What is the SLACIP Act?
On March 31, 2022, the Senate and the House of Representatives of the Australian Parliament passed the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, approving the SLACIP Act. The purpose of the SLACIP Bill is to improve the resilience and risk management practices of Australia’s critical infrastructure sector. The SLACIP Bill should also make it easier for affected organisations and governments to share information.
The SLACIP Bill is one of two updates to the Security of Critical Infrastructure Act 2018 (SOCI Act). The Australian government enacted the first update through the Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act), which went into effect on December 2, 2021.
The SLACIP Act is intended to improve security of Australia’s critical infrastructure by making risk management, preparedness, prevention and resilience a part of day-to-day business practices for the owners and operators of critical infrastructure assets. The SLACIP Act should also improve the exchange of information between industry and government to allow for more complete visibility into the threats and protections facing Australia’s critical infrastructure providers.
What are responsible organisations required to do?
The SLACIP Act centers around two key measures:
- the first requires responsible organisations to create and maintain a critical infrastructure risk management program
- the second involves additional requirements for enhanced cyber security for operators of systems of national significance (SoNS): Australia’s most important critical infrastructure assets.
At the time of posting this article, it is unknown which assets will be declared SoNS. The rest of the article will focus on the first measure: the risk management program.
Critical Infrastructure Risk Management Program
The risk management program of the SLACIP Act requires critical infrastructure owners and operators to adopt and maintain a risk management program in order to manage the risk of hazards that could affect the delivery of their essential services.
The scope of the program is broad. The program looks to have the responsible organisations identify, prevent and mitigate risks from all hazards, both natural and man-made, including cyber and information security hazards, personnel hazards, supply chain hazards, physical security hazards and natural hazards. The government wants the responsible organisations to identify hazards that present a material risk to the availability of their critical infrastructure assets and to proactively minimise or eliminate the risk of such hazards occurring.
The risk management program rules have yet to be finalized, though a draft of the rules and high-level guidance has been provided about what is expected in a risk management program, including:
- a process or system for identifying the operational context of each relevant critical infrastructure asset
- a principles-based risk identification process used to identify risks to the critical infrastructure asset
- a risk management process or system that includes, for each material risk to the asset, a process or system to consider the risk and minimise or eliminate the risk
- a process for reviewing the program, and for keeping the program up to date
Which critical infrastructure does the risk management program apply to?
The program will initially apply to the following ten categories of critical infrastructure:
- critical broadcasting assets
- critical domain name systems
- critical data storage or processing assets
- critical hospitals
- critical energy market operator assets
- critical water and sewerage assets
- critical electricity assets
- critical gas assets
- critical liquid fuel assets
- critical financial market infrastructure assets that are a critical payment system
Additionally, three other industries are expected to be added no earlier than January 1, 2023: critical food and grocery assets, critical freight services assets and critical freight infrastructure assets. These industries have a delayed requirement due to the supply chain impacts resulting from the COVID-19 pandemic.
How much will the risk management program cost responsible entities?
There are two potential costs that responsible organisations need to consider: the cost of implementation and the cost of non-compliance.
With regard to implementation costs, Home Affairs Secretary Mike Pezzullo previously said the costs for running the risk management program, on average, would set organisations back a one-off AU$9.7 million payment to set the program up and an ongoing annual cost of AU$3.7 million.
On the flip side, failing to comply with the various requirements of the critical infrastructure risk management program carries notable civil penalties:
- Failure to adopt, maintain, comply with, regularly review, and take all reasonable steps to ensure the currency of a critical risk management program can result in a fine of AU$44,400, or AU$222,000 for corporations
- Failure to submit an annual report in a form approved by the Secretary and, where relevant, approved by the entity’s board, council or other governing body, can result in a fine of AU$33,300, or AU$166,500 for corporations
How can Balbix help?
Organisations that own or operate critical infrastructure assets should consider whether their existing risk management processes will be sufficient to comply with the risk management program requirements of the SLACIP Act, or whether they will need to put new measures into effect. Balbix can help organisations prepare to meet these requirements, and generally improve their cyber risk management programs, including:
- Enterprise-wide visibility: Organisations can continuously inventory all digital assets and vulnerabilities, on-premises and in the cloud, and predict their likelihood (in %) of being breached
- Real-time dashboards: Organisations can report on risk issues, key SLAs and overall breach risk (in AU$)
- Automated cybersecurity posture: Organisations can save money by continuing to use their existing IT and security investments; and can reduce headcount costs by automatically discovering, prioritizing and remediating vulnerabilities (including CVEs, misconfigurations and other risk issues)
Frequently Asked Questions
- What does SLACIP stand for?
SLACIP stands for Security Legislation Amendment (Critical Infrastructure Protection), and refers to the Australian 2022 SLACIP Act outlining requirements for critical infrastructure risk management.