based on evolving threats.

It’s important to remember that there’s no one-size-fits-all template for the CIRMP: it should be customised to suit the unique circumstances and risks of each entity. However, the PSPF provides some key insights that can help entities to develop effective CIRMPs.

Integrate security into governance. Integrating security into existing business processes is key to creating a robust CIRMP. This involves fostering regular discussions and making security an integral part of organisational decision-making. Establishing clear governance at the board level ensures accountability and proper allocation of resources.

Utilise existing resources. Building on existing best practices, standards and procedures provides a solid foundation for an effective CIRMP. Identifying and prioritising efforts to bridge any gaps in security measures helps maximise the use of available resources.

Set a realistic budget. Aligning security objectives with adequate resources demonstrates a strong commitment to protecting critical infrastructure assets. It is essential to allocate a realistic budget that supports the implementation of necessary security measures.

Move beyond compliance. Moving beyond a compliance mindset is crucial for a comprehensive CIRMP. That could include a focus on understanding contextual factors and deploying dynamic security controls that adapt to evolving threats. It’s also important to cultivate a security culture that establishes clear expectations, promotes effective communication, demonstrates best practices and provides ongoing education throughout the organisation.

Establish performance metrics. Establishing specific, measurable and achievable metrics is vital to evaluate the effectiveness of security measures. These metrics should provide insights into overall enterprise activity and risk management. Regular reporting and continuous evaluation are important to monitor security maturity and drive improvements.

By incorporating these insights from the PSPF, critical infrastructure owners and operators can confidently develop robust and tailored CIRMPs that enhance the protection of their assets, bolster the resilience of their operations, and enable them to report their risk maturity in line with legislation.