The Commonwealth of Australia just issued its Critical Infrastructure Risk Management Program (CIRMP) requirements. (1) Covered entities have until August 18, 2023, to start the implementation process. This piece looks at the CIRMP requirements.

Purpose

The purpose of the requirements is to provide guidance to organizations which have responsibility for critical infrastructure in the development of a CIRMP.

What Is A CIRMP?

A CIRMP is a program which details the requirements with which an infrastructure responsible organization must comply. There are three key requirements.

1. To identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset.
2. So far as reasonable to do so minimize or eliminate any material risk of such a hazard occurring.
3. So far as practicable to do so to mitigate the relevant impact of such a hazard on the asset.

Who Are The Infrastructure Responsible Organizations?

The list of infrastructure responsible organizations is extensive. Below are listed the types of organizations which, if they have one of the following, must develop a CIRMP.

• A critical broadcasting asset.
• A critical domain name.
• A critical data storage or processing asset.
• A critical electrical asset.
• A critical gas asset.
• A designated hospital.
• A critical food or grocery assets.
• A critical liquid fuel asset.

Subject Matter Categories For CIRMP Reporting

The are five subject matter categories which must be considered when meeting the CIRMP reporting requirements. These subject matter categories are as follows.

1. General – all hazards. This category sets out the general processes or systems that must be established. They include identification of operational context, identification and mitigation of material risks and review and update of the CIRMP.
2. Cyber and Information Security Hazards – This covers hazards involving improper access or misuse of information or computer systems, or use of a computer system to obtain unauthorized control of or access to critical infrastructure assets that might impair it functioning.
3. Personnel Hazards – This covers the “trusted insider” risk posed by critical workers who have the access and ability to disrupt the functioning of the asset or to cause significant damage to the asset.
4. Supply Chain Hazards – This covers the risk of disruption to critical supply chains leading to a relevant impact on the critical infrastructure asset. It also includes over-reliance on a particular supplier.
5. Physical Security Hazards and Natural Hazards. – This over physical security and natural disaster risks to parts of the asset which can be critical to the functioning of the asset. (2)

Reporting Under Material Risks Category

An example of the types of risks that must be reported under the Material Risks category is below. It exemplifies the information requirements for each category.

• A stoppage or major slowdown of the asset’s functioning for an unmanageable period.
• A substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the critical infrastructure asset.
• An interference with the critical infrastructure asset’s operating technology or information communication technology essential to the functioning of the asset.
• The storage, transmission, or processing of sensitive operational information outside Australia.
• Remote access to operational control or operational monitoring of critical infrastructure systems assets. (3)

Discussion

In many ways Australia is a head of the United States and other countries in critical infrastructure risk management requirements. CIRMP is a prime example. It covers a wide swath of business organizations, such as, broadcasting, data storage or processing, electricity, gas, hospitals, food or grocery, and liquid fuel which have responsibility for aspects of critical infrastructure.

The CIRMP requires these private sector organizations to implement a risk management program. This program means an organization must identify and report on any risk which might cause interference with the critical infrastructure, remote access to operational control or operational monitoring of critical infrastructure systems assets, or a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the critical infrastructure asset. In addition, the organization must establish and maintain within the CIRMP a process for mitigating the adverse impact associated with the risk.

While not specifically stated. The requirements of risk identification and mitigation, along with the five risk categories that must be covered, effectively mandate that critical infrastructure organizations adopt Enterprise Risk Management.

Since Australia is one of the first nations to formally mandate a critical infrastructure risk management plan, the CIRMP is likely to become a model for other governments around the world. As more critical infrastructure risk management plans, like Australia’s are implemented, the use of ERM will spread.

Endnotes

1. Minister for Home Affairs, 2023, Explanatory Statement: Security of Critical Infrastructure Act 2018, https://www.legisation.gov.au/Details/F2023600112/Download.
2. Cheng Lim, Kirsten Bowe and Intan Eow, 2023, The Risk Management Program Rules Under the SOCI Act Have How Come Into Force, Lexology, February 20, https://www./exology.com/library/detail.aspx?g=f9388368-46ao-b106-1edb22bc75.
3. Minister for Home Affairs, 2023 op cite page 7.

BIO

James J. Kline, Ph.D., CERM, He has worked in federal, state, and local government. He has authored numerous articles on quality in government and risk analysis. His book Enterprise Risk Management in Government: Implementing ISO 31000:2018 is available on Amazon. He is also the editor of Quality Disrupted. It is also available on Amazon. He can be reached at jamesjk1236@outlook.com.