Expired deadline threatens critical infrastructure as compliance lags

Check Point Software Technologies Ltd

By Sadiq Iqbal*
Monday, 21 October, 2024

The Australian Government’s Security of Critical Infrastructure (SOCI) Act, designed to bolster the resilience of the nation’s vital assets, faces a potential compliance crisis. With the deadline for achieving cybersecurity framework alignment having expired on 17 August, many organisations responsible for critical infrastructure (CI) scrambled to meet this crucial benchmark.

Framework options include varying levels of resilience and complexity, starting with a base of the Essential Eight Maturity Model — level one maturity — and ranging across more globally recognised cyber standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO 27001/27002 for information security, and equivalent industry-specific frameworks such as the Australian Energy Sector Cyber Security Framework (AESCSF) for the energy sector.

The SOCI Act also mandates that ‘responsible entities’ — organisations that own, operate or have a direct interest in critical infrastructure assets across 11 sectors — submit a report on the status of their Critical Infrastructure Risk Management Program (CIRMP). The deadline for this requirement is within 90 days from the end of the financial year — for this year 28 September — and the report requires sign-off from the board of directors.

What is causing the lag?

Several factors are likely contributors to the current compliance shortfall. The complexity of the Act itself, coupled with a relatively short timeframe for implementation, has left many organisations overwhelmed.

The SOCI Act goes well beyond simply ticking boxes. It demands a holistic approach to cybersecurity, requiring responsible entities to demonstrate a cultural shift towards proactive risk management: not only meeting a particular cyber framework compliance level, but also maintaining and updating it, and aligning with uplifts such as those seen in the revisions to the Essential Eight Maturity Model in November last year.

Also, a lack of readily available resources and skilled personnel to navigate the technical aspects of framework implementation has further hampered progress. The talent pool for cybersecurity professionals remains tight, making it challenging for organisations to find the expertise needed to effectively implement the frameworks.

The consequences of non-compliance are significant. Aside from potential reputational damage, organisations face hefty fines for failing to meet their obligations under the SOCI Act. More importantly, inadequate cyber defences leave critical infrastructure vulnerable to attacks, potentially jeopardising national security and public wellbeing.

Consider the ramifications of a successful cyber attack on a power grid, disrupting essential services and plunging entire cities into darkness. Or a cyberattack infiltrating a water treatment facility, potentially compromising the safety of the drinking water supply. These are not hypothetical scenarios, but rather the very real threats that the SOCI Act seeks to mitigate.

Building a culture of cyber resilience

While achieving compliance by 17 August was critical, it’s important to recognise that the SOCI Act also represents a paradigm shift towards building a culture of cyber resilience within organisations responsible for critical infrastructure. This culture is characterised by proactive risk management, continuous improvement and shared responsibility.

While the clock has kept ticking, there is a series of practical steps organisations can take to achieve SOCI Act compliance while simultaneously building a strong foundation for long-term cyber resilience.

The steps include:

  • Conducting a gap analysis: Assess the organisation’s current cybersecurity posture by comparing it against the chosen security framework, which will identify areas where existing controls fall short and highlight the gaps that require immediate attention.
  • Prioritising and remediating: Focus on addressing the most critical security gaps first, which could involve implementing multi-factor authentication, strengthening password protocols, or patching vulnerabilities in outdated software.
  • Seeking expert guidance: Consultants with experience in implementing security frameworks can provide invaluable guidance and ensure efforts are aligned with the SOCI Act requirements: seek out consultants who understand the specific needs of your industry sector and have a proven track record.
  • Investing in awareness training: Staff should be trained in cybersecurity best practices: educate them on common threats like phishing attacks and social engineering scams, and empower them to identify and report suspicious activity.
  • Maintaining continuous improvement: Even after achieving compliance, it’s vital to continuously monitor and update your organisation’s security posture to adapt to evolving threats and vulnerabilities: schedule regular security assessments to identify new vulnerabilities and ensure existing controls remain effective.

Government recommendations

For those high-priority critical infrastructure assets declared a System of National Significance (SoNS), a number of measures have been recommended as best practice and could become a mandatory addition to the SOCI Act in the future, in the form of enhanced cybersecurity obligations.

They include:

  • Developing incident response plans to prepare for a cybersecurity incident.
  • Undertaking cybersecurity drills to build and test cyber preparedness (tabletop exercises).
  • Undertaking vulnerability assessments to identify vulnerabilities for remediation.
  • Providing system information to develop and maintain a near real-time threat picture (telemetry data and event logs).

A collaborative effort for a secure future

The SOCI Act represents a significant step forward in safeguarding Australia’s critical infrastructure. By prioritising these recommended steps, embracing collaborative efforts, and fostering a culture of cyber resilience, responsible entities can significantly reduce cyber risks and ensure the continued smooth operation of essential services that underpin Australia’s wellbeing.

The ultimate goal should not just be to meet a compliance deadline, but to create a future where the nation’s critical infrastructure is shielded from cyberthreats. This requires a collective effort from government, industry and the broader community. By working together, it will be possible to build a more secure and resilient future for all Australians.

*Sadiq Iqbal is Cyber Security Advisor at Check Point Software Technologies based in Sydney, where he leads the regional strategic technical sales team of senior pre-sales engineers and provides cybersecurity thought leadership and consulting advice to major enterprise organisations. He has more than 20 years' experience in the ICT industry, having evolved from systems engineering through solution architecture to strategic consulting and building and leading pre-sales teams.
