All Roads Lead to SOCI: Adapting to the SOCI Act

17 October 2024 • 13 min read

The following is a transcription of Episode 5 of our All Roads Lead to SOCI podcast series.

Host and Maddocks Senior Associate, Hemant Vijaykumar, is joined by Jamie Morse, Head of Industry & Policy, and James Rabey, Principal Consultant Government, both of Macquarie Technology Group, who share the lessons and insights they have learnt from the process of adapting to the SOCI Act.

Hemant Vijaykumar: Under the SOCI Act, responsible entities for critical infrastructure assets must have, and comply with, a risk management program which supports the entity to identify and, as far as reasonably practicable, minimise or eliminate material risks that could impact the asset. What risks has Macquarie Technology identified in its risk management program, and what steps is it taking to minimise or eliminate such risks, including within its supply chain?

Jamie Morse: Well, to unpack that, because there's a bit to unpack, it's probably relevant just to give you a little bit of information about our organisation. We're four business units (BUs): telecommunications, cloud services, data centres and government. Because we are a telco provider with a critical infrastructure asset, and because we build data centres that house Federal Government data, we are a system of national significance. And notwithstanding our cloud capabilities, we're hosting hyperscalers. We've got tentacles, if you like, into the SOCI regime here, there and everywhere.

In terms of answering your question, we've had to map out a risk management profile BU by BU. That profile exists in terms of both physical risk and digital or cyber risk. The process we've gone through to identify what those risks are has been relevant to both the service profile that we provide to different customers through each of those business units and the customers that we are servicing within each of those business units. Layered into that are our obligations to stakeholders, including Federal Government regulatory bodies, in terms of how we interact and continue to communicate through relevant incidents, and obviously how we respond to each of those incidents, be they impacting us physically or impacting us in the digital space.

James Rabey: Look, the risk profile, there are common elements to that across the business, and then there are ones specific to each business unit as well. I work for the government business unit, so the threats that are facing us are the threats that are facing government as well. That means that when we've adopted our risk management program, there's a compliance piece – we have to be as compliant as a government department to the PSPF (Protective Security Policy Framework) as well as the Information Security Manual and the Essential Eight.

That really guides how we implement those security controls as a critical asset owner. Now, the thing is, the other business units could choose something else, a MO or one of those other frameworks that we've talked about before, because that's applicable to both the assets they're protecting and the customers that they're protecting. Those controls may be described differently, but there are a lot of common elements there as well.

It can be really confusing to unpick all these different frameworks, but there's a lot of commonality around them, and they're also often very practical. We shouldn't be seeing this as a box-ticking exercise that has no practical benefit. I'll give the Essential Eight as an example. Every time you go up a maturity level with the Essential Eight, you are hardening and uplifting your cyber security. You are minimising and mitigating those threats.

Hemant Vijaykumar: That all makes sense from a cyber risk mitigation point of view. Now, talking about some of the personnel risks, we noticed there's some, well, a lot of security to get into the data centres. Maybe we can drill down to some of the specific nuts and bolts here, to give the audience an example of the types of infrastructure that go into building the data centre to prevent security issues from happening. In a previous episode, we talked to Hayden about what the data centre looks like, and when chatting to him, he gave me an example that the gates around the servers were so small, well, the holes in them, that USBs couldn't be passed through. Are there other things that would be interesting to know that you could point to that would prevent personnel risks?

James Rabey: Yeah, sure, absolutely. I think before we've talked about multi-factor authentication, and that access, as you get into the more secure areas of this data centre, becomes more stringent. Something I am, which is my fingerprint; something I have, which is my security card; something I know, which is a PIN number, for example, just to get through some of those people traps as well. I think we've also mentioned that up at the higher security classifications you actually need to create a Faraday cage. You've talked about the cage being so small that you can't get a USB key in. Well, how about a virtual cage that stops mobile phone traffic or any other traffic as well, to secure that?

We've got that capability here to do that, and probably more importantly, when we talk about the risk management plan, bringing that back to SOCI, there are four areas. We talk about physical security, we've talked about personnel security, we've talked about supply chain, probably not enough about supply chain hazards and securing those, as well as cyber security, which we've probably focused a lot on in this series. Going back to supply chain security, particularly on the government side of things, we only work with supply chain partners that fit with what they call common criteria. Really, the government has vetted their technology organisations, where possible ones that are sovereign, just like us, so that they, and the services that they provide, remain under Australia's control at all times, and their staff need to be vetted to the appropriate level as well. Keeping that consistent across those other three vectors for your supply chain is really important.

Just to add to all of that, there are also some very practical measures that go into the construction of data centres such as this. For instance, our 'Zone Four' facility in Canberra, that's ASIO-rated 'Zone Four'. It's constructed with a wire mesh, a steel mesh, throughout the superstructure, if you like, such that you couldn't actually penetrate it even from the roof: if you cut through the roofing, you're going to hit this steel mesh, so you couldn't physically get through there. They are constructed not only to be very robust, but also to be basically impenetrable. If you were eager or so inclined to try and break in and exfiltrate data, well, it would be impossible to do so in that instance.

Aside from all those physical elements that we talked about, a lot of the data that is protected or held within our data centres has to go through a defence-in-depth network, right? A series of appliances that not only look for malicious patterns, but work together to correlate all that data so that we can see not just one pinpoint attack on a customer's data set, but see that as part of an overall coordinated attack, and be able to block that. One of the things that we have, in terms of just the breadth of customers that we protect, is that when we see a threat in one customer and work out how to block it, we can immediately apply those blocks straight across all of our other customers as well, so they get protected from the threat even before it hits them. The tech behind that, the security incident and event management and security orchestration and automation platforms that sit behind it, all work together to be able to do that in millisecond time. In traditional operations, where you've got a human being looking at and responding to an alert and having to pull things together, it can take days, and by that time the damage has been done.

Hemant Vijaykumar: Very fascinating. Thank you, James and Jamie for that insight into the risks that Macquarie Technology's handling. Talking about technology, technology is changing rapidly, as we all know. What do you think the future holds for Macquarie Technology's data centres in Australia? Does the fact that it onshores data affect your answer?

Jamie Morse: It's certainly core to our offer, and certainly central to the work that we do with our Federal Government customers, that we are onshore, and that we are able to provide the Federal Government with certain assurances as to the ownership and the controls that are in place in relation to the physical data centres, the land on which the data centres are constructed, and the management and control of the business behind all of us who are operating our data centres, all of which is Australian.

It gets me out of bed every morning to want to work for an organisation that is proudly Australian and supporting and protecting Australian sovereign data. Insofar as that is concerned, as I say, that's core to our offer, and doubling down on the investment that we are making into building more centres such as this one underscores that commitment.

Hemant Vijaykumar: And given the speed of technology advancements and increased cyber threats, how quickly do you think we need to move to increase regulation?

Jamie Morse: Yeah, it's a great question. I don't think that regulation should be designed to address point problems, or the problems of the day, from a technology perspective. I think regulation needs to be frameworks, such that they can be applied to respond to, as you've rightly described, an ever-evolving threat. But I think that technology's got a really important role to play in how we are responding to those changing threats.

But from a regulatory perspective, I think regulation really needs to follow the kind of game-changing technology uplift that we are now in the midst of. And I think that certainly the regulators that I speak to are aware of this. Where it was cyber in the last five years that we're now, you know, regulating such that we can have confidence in Australia's digital networks and systems, the next one will be AI, and the Federal Government is already moving to consult and develop frameworks that will respond to that next evolution. And after that, no doubt it'll be quantum, and we'll go through similar exercises to develop regulation that will be right-sized for the Australian environment when that technology is upon us.

Hemant Vijaykumar: As a lawyer, I've certainly noticed that regulators are definitely behind the increasing speed of technology advancements. So, Jamie and James, just a take-home message for our listeners: how can organisations prepare themselves in relation to SOCI?

Jamie Morse: Well, I think it's probably an environment where, first and foremost, and I think we've spoken about this before, you just educate yourself and your organisation on what compliance with SOCI looks like for critical infrastructure organisations that are swept up under the regime. Even if you're not one of those organisations, but particularly if you're an organisation that is supplying into a critical infrastructure organisation, then you really do need to get across what their obligations are, because A, they're your customers, and B, you may also be swept up in that regime by virtue of your critical supply into a critical sector. That's the first point I'd make.

The second point I'd make, which sort of correlates to that, is that SOCI has been designed to be reviewed every two years, and the prospect of it being extended into other sectors, deeper into supply chains, is very real. Again, I would just encourage organisations to educate themselves on what compliance looks like for SOCI, and to partner with organisations who are in compliance with SOCI, such that you can avail yourself of their expertise and their security bona fides.

James Rabey: Following on from what Jamie was saying, I think one of the things that you can do that's practical but very meaningful is to create a positive security culture within your organisation.

We've talked about technology, we've talked about regulations, we've talked about controls. A lot of those things have to be put in place because human beings, all of us, are still the weakest link in the cyber chain. The most effective uplift that you can do is to have all of your colleagues and your supply chain, and if you're a supply chain member yourself, all of your downstream supply chain, just think security, just like you should be thinking privacy, right? The information that you hold on behalf of your clients is extremely valuable to them, and you should be treating it with the level of care that you would for anything valuable that was put in your trust.

Hemant Vijaykumar: So that ends the series, 'All Roads Lead to SOCI'. You've given us a lot to think about on how we can better prepare our data for future security threats in order to protect critical Australian infrastructure assets, and I hope our audience has gained valuable insights from both of your ideas and lessons.
