Industry faces close to $10bn in SoCI costs

Five industries will bear almost all of the $9.9 billion-plus cost of gearing up to meet infrastructure security rules announced yesterday by cyber security minister Clare O’Neil.

Owners of critical infrastructure now have to comply with the risk management program (RMP) obligation, the final “positive security obligation” covered by the Security of Critical Infrastructure Act (SoCI).

According to an assessment by the Office of Impact Analysis [pdf], the ongoing costs of the program will total just over $9.9 billion, and when one-off costs are included, the cost over 10 years will be $11.5 billion.

The bulk of the costs will fall on owners of electricity assets, gas assets, water assets, data processing or storage assets, and hospitals.

Combined, those industries will spend nearly $1.04 billion a year in ongoing costs over 10 years.

The other sectors covered by the program are broadcasting and domain name; financial market infrastructure; liquid fuels; energy market operators; freight infrastructure and services; and food and grocery. They face a total of just over $113 million in annual costs.

The top three (electricity, data processing and hospitals) alone will foot an $821 million ongoing annual bill over 10 years.

Under the RMP, in force since February 17, critical infrastructure owners must identify hazards that put an asset at “material risk”; minimise or eliminate that risk “so far as it is reasonably practicable to do so”; and mitigate the impact of a hazard on the asset.

Those hazards are both physical and cyber, and represent both direct and indirect hazards. For example, extreme weather may have a direct impact on gas infrastructure, but it may also result in increased energy usage that puts the infrastructure under pressure.

Infrastructure operators have six months to prepare an RMP, and 12 months to achieve compliance with the cyber security framework identified in their RMPs.

From the 2023-2024 financial year, entities will also be required to prepare board-approved annual reports declaring their ongoing compliance with the program, disclosing whether their infrastructure experienced a relevant hazard in the year, whether there were any variations to the RMP, and whether the mitigations outlined in the RMP were effective.
