Industry faces close to $10bn in SoCI costs – Security
Five industries will bear almost all of the $9.9 billion-plus cost of gearing up to meet infrastructure security rules announced yesterday by cyber security minister Clare O’Neil.

Owners of critical infrastructure now have to comply with the risk management program (RMP) obligation, the final “positive security obligation” covered by the Security of Critical Infrastructure Act (SoCI).

According to an assessment by the Office of Impact Analysis [pdf], the ongoing costs of the program will total just over $9.9 billion, and when one-off costs are included, the cost over 10 years will be $11.5 billion.

The bulk of the costs will fall on owners of electricity assets, gas assets, water assets, data processing or storage assets, and hospitals.

Combined, those industries will spend nearly $1.04 billion a year in ongoing costs over 10 years.

The other sectors covered by the program are broadcasting and domain name; financial market infrastructure; liquid fuels; energy market operators; freight infrastructure and services; and food and grocery. They face a total of just over $113 million in annual costs.

The top three (electricity, data processing and hospitals) alone will foot an $821 million ongoing annual bill over 10 years.

Under the RMP, in force since February 17, critical infrastructure owners must identify hazards that put an asset at “material risk”; minimise or eliminate that risk “so far as it is reasonably practicable to do so”; and mitigate the impact of a hazard on the asset.

Those hazards are both physical and cyber, and may affect an asset directly or indirectly. For example, extreme weather may have a direct impact on gas infrastructure, but it may also drive up energy usage and so put that infrastructure under additional pressure.

Infrastructure operators have six months to prepare an RMP, and 12 months to achieve compliance with the cyber security framework identified in their RMPs.

From the 2023-2024 financial year, entities will also be required to prepare board-approved annual reports declaring their ongoing compliance with the program, disclosing whether their infrastructure experienced a relevant hazard in the year, whether there were any variations to the RMP, and whether the mitigations outlined in the RMP were effective.
