Policymakers are repeatedly strengthening risk management requirements for critical infrastructure. But how can Australia’s energy providers navigate this evolving compliance environment?
Cyberattacks on Australia’s critical infrastructure assets are increasing apace: the Australian Signals Directorate tracked a 50 per cent increase in incidents from 2021–22 to 2022–23.
Within the critical infrastructure sector, though, energy assets seem particularly vulnerable. Some of the latest available industry survey data revealed that more than 89 per cent of electricity, manufacturing, oil and gas companies had experienced cyberattacks impacting production and energy supply over the past 12 months.
The regulatory picture
Policymakers have become aware of the deteriorating cyber-environment. Citing the industrialisation of cybercrime as a factor, the 2023–30 Australian Cyber Security Strategy document notes that “Malicious activity targeting Australians through cyberspace continues to grow at an unprecedented rate, with cybercriminals and state-based or state-sponsored actors routinely targeting our networks and data”.
That very same document points to Australia’s “strong legislative and regulatory frameworks”, including the Security of Critical Infrastructure Act 2018 (SOCI Act).
This particular act has seen many changes in recent years, including reforms that took effect in November 2024 with the passage of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (ERP Act).
Of importance for energy providers, the ERP Act increases the government’s ability to respond to a wider range of hazards under an all-hazards approach, not just cyberattacks.
The reform also expands government powers to directly compel regulated entities to modify their critical infrastructure risk management programs, should the program be shown to be seriously deficient.
But what should energy providers do to navigate this evolving picture and ensure ongoing compliance?
Taking a proactive approach
As laws continue to change, policymakers are consistently demanding stronger critical infrastructure risk management programs from industry actors, and digital strategies will be a key to compliance for energy providers.
In particular, integrated resilience software gives the industry the functionality it needs to take a proactive approach to identifying and mitigating material risks across all hazards, using a standardised methodology to bring consistency to risk management programs.
Such digital solutions also give energy providers the threat-intelligence capabilities needed to stay ahead of potential risks to assets and operators. They do so through real-time threat intelligence alerts and situational-awareness dashboards that consolidate feeds from multiple sources and streamline threat detection.
In short, policymakers are ratcheting up the pressure on the critical infrastructure industry. To ensure ongoing compliance, energy providers should look to invest in software like Noggin that helps enterprises meet their obligations, enables their teams to work together to anticipate and manage threats, and supports preparedness activities so they can respond effectively to disruptions and continually learn from the insights gained.
For more information, visit noggin.io