Australian organisations must now show they can work within SoCI laws
Within months, it won't just be about having plans on paper; organisations subject to SoCI laws that experience a cyber incident will face a significant test of their operational response capability.
Australia is approaching a key milestone in the multi-year process to get to grips with the ransomware pandemic that is severely testing, and in many cases crippling, many of the country's top infrastructure operators and largest commercial brands.
Approaching swiftly is the end of the final grace period for compliance under the Security of Critical Infrastructure (SoCI) laws, which closes on August 18. From that date, organisations must demonstrate compliance with one of a set number of cybersecurity frameworks, such as ISO27001, the Essential Eight (E8) or NIST.
Importantly, compliance will need to be continuously met and demonstrated. That means that as the frameworks are updated in line with emerging security risks and concerns, organisations subject to SoCI will need to make the requisite changes on their end, and to document those changes in a written critical infrastructure risk management program (CIRMP).
A second key date is September 28, which is when organisations must submit an annual report to the government on the status of their CIRMP, including variations made or additional hazards discovered over the previous 12-month period.
A third date on organisations' radars should be the changing role of the Cyber and Infrastructure Security Centre (CISC), which will move from an "education and awareness raising" posture to one of compliance checks and enforcement. This change officially takes effect in the new financial year, but - in line with the other dates - it will practically mean that SoCI compliance starts to receive close regulatory oversight from October.
These dates won't come as a surprise to any organisation that is under the SoCI laws.
But the practical impacts of having all of the rules in force have organisations checking and re-checking their postures, preparedness, technology enablement and support systems to ensure everything is ready for them to meet these key milestones in the SoCI journey.
In addition - and perhaps more importantly - affected organisations are now moving from a phase of documenting their preparedness to knowing and showing they can put these documented actions into practice.
The focus now shifts to understanding the operational impacts of SoCI and the gamut of potential obligations or interventions that could be invoked in the event of a cyber incident.
How smoothly these first incident responses under SoCI run - with government authorities becoming a key part of the response mechanism - will come down to how well SoCI rules are operationalised, embedded and understood by organisations, and how well-prepared the people, processes and technology are to adjust to this revised response model.
The system capability needed to support a new SoCI-led IR model
Organisations can meet some of their SoCI requirements by working in partnership with their security vendors or managed service partners.
Organisations need to understand the importance of cybersecurity and the specific steps they must take; purchased products and external expertise can be used to meet some of these requirements.
A robust incident program is required to identify, protect against, detect, respond to and recover from potential cyber attacks across networks, personal systems, cloud infrastructure and data.
Organisations that come under SoCI laws can benefit from having systems, as well as managed detection and response services, that can contextualise and correlate telemetry data from assets and that use AI-powered analytics to anticipate threats, manage vulnerabilities and protect critical infrastructure assets.
Ideally, organisations should invest in SOC and IR platforms that leverage AI to autonomously protect against breaches and allow humans to be more effective during review and investigation. This is a pivotal shift in IR operations: being on the front foot instead of constantly playing whack-a-mole with intrusions.
In addition, incident responders will need to be able to easily collect forensic artefacts, automatically deploy incident response tools, and more, to accelerate investigation and response. How this works operationally will be critical, because the incident responders may be a mix of internal, technology partner and government-backed personnel and resources. Advances in generative AI will help to quickly upskill staff with varying levels of experience.
Having effective, systematised ways to keep the expanded incident response mechanism and team on the same page, and able to contribute to a successful mitigation and remediation outcome, is crucial to the success of a SoCI-led incident response mechanism and model.
https://www.cisc.gov.au/how-we-support-industry/regulatory-obligations
If every Australian organisation across the breadth of industries impacted by SoCI - from communications, food and grocery and financial services, to healthcare, transport and utilities - does its part in adopting AI-powered platforms while documenting and operationalising compliance with security standards and best practices, there is the potential to significantly uplift Australia's overall resilience to damaging cyber attacks.
The timing is critical. While Australian organisations of all sizes continue to experience cyber incidents, it's the incidents that impact the largest companies or the most sensitive sectors that cause the most concern.
The rolling commitment of players in these critical sectors to positive security obligations - to meet accepted security standards, to report incidents in a timely fashion and accept assistance - is a game-changer for Australia, as well as being broadly in line with the direction being taken by other jurisdictions such as the United States.
Being ready on paper and in practice is the key to genuine preparedness.