SOCI Act 101 – Operational Information explained

Understanding SOCI is inherently complex

I’ve said it before and I’ll say it again – Australia’s Security of Critical Infrastructure Act, or SOCI for short, is a big, complex piece of legislation comprising the Act itself, supported by (5) legislative instruments (Rules) which provide more guidance on implementation. Anyone who claims the legislation is simple really hasn’t read it!

Working with legislation like this is likely to be completely new for many Australian executives and security professionals unless they have prior experience in highly regulated industries or in regulatory compliance.

If you are new to compliance or would like to understand how to build an ISO 37301:2021 Compliance Obligation Register, have a read of this article I wrote in March 2023:

Each time I read the legislation I pick up something new – this often requires my flicking back and forth throughout the various documents and sections of the Act to cross-reference each obligation or definition and understand its intent.

With legislation like this, you only start to understand its nuances as you apply it to real-world examples, decomposing each element of a critical asset and applying the legislative tests to determine the appropriate treatment.

Developing a compliant CIRMP whilst minimising unnecessary costs and the impact on a critical infrastructure operator's business, workforce and supplier ecosystem is the challenge.

SOCI creates two key documents

Information or data (as opposed to information system security) is a domain of SOCI, just like Personnel referenced in my previous article on Critical Workers:

Under SOCI, there are effectively two key documents which relate to information and information protection:

  • Register of Critical Infrastructure Assets – this Register is not public and is maintained by the Secretary of Home Affairs. It comprises information on specific critical assets and beneficial ownership and control information for every piece of Australian critical infrastructure.
  • Critical Infrastructure Risk Management Plan (CIRMP) – all Reporting Entities are required to have a complete CIRMP by six months after the day of commencement of the Rules, that is, by 18 August 2023.

The Register needs to include your Operational Information

Operational Information is different to Sensitive Operational Information under SOCI. Divn 2 (19) of the Act requires Responsible Entities to provide an initial version of their Operational Information to the Department for inclusion in the Register.

Under s26 of the Act, should a Notifiable Event arise, an updated version of the Responsible Entity's Operational Information must be provided to Home Affairs. Presumably, this information will enable the Australian Government to rapidly perform a damage assessment and to support any crisis or national security response that may be required.


Under SOCI, Operational Information related to a Critical Infrastructure Asset means:

  • The asset’s location and a description of the area the asset services;
  • Information about each organisation that is the Responsible Entity for (or an operator of) the asset, comprising: the entity’s name, business registration number, head office or principal place of business address, and country of incorporation or formation;
  • Information about the CEO (or equivalent), comprising their full name and citizenship(s);
  • A description of the arrangements under which each operator operates the asset (or a part of the asset), including details of any control system of the asset if it is managed by a separate body;
  • A description of the arrangements under which data prescribed by the Rules relating to the asset is maintained;
  • Information prescribed by the Rules for the purposes of this paragraph (see below).

The ‘information prescribed by the Rules’ referenced above is currently only defined in Division 2.2 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021, where Operational Information comprises six categories:

  • Personal Information for at least 20,000 people (as defined in the Privacy Act 1998)
  • Sensitive Information (as defined in the Privacy Act 1998)
  • Critical Infrastructure Asset related Research and Development information
  • Information on systems needed to operate the Asset
  • Information about risk management (including security) and business continuity / crisis management / operational resilience about the Asset
  • Other sector-specific information as defined in 2.2 (17) (1) (vi) of these Rules

For any of the above Operational Information, Responsible Entities must provide a description of the arrangements for the Department’s Register that comprises:

  • The name of the entity that maintains the data; and
  • If that entity is not the responsible entity for the asset (e.g. Microsoft, Google etc), the entity’s business registration number, head office or principal place of business address, and country of incorporation; and,        
  • The address where the data is held (e.g. where computers or servers holding the data are located) and whether the computers or servers are part of a cloud service; and if using a cloud service—the name of the cloud service (e.g. Microsoft) and the kind of data that the entity maintains in these computers / servers / cloud environment.

What is Sensitive Operational Information?

Sensitive Operational Information is only mentioned in the CIRMP Rules in relation to identifying Material Risks to a Critical Infrastructure asset. These Rules list six examples of what would constitute sensitive information:

  • Layout diagrams
  • Schematics
  • Geospatial information
  • Configuration information
  • Operational constraints or tolerances information
  • Data that a reasonable person would consider to be confidential or sensitive about the asset

The above category of information is primarily technical in nature – such as pertaining to engineering or ICT applications – but is focused on minimising the disclosure of information about a critical infrastructure asset’s vulnerabilities, particularly where this information is stored, transmitted or processed outside of Australia.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Who are SOCI Act Critical Workers?

A recap on Australia’s SOCI Act

In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.

Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.

A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.

SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).

In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although interpreting SOCI requires careful reading and research. Implementation is complicated by changes made to the legislation during the parliamentary process, which affect the relevance of the guidance material.


How is a ‘critical worker’ defined?

Part 1, Divn 2, Section 5 of the SOCI Act

The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:

(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);

(b) the absence or compromise of the individual:

(i) would prevent the proper function of the asset; or

(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;

(c) the individual has access to, or control and management of, a critical component of the asset

Meeting all elements of the above test is required to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat and business continuity lens to identify those who could prevent the asset’s operation or cause significant damage.

Whilst the legislation does not link this to personnel, the way in which potential risk events could cause significant damage would ideally be determined via a risk assessment, based on residual risk ratings set by the Responsible Entity.

What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?

Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented to ensure only Critical Workers who have passed the AusCheck (or comparable) processes gain access. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.

Section 9 Personnel hazards

(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:

  (a) to identify the entity’s critical workers; and

  (b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and

  (c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:

    (i) arising from malicious or negligent employees or contractors; and

    (ii) arising from the off-boarding process for outgoing employees and contractors.

Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.

The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Agency which provides the level of traceability and scrutiny needed to identify, assess and mitigate Personnel Hazards.

What are the implications for employers?

Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three options are likely for each individual:

  • Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impacts to employee engagement or employment contracts
  • Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck along the grounds of ‘conscientious objections’ or the suspicion they may fail
  • Employees (or employees of a critical supplier) fail the AusCheck process

Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.

Real dilemmas are likely to be encountered by smaller Responsible Entities whose operations are not big enough to separate their critical and non-critical operations. This may mean those employers cannot move employees who fail or object to AusCheck into non-critical worker roles, as there may not be any available. One thing is clear: employers need to be proactive and focus on what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.

Further Reading


Never heard of Research Security? Why safeguarding your research today is critically important

How did we get here?

Research Security refers to the ability to identify possible risks to your work through unwanted access, interference, or theft and the measures that minimise these risks and protect the inputs, processes, and products that are part of scientific research and discovery.

Source: Why safeguard your research? Government of Canada (2021).


Followers of my blog will know that I regularly write about the scourge of Intellectual Property (IP) theft. One of my observations from working with Australian organisations of all shapes and sizes (including research and development, or R&D intensive ones which depend on commercialisation for success) is that we all too often ignore the importance of protecting our IP and early stage research.

Indeed, according to The Commission on the Theft of American Intellectual Property (2013), theft of United States IP alone is estimated in the vicinity of US$300 billion per annum, impacting jobs, GDP and innovation. According to testimony given by the former US National Security Agency Director, General Keith Alexander:

“The stealing of U.S. private company information and technology has resulted in the greatest transfer of wealth in history”

Hearing before the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, House of Representatives, 113th Congress, First Session, 9 July 2013.

Is all research and development the target of theft?

Most commonly it is applied research which is stolen (i.e. outcomes that can be directly applied to a tangible application or outcome which can be commercialised), as opposed to basic or discovery research. The coordinated theft of IP focuses on Science, Technology, Engineering and Mathematics (STEM) domains, as opposed to social science or humanities research.

One challenge with the R&D process is that you never know what you’re going to find – funding of R&D effectively involves placing strategic ‘bets’ to fund those programs assessed as having the greatest chance of success. So why don’t we put more time into protecting our research?

Part of the protection challenge stems from the nature of research itself, and of the knowledge creation process. Knowledge creators need to be able to operate in a creative environment that allows them to share ideas and concepts with others, and ultimately generate a positive R&D outcome over time. By their nature, many researchers are inclined to share and collaborate with others, and many (falsely) perceive the risk of IP theft as very low.

The knowledge creation process is very easily stymied through excessive security, which can inhibit creativity and innovation. On the other hand, too little security can mean your research walks out the door, either with an unscrupulous competitor or a departing employee. This is where the concept of research security comes in.

What is research security?

Successful research and innovation requires collaboration and formal partnerships between multiple parties, including governments, businesses, and academics. These collaborations and partnerships can occur in one country or internationally, almost like a ‘patchwork quilt’ of skills, competencies and capital.

Unfortunately, some bad actors and unscrupulous organisations have taken advantage of this process for their own gain. This includes nation states, some of which have been involved in state-sponsored industrial espionage (‘economic espionage’) for decades.

What is the impact of research theft?

  1. Diminished trust and confidence in your research data and results
  2. Loss of research data
  3. Loss of exclusive control over intellectual property, patent opportunities, and potential revenue
  4. Legal or administrative consequences
  5. Loss of potential future partnerships
  6. Tarnished reputation

Source: Why safeguard your research? Government of Canada (2021).

In response, countries such as the US, UK, Canada, New Zealand and more recently Australia have introduced ‘research security’ programs to help the research and innovation sector understand and manage this risk, as outlined below.

Source: US Director of National Intelligence, dni.gov

Canada’s Safeguarding Your Research program

The Government of Canada started raising research theft and research security as an issue in 2016, subsequently forming a joint Government of Canada-Universities Working Group to “advance open and collaborative research in a way that also safeguards research and maximizes benefits to Canadians”. The government has created the Safeguarding your Research portal which contains useful resources including:

  • Tools for building Security Awareness in the Academic Community
  • A checklist to help determine whether you are at risk
  • Information on mitigating economic and/or geopolitical risks in sensitive research projects
  • National Security Guidelines for Research Partnerships

United Kingdom

In contrast to Canada, the UK Government started its research security journey in 2019, with security programs being coordinated by the Centre for the Protection of National Infrastructure (CPNI). With almost 20% of UK research funding coming from international sources, CPNI suggests three key actions to safeguard your research:

  • Due diligence – who are your research partners, actually? Who are their research partners or investors? Remember that affiliations and company ownership can change over time: who you partnered with on day 1 may not be who you are partnered with on day 365. Bad actors frequently materialise after you have signed the partnership agreement, so due diligence should be undertaken on an ongoing basis.
  • Conflicts of interest – identify any actual or potential conflicts and ensure they are managed. This could include your research partner’s collaborations with your competitors.
  • Segregation – use security programs to segregate your valuable research programs, both physically and logically (i.e. cyber, physical and personnel security).

United States

Since mid-2018, the US Government has introduced a range of rules, policies and regulations to address concerns about foreign interference in research and the theft of intellectual capital. Various departments and agencies have introduced new measures to address risks to the integrity of the research enterprise, such as the establishment of the Joint Committee on Research Environment by the Office of Science and Technology Policy at the White House.

In 2018, the National Institutes of Health (NIH), one of the largest R&D funding bodies in the world, took the unprecedented step of writing to NIH grant recipients to inform them of the threat of foreign interference and IP theft in relation to biomedical research. This step has set the tone in terms of the seriousness of this issue, and should highlight to the research community globally the nature of the threat – which is manageable with the right mitigations.

Australia – time for a change of attitude?

In Australia, how we protect our research and innovation is largely dependent on who the threat actor is. From a commercial perspective, we typically adopt a legalistic approach to protecting our valuable research, historically relying predominantly on formal IP protections such as patents and copyright. This remains very important, but it is also largely ineffective against the threat of IP theft. By the time the matter gets to court, assuming you can find the thief, it’s too late and the only people who benefit are lawyers.

Once you have lost your valuable research, you face an expensive and time consuming battle to restrain the offending party from using the IP or gaining commercial advantage. Assuming you have the legal defence fund to pursue this course of action – noting your pockets may need to be deeper than your opponent in order to continue funding any litigation – you may not even recover 100% of what you lost. Further, if you didn’t take ‘appropriate’ actions to try and protect the information, a court may deem you also at fault.

Australia does not have formal trade secrets protection under IP law, unlike other countries. This means business is reliant on various Confidential Information provisions to protect its research and innovation, something which can be hard to defend. There is a litany of Australian case law showing companies which learned the hard way here when trying to protect their valuable information from competitors, third parties and former employees.

Where the threat actor is ultimately a nation state, Australians now have provisions in the Criminal Code 1995 (Cth) in relation to economic espionage – which also contains the first mention of the term ‘trade secret’ that I am aware of in Australian law – as well as the University Foreign Interference Guidelines. The Guidelines, which I will write about in a subsequent post, were refreshed in 2021 and provide an excellent introduction to developing what I would call a ‘research security framework’, but which can be applied to address all security threats to research and innovation, not just foreign interference.


I’m a research or commercialisation manager – what can I do about it?

Effectively managing this risk involves understanding what your critical information assets are, who has access to them, and how. This will allow you to identify those areas of greatest risk and focus your limited resources and effort accordingly. Doing this effectively involves a combination of cybersecurity, physical security, non-cyber information security and personnel security (insider threats) measures deployed as part of a holistic program.

The second critical aspect here is managing your research partnerships via a supply chain (third party) security program. This is broader than security – you need to perform proper due diligence (before commencing, throughout the life of the relationship, and for a period afterwards), as well as implementing the right security and legal controls to manage these risks, all whilst creating an environment where the actual researchers can collaborate and work their magic.

This is not easy and requires a good understanding of both security and research / innovation to be successful, but it is possible. As highlighted in this post, there are plenty of resources available to support you on this journey, but remember: the one thing that is clear is the risk of inaction.

Further reading


Australia’s Critical Technology and Supply Chain Principles – a new reality for industry (part 2)

What are the Principles?

As I outlined in an earlier post, Critical Technologies are those new or niche technologies which will confer a competitive advantage for Australia into the 21st Century.

On 15 November 2021, the Department of Home Affairs published the final version of the Critical Technologies Supply Chain Principles, after approximately one year’s public consultation. These principles come off the back of similar efforts in the USA, UK, New Zealand and other countries, all of which recognise the risks associated with Supply Chain Integrity and Security (SCIS).


Importantly, supply chain integrity and security is applicable to all industries, not just critical infrastructure operators (covered under the Security of Critical Infrastructure Act, or SOCI, and its subsequent amendment, SLACI) or those industries involved in Critical Technologies. The AgriFutures Australia study entitled ‘Product fraud: Impacts on Australian agriculture, fisheries and forestry industries’, published in late 2021, is a prime illustration of this (I will take a look at this report later).

Relevant Definitions

  • Foreign Ownership, Control and Influence (FOCI): A company is considered to be operating under FOCI whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorised access to sensitive operational information / confidential information or may affect adversely the performance of contracts in Australia’s national interest (adapted from US Government DCSA). Whilst this language originated in the U.S., it also is used by Australia’s Foreign Investments Review Board (see here) as well as Defence.
  • Supply Chain Integrity: “a set of policies, procedures, and technologies used to provide visibility and traceability of products within the supply chain. This is done to minimize the end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted” (United States Pharmacopeial Convention)
  • Supply Chain Security: activities aim to enhance the security of the supply chain or value chain, the transport and logistics systems for the world’s cargo and to “facilitate legitimate trade” (Government of Canada)
  • Product protection: the collection of programs, internal controls and security countermeasures designed and deployed to protect tangible and digital products against fraud, security and integrity threats in the supply chain and marketplace. This includes Anti-Piracy, Anti-Counterfeiting, Track and Trace, and Product Authentication measures (Curwell, 2022).

The Critical Technologies Supply Chain Principles establish 10 ‘agreed principles’ generally applicable to brand integrity, supply chain integrity, and product protection in any Australian industry:

Agreed Pillars and Agreed Principles

A. Security by design – Security should be a core component of critical technologies. Organisations should ensure they are making decisions that build in security from the ground up.
  1. Understand what needs to be protected, why it needs to be protected and how it can be protected.
  2. Understand the different security risks posed by your supply chain.
  3. Build security considerations into all organisational processes, including into contracting processes, that are proportionate to the level of risk (and encourage suppliers to do the same).
  4. Raise awareness of and promote security within your supply chain.

B. Transparency – Transparency of technology supply chains is critical, both from a business perspective and from a national security perspective.
  5. Know who your critical suppliers are and build an understanding of their security measures.
  6. Set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for your suppliers and encourage continuous improvement.
  7. Encourage suppliers to understand and be transparent in the depth of their supply chains, and provide this information to customers.

C. Autonomy and Integrity – Knowing that suppliers demonstrate integrity and are acting autonomously is fundamental to securing your supply chain.
  8. Seek and consider the available advice and guidance on influence of foreign governments on suppliers and seek to ensure they operate with appropriate levels of autonomy.
  9. Consider if suppliers operate ethically, with integrity, and consistently with international law and human rights.
  10. Build strategic partnering relationships with critical suppliers.

Source: Final Principles, Critical Technology Supply Chain Principles.

Businesses looking to uplift their supply chain and third party risk management practices would do well to incorporate these principles into their policies, supported by a robust framework to facilitate implementation. So what might such a framework look like exactly?

How do the Principles relate to other standards and guidelines?

The Critical Technology Supply Chain Principles are useful as a starting point for businesses which haven’t really focused on this area before when developing their policies or supply chain risk management programs. In my day to day interactions across many industries, whilst domains like cybersecurity are very mature, supply chain risk management is something many businesses have largely overlooked for decades, despite our status as an island nation.

So, if the Principles provide high level guidance, how much similarity is there between them and other commonly cited standards or guidelines focused on developing more holistic programs? And which, if any, standards might be best used by Australian businesses to complement the Principles when building their programs to manage supply chain risk? The following table compares the principles against the main guidelines used in this area:

| CTSCP | ISO 28000 Supply Chain Security Management | SOCI Rules | APRA CPS231 Outsourcing | ANSI/ASIS SCRM.1-2014 |
| --- | --- | --- | --- | --- |
| 1. Identify critical assets & protection requirements | Existing | Not yet finalised | Indirectly | Yes |
| 2. Identify risks | Existing | Not yet finalised | Yes | Yes |
| 3. Design in security | Partial – focus on supply chain, not product protection | Not yet finalised | Yes | Yes |
| 4. Raise awareness | Not directly addressed | Not yet finalised | Not directly addressed | Yes – using ISO 31000 principles |
| 5. Know Your Suppliers & assess their security | Yes | Not yet finalised | Partial | Yes |
| 6. Work with suppliers to increase transparency | Partial | Not yet finalised | No | Yes |
| 7. Encourage suppliers to map and understand extended supply chains | Indirectly | Not yet finalised | No | Yes |
| 8. Consider foreign interference risks to suppliers | Indirectly | Not yet finalised | Not directly addressed | Not directly addressed |
| 9. Consider supplier ESG* & Integrity risks | Not directly addressed | Not yet finalised | Yes | Yes |
| 10. Build partnerships with key suppliers | Yes | Not yet finalised | Yes | Yes |

Author: Paul Curwell, 2022.

*ESG risks: refer to the collection of Environmental, Social and Governance risks faced by public and private sector organisations today. For those new to ESG, this article from MSCI provides a useful introduction. ESG risks include Modern Slavery – see here for my previous post on Modern Slavery, Human Trafficking & People Smuggling (part 1) and here for How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)?

As you can see from the above table, ANSI/ASIS SCRM.1-2014, Supply Chain Risk Management Standard: A compilation of best practices, is one of the more comprehensive references for any business looking to build or enhance its supply chain risk management program. Additionally, note that the Critical Technologies Supply Chain Principles introduce a range of new measures not previously addressed. Managing these risks likely requires new skills for many security practitioners (both cybersecurity and protective security disciplines).


What might implementation and adoption challenges look like?

One observation from me is the interdisciplinary or converged nature of legislation and government policy relating to risk and security that started to emerge with the introduction of the SOCI Act in 2018. There is an increasing emphasis on integrated, enterprise-wide programs which remove the traditional silos that existed between protective security, cyber security and fraud / financial crime, risk and compliance, procurement and operations. Foreign Ownership, Control and Influence – traditionally the domain of Anti-Money Laundering / Counter Terrorist Financing and Trade Compliance – is one example.

Whilst all of these measures are positive and heading in the right direction given the complex threat environment we all now operate in, the question for me is how Australian businesses will respond to guidance such as the Principles and whether they will be embraced and enacted, particularly in Australian industries which have traditionally given their security-related concerns minimal priority. The protection of Australian Intellectual Property (beyond legal protections such as a patent or claiming copyright) is a prime example here. Hopefully our historical Australian attitudes and perceptions of a benign risk environment are evolving given increasing cyber attacks, frauds, and changing priorities for company directors and boards. Only time will tell.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Australia’s Critical Technology and Supply Chain Principles (part 1)

What are critical technologies?

As we move into the fourth industrial revolution and a changing geostrategic landscape the likes of which haven’t been seen since World War II, global society is again forging a new path. Whilst resources and labour have been the currency of previous eras, now it is advanced technology. The ubiquity of most forms of technology mitigates some of the competitive advantage enjoyed by nations and businesses, with the exception of new or niche technology that addresses the needs of 21st century society. In Australia, this class of technology is now referred to as ‘critical technologies’.


The Australian Government has defined critical technologies as those which have been identified as “having a significant impact on our national interest (economic prosperity, national security and social cohesion)”, which the Australian Government has set as its baseline. Whilst some technologies on the list have implications for defence and security, the Action Plan acknowledges these technologies often have broader applications (i.e. they are what is referred to as ‘dual use’ goods or technologies).

Key terms used in the policy documents

  • Critical technologies – Current and emerging technologies that have the capacity to significantly enhance or pose a risk to our national interest (prosperity, social cohesion or national security).
  • Emerging technology – Technologies that are currently developing, or that are expected to be available within the next five to ten years.

Critical technologies are exposed to some unique risks

Many of the risks associated with critical technologies have been widely publicised in recent years, ranging from efforts by the US Government to purchase more rare earth resources after a buying spree by the Chinese government (see Scheyder, 2022), through to methods of Intellectual Property theft occurring under the guise of technology transfer (see my previous post). However, it’s worth recapping the key critical technologies risks as listed in the Blueprint:

  • Lack of competitive and diverse markets
  • Highly geographically concentrated supply chains
  • Critical infrastructure interdependencies
  • Creation of an increased cyber threat surface
  • Influence of foreign actors on international technology standards development which may run contrary to Australia’s values and objectives
  • Undermining institutional integrity through mis- and dis-information operations
  • Exploitation of Australian knowledge – such as through economic espionage or foreign interference

Each of these presents its own set of risks, which are not purely a problem for government to manage. Industry owns the asset and, with limited exception, industry is responsible for managing those risks. The challenge for many Australian businesses is that these risks are quite unique in nature, and require a specialist set of skills and knowledge to manage which is not readily found in the Australian market. Stay tuned for Part 2 of this post which will go into these risk management steps in relation to supply chain integrity and security in more detail.




Enter November 2021 and the release of Australia’s Critical Technology Blueprint and Action Plan

When the consultation drafts first came out for critical technology in 2020, my first question was: which technologies are we actually referring to? When it comes to risk management, knowing what comprises your critical assets is a prerequisite to safeguarding them effectively.

With the release of Australia’s Critical Technologies Action Plan by the Critical Technologies Policy Coordination Office (CTPCO), Australia’s critical technologies are now clearly defined. The Action Plan identifies 63 technologies across seven disciplines, each of which broadly aligns to an Industry Sector.

So what are Australia’s Critical Technologies?

  • Additive manufacturing (incl. 3D printing)
  • Advanced composite materials
  • Advanced explosives and energetic materials
  • Advanced magnets and superconductors
  • Advanced protection
  • Coatings
  • Continuous flow chemical synthesis
  • Critical minerals extraction and processing
  • High-specification machining processes
  • Nanoscale materials and manufacturing
  • Novel metamaterials
  • Smart materials
  • Advanced data analytics
  • Advanced integrated circuit design and fabrication
  • Advanced optical communications
  • Advanced radiofrequency communications
  • Artificial Intelligence (AI) algorithms and hardware accelerators
  • Distributed ledgers
  • High performance computing
  • Machine learning (incl. neural networks and deep learning)
  • Natural language processing (incl. speech and text recognition and analysis)
  • Protective Cyber Security Technologies
  • Biological manufacturing
  • Biomaterials
  • Genome and genetic sequencing (Next Generation Sequencing)
  • Nanobiotechnology
  • Nanoscale robotics
  • Neural engineering
  • Novel antibiotics and antivirals
  • Nuclear medicine and radiotherapy
  • Synthetic biology
  • Vaccines and medical countermeasures
  • Biofuels
  • Directed energy technologies
  • Electric batteries
  • Hydrogen and ammonium for power
  • Nuclear energy
  • Nuclear waste management and recycling
  • Photovoltaics
  • Supercapacitors
  • Post-quantum cryptography
  • Quantum computing
  • Quantum sensors
  • Quantum communications (including quantum key distribution)
  • Advanced imaging systems
  • Atomic clocks
  • Gravitational-force sensors
  • Inertial navigation systems
  • Miniature sensors
  • Multispectral and hyperspectral imaging sensors
  • Magnetic field sensors
  • Photonic sensors
  • Radar
  • Satellite positioning and navigation
  • Scalable and sustainable sensor networks
  • Sonar and acoustic sensors
  • Advanced aircraft engines (including hypersonics)
  • Advanced robotics
  • Autonomous systems operation technology
  • Small satellites
  • Drones, swarming and collective robots
  • Space launch systems (incl. launch vehicles and supporting infrastructure)

Many of the risks associated with critical technologies will be managed through existing regulatory frameworks

The Action Plan outlines the policy levers – including economic, national security and diplomatic levers – available to the Government to manage critical technologies in Australia’s national interest and in accordance with Australian values. The Australian Government has committed to “ensure all actions to protect and promote critical technologies are proportional, targeted and sustainable”.

To this end, the Action Plan presents four policy response categories available when pursuing actions on critical technologies, as shown in the figure below:

A response framework for critical technologies – in The Action Plan for Critical Technologies

The Action Plan also conveniently provides a map of the Australian Government’s “comprehensive suite of recent actions to promote and protect critical technologies across all four policy response categories”:

Government actions to promote and protect critical technologies – in The Action Plan for Critical Technologies

As you can see, many of Australia’s actions to promote and protect our critical technologies are already in place, meaning the introduction of new regulation or initiatives affecting industry should be minimal. Some of these fall within the scope of what I write on here at ForewarnedBlog.com – follow me for future posts on the Foreign Interference Guidelines, Supply Chain Resilience Initiative, changes to export control regulations and trade compliance (i.e. the Defence & Strategic Goods List), and foreign investment restrictions for critical technology (including what is referred to as Foreign Ownership, Control and Influence or FOCI). Part 2 of this post will focus on one new announcement, the Critical Technology Supply Chain Principles.

Part 2 – Critical Technology Supply Chain Principles

With a good understanding of the policy landscape and assets requiring protection, Part 2 of this post looks at what this means for the protection and integrity of critical technologies, supply chains, IP and products.

Further reading


Natural Hazards and Accidents, and their intersection with physical threats

Author: Paul Curwell

Introduction

With the impending passing of the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (referred to as SOCI, or Security of Critical Infrastructure) in the Australian Parliament, and the Department of Home Affairs working through definitions of the Rules which prescribe the requirements for critical infrastructure operators around integrated risk management, there is a lot of movement and discussion underway within Australia’s expanded eleven critical infrastructure sectors to ensure readiness to comply with the new legislation.

As it currently stands, the legislation refers to “physical and natural hazards” which is out of alignment with terminology used in various Australian / New Zealand and International Standards (ISO). When it comes to physical threats and hazards, there are effectively three categories:

  • Physical threats – pertain to security risks and are caused, ultimately, by humans. The difference between physical threats on the one hand and natural hazards and accidents on the other is intent to do harm or otherwise impact the ‘security’ of something. These are generally assessed via a ‘Threat and Risk Assessment’ or ‘Security Risk Assessment’.
  • Natural hazards – are those which derive from nature (sometimes referred to by insurers as ‘acts of god’). These are generally assessed using different techniques, such as risk bowties.
  • Accidents – includes industrial accidents and similar events which can have the same / similar impact as natural hazards but are caused by humans, rather than nature. There is a possibility that what appears as an accident might actually be caused by a physical threat, such as an insider seeking to perpetrate an act of workplace sabotage or terrorism.

In my work, I primarily focus on risks with a root cause in national security or crime, as opposed to working on business continuity generally. I regularly encounter situations in my work with clients where I am requested to assess natural hazards (including accidents) and physical threats using the same underlying risk assessment methodology.

Whilst you can aggregate the results of risk assessments against physical threats with natural hazard and accident risk assessments (some of which have a close relationship to occupational health and safety or Health Safety Environment risk management), trying to apply the same underlying risk assessment methodology on an asset by asset or site basis is not leading practice.


Types of Natural Hazard

So what is a hazard anyway? A hazard is defined by ISO31000 as “a source of potential harm” and is different to a risk. In fact, hazards and physical threats both cause risk events if controls to prevent their occurrence either do not exist or are inadequate. Have a read of this excellent article from the team at Broadleaf Capital International if you want more information.

For the purposes of this article I have used the Centre for Research on the Epidemiology of Disasters (CRED) EM-DAT taxonomy, an excellent resource, which records 17 types of natural hazard across 6 categories:

| Natural Hazard Category | Natural Hazard |
|---|---|
| Geophysical | Earthquake, Dry mass movement, Volcanic activity |
| Meteorological | Extreme temperature, Fog, Storm |
| Hydrological | Flood, Landslide, Wave action |
| Climatological | Drought, Glacial Lake Outburst, Wildfire (bushfire) |
| Biological | Epidemic / Pandemic, Insect infestation, Animal accident |
| Extraterrestrial | Impact event, Space weather |

CRED EM-DAT General Classification (emdat.be/classification)

You will recall that the core risk assessment methodology focuses on Consequence (or impact) and Likelihood. When assessing Likelihood, or the chances of a natural hazard arising, you need to determine whether your asset is in a geographical area impacted by that given type of hazard. There are two main considerations here:

  • Regional geographical factors – this relates to where your asset is situated on the planet and is something you can’t readily influence. If your asset lies within an earthquake or cyclone (hurricane) prone zone, this increases the likelihood of the risk.
  • Local geography – is more specific to where exactly your asset is sited. An asset situated at the bottom of a deep valley is likely to be more prone to flooding than an asset situated at the top of a hill.

Governments and scientific research organisations all publish data on natural hazards which informs their likelihood. Some produce complex scientific models which can also be used to help understand factors such as when a natural hazard might arise, where exactly it will impact within a given geographical area, and how severe it might be. For many natural hazards, there are underlying indicators which are monitored by governments and research centres that provide advance warning of an impending natural hazard. One example here is the amount of dry fuel load in the case of bushfire risk. You can quickly locate relevant data for your risk assessments with the help of Google, most of which is free.


Accidents

For the purposes of any risk assessment, the second main category of hazard is that of accidents. Sometimes, this category is referred to as ‘manmade accidents’ as the cause of an accident is effectively poor controls, human error, negligence etc – all of which are foreseeable and theoretically preventable. The key difference between accidents and physical threats is intent. A worker at a chemical plant might accidentally drop a barrel which results in a chemical spill (an accident), or they could intentionally empty a barrel of chemicals to, for example, commit physical sabotage in the workplace (an ‘insider threat’).

Where accidents such as those outlined below are possible, it is not sufficient to simply address these from a safety or HSE perspective. Physical threats (in the form of insider threats) could intentionally cause one of these events which might pass undetected as an ‘accident’. A complete assessment of physical threats will reflect this.

| Technological Hazard | Accident type |
|---|---|
| Industrial Accident | Chemical spill, Collapse, Explosion, Fire, Gas leak, Poisoning, Radiation, Oil Spill, Other |
| Transport Accident | Air, Road, Rail, Water |
| Miscellaneous Accident | Collapse, Explosion, Fire, Other |

CRED EM-DAT General Classification (emdat.be/classification)

Further Reading
