A recap on Australia’s SOCI Act
In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.
Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.
A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.
SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).
In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although it is noted that interpreting SOCI requires careful reading and research. Implementation is complicated by changes to the legislation during the parliamentary process, which affect the relevance of the guidance material.
How is a ‘critical worker’ defined?
Part 1, Division 2, Section 5 of the SOCI Act
The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:
(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);
(b) the absence or compromise of the individual:
(i) would prevent the proper function of the asset; or
(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;
(c) the individual has access to, or control and management of, a critical component of the asset.
An individual must satisfy all three elements of the above test to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat lens and a business continuity lens, identifying those whose absence or compromise could prevent the asset’s operation or cause significant damage.
Although the legislation does not tie this to personnel, the judgement of whether a potential risk event could cause significant damage would ideally be made through a risk assessment, using the residual risk ratings determined by the Responsible Entity.
What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?
Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented so that only Critical Workers who have passed the AusCheck (or a comparable) process gain access to critical components. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.
Section 9 Personnel hazards
(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:
(a) to identify the entity’s critical workers; and
(b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and
(c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:
(i) arising from malicious or negligent employees or contractors; and
(ii) arising from the off-boarding process for outgoing employees and contractors.
Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.
The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Agency, which provides the level of traceability and scrutiny needed to identify, assess and mitigate Personnel Hazards.
What are the implications for employers?
Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three scenarios are likely for each individual:
- Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impact on employee engagement or employment contracts
- Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck on the grounds of ‘conscientious objection’ or the suspicion that they may fail
- Employees (or employees of a critical supplier) fail the AusCheck process
Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.
Real dilemmas are likely to be encountered by smaller Responsible Entities whose operations are not big enough to separate their critical and non-critical operations. Such employers may be unable to move employees who fail or object to AusCheck into non-critical worker roles, as there may not be any available. One thing is clear: employers need to be proactive and consider what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.
References
- Commonwealth of Australia (2018). Security of Critical Infrastructure Act 2018
- Commonwealth of Australia (2023). Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023
- Curwell, P. (2022). How can Insider Threats manifest in the Supply Chain?
- Curwell, P. (2023). Designing your workforce screening program
- Curwell, P. (2023). Understanding High Risk Roles
- Curwell, P. (2023). Workforce Screening Programs should include your suppliers
- Curwell, P. (2023). What is a Personnel Security Risk Assessment?
- Department of Home Affairs (2023). AusCheck background checking, www.homeaffairs.gov.au
- Department of Home Affairs (2023). Critical Infrastructure in Legislative Information and Reforms, www.homeaffairs.gov.au