Tensions involving Iran and disruptions in the Strait of Hormuz have put pressure on global supply chains. For Australia, this matters because we rely heavily on many imported materials. The federal and state governments are implementing measures to respond to the situation, particularly in relation to the supply of fuel, including steps as diverse as:
- A four level National Fuel Security Plan to manage supply chain pressure.
- The establishment of a Liquid Fuel Emergency Operations Centre in Parramatta by the NSW Government to map supply chains, track shortages and co-ordinate with industries.
- The purchase of an additional 4 million litres of diesel by the WA Government from alternative suppliers.
- Free public transport by the Victorian Government until the end of May to reduce fuel usage.
Despite this, the supply chain disruption of fuel and other essential materials remains a high risk.
For organisations covered by the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), this situation is a practical reminder to keep your risk management up to date and working effectively.
CIRMP – Supply Chain Hazards
The SOCI Act applies to critical infrastructure in the following 11 industry sectors: communications, data storage/processing, defence, energy, financial services/markets, food/grocery, healthcare/medical, higher education/research, space technology, transport, and water/sewerage.
If your organisation is a Responsible Entity for a critical infrastructure asset, there are a few key things you need to do in light of the current volatility in global supply chains.
Under s30AC of the SOCI Act, most Responsible Entities are required to adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP) that documents material risks and mitigation measures that -are in place or being developed for those risks.
Under s10 of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 (SOCI Rules), “Supply Chain Hazards” is one of the four hazard categories that must be specifically addressed within your CIRMP.
Key point: review your CIRMP to ensure there is adequate consideration of supply chain disruption, including fuel shortages or other materials that may affect your production or distribution, and appropriate controls.
Mandatory cyber incidents reporting
The volatile geopolitical situation and global conflict has also resulted in increased cyber risk for Australian organisations. CI-ISAC, an Australian industry organisation focused on enhancing cyber resilience across the 11 critical infrastructure sectors, has increased Australia’s cyber threat level to “Elevated”.
Under Part 2B of the SOCI Act, Responsible Entities of certain critical infrastructure assets must provide a report to the Australian Cyber Security Centre (ACSC) of cyber security incidents within 12 hours (for incidents with a significant impact) or 72 hours (for all other incidents with relevant impact). Failure to report attracts a civil penalty.
Key point: follow guidance from relevant bodies such as the Critical Infrastructure Security Centre, ACSC and CI-ISAC regarding elevated cyber security risk associated with the current geopolitical conflicts. In addition, review the adequacy of both your preventative and detective controls relating to cyber risk and have a process in place for identifying and reporting any cyber incidents to the relevant authorities.
How Coleman Greig can assist
The SOCI Act requires relevant Responsible Entities to undertake a review of their CIRMPs at least annually and to ensure that it remains up to date. Now is a good time for Responsible Entities to review their CIRMPs, controls, and processes to ensure they consider current global volatility.
At Coleman Greig, we can help you conduct a review of your CIRMP to make sure that your legal obligations under the Act is complied with. For guidance on this process or to discuss what a CIRMP review looks like for your organisation, please contact Coleman Greig’s Commercial Services team.
