The government’s Cyber and Infrastructure Security Centre (CISC) fielded 47 cyber incident reports from critical infrastructure providers in the first nine months of a new mandatory reporting regime.
Mandatory reporting of information security incidents came into effect for 11 critical infrastructure sectors last year after changes to ‘security of critical infrastructure’ laws, often shortened to SOCI.
The inaugural head of the Australian Cyber and Infrastructure Security Centre (CISC), Hamish Hansford, told senate estimates on Monday that the centre had been ready to start receiving incident reports under the mandatory scheme from April 1 last year.
Providers were given a three-month grace period, until July 8 2022, before mandatory reporting came into full effect.
Now, if they experience an incident with an impact rated as either ‘critical’ or ‘relevant’, they must report it via the Australian Cyber Security Centre (ACSC), which then passes it to the CISC.
“The portal for mandatory cyber incident reporting is hosted by the ACSC within the Australian Signals Directorate, and then as part of that process, people can tick the fact that they’re reporting for their regulatory compliance requirement, and then that is automatically forwarded to the Cyber and Infrastructure Security Centre in Home Affairs,” Hansford said.
“There’s been a steady number of mandatory cyber incident reports tabled into both the ACSC but also given to us as well, to get a true understanding of the nature of successful cyber incidents occurring on critical infrastructure.
“Forty-seven (47) reports have been provided that we say meet the criteria of the mandatory cyber incident report between the period of April 1 2022 and December 31 2022.”
Providers have between 12 hours and 72 hours to lodge a mandatory incident report, depending on the severity.
Hansford said that broadly, a “lot of work” had been put into the implementation of SOCI on the government side; similar large-scale efforts and investments are occurring with industry as well.
Recently, this covered a consultation on the design of a risk management program (RMP), which Hansford described as “a significant body of work really designed to uplift the security settings and the preventative risk management of Australian critical infrastructure.”
Under SOCI, the owner or operator of a critical infrastructure asset “will need to develop RMPs that are endorsed by their board, council or other governing body”, according to documentation.
“The government expects that to be finalised very, very shortly,” Hansford said.
“That’ll have a foundational impact.
“I think for the first time in Australia’s history, we’ll have a critical infrastructure baseline set of security obligations for all critical infrastructure providers, if there’s not otherwise already regulatory obligations in place.”
Hansford said that substantial efforts had also gone into community-building for critical infrastructure operators, particularly those whose systems had been declared as “of national significance”.
“Over the last seven months, we’ve been doing a lot of work with those systems to create a community of the most highly interdependent critical infrastructure in Australia to really look at how do we do exercises so we’ve done a number of planning exercises, including in the last couple of weeks with a major financial entity, as well as state and territory governments,” he said.
“We’ve put in place incident response planning obligations for the majority of those systems of national significance.”
He added that further systems of national significance may be declared in the future. A consultation on the expansion of the list is due out at the end of this month.