All Roads Lead to SOCI: Approaching SOCI

• 06 September 2024 • 17 min read
The following is a transcription of Episode 2 of our All Roads Lead to SOCI podcast series.

Host Sonia Sharma was joined by Jamie Morse, Head of Industry & Policy, and James Rabey, Principal Consultant Government, both from Macquarie Technology Group, to discuss the practicalities of complying with the SOCI Act.

Jamie and James provide valuable insights into how Macquarie Technology Group is supporting its critical infrastructure asset clients and other stakeholders to understand their obligations under the SOCI Act. The episode unpacks some important considerations that responsible entities for critical infrastructure assets, and their suppliers, should weigh in relation to the SOCI Act.

Sonia Sharma: I'm really curious, Jamie, are you seeing customers coming to you saying, “Hey, we're regulated by SOCI. We need help.” What's happening in practice? What are you seeing on the ground when you have a customer who is regulated by SOCI?

Jamie Morse: It's probably not as direct as that, but we are seeing more and more organisations that know they are subject to the regime, the SOCI regime. They are requiring providers, particularly in the data storage and processing sector in which we operate, to be in compliance with that regime as well. It's very simple for us, because we are both SOC-ers and SOC-ing; we are compliant every which way, up ways, sideways and all other ways that you can imagine, and we're able to provide not only confidence to prospects and customers, but even some guidance as to where the compliance regime pertains to the cyber security data space in particular.

What we’ve seen more of in recent months is organisations that are suppliers into critical infrastructure operators, currently, or maybe they are prospecting to become suppliers into critical infrastructure asset owners, or those broader sectors that are covered under SOCI. And with that cohort, there's almost a need for some guidance from us as to what the future may hold for them. We all know that SOCI is required to be regularly reviewed. I think it's every two years the reviews have to begin.

So the prospect of expanding into other sectors in future is very real, and those organisations that have provided services which are currently used by critical infrastructure asset operators and owners, or may potentially be in future – it’s those organisations that have got that sort of question mark over what their obligations under what that regime might look like. They subsequently ask us to give them that peace of mind in terms of how we are storing and protecting their data.

Sonia Sharma: That's so interesting, because that's the same from our perspective. The sorts of questions we're getting are from, you know, the supply chain, the suppliers to critical infrastructure, saying, hey, how does this impact us? So it's really interesting that we're seeing that alignment. And I think what we're also seeing is a maturing of those discussions.

What’s your take on how prepared entities actually are? Our sense is that we have some organisations who are regulated or impacted in some way, you know, maybe they're in the supply chain. Some organisations obviously are really well advanced and very mature. But we consider that many are still in that development stage of compliance. Is that your kind of sense as well? Jamie, where do you see organisations? Are they practically ready?

Jamie Morse: Yeah, very much so. And we talk a lot about cyber security as being the ‘in’ into digital transformation, where there are organisations that are wanting to utilise, you know, a new application, a new SaaS product, that is going to offer them some sort of transformational benefit. In the past, the prevalence has been to go towards the tech, get those productivity dividends. But not enough questions have been asked about security when inviting this or that product in. So a good example here is the recent incident affecting Clubs New South Wales, which purchased an application to help with its digital transformation across its member sites and clubs. And that application was provided to it by a multinational organisation who then utilised their own third party suppliers in an offshore jurisdiction.

That model has obviously, as the situation now has revealed, been fraught with challenges, and as a result, Clubs New South Wales is in the middle of a situation now that is really beyond its ability to control the outcome. Now, what this shines a light on is the vulnerabilities that exist across supply chains, whether they be local or international. And if organisations can't have confidence in how those supply chains actually work from a cyber security perspective, can you really trust them to resolve things from a security perspective? Can you really trust them from just the ability to control an effective outcome across that supply chain? These are really important questions now that organisations in Australia are increasingly asking of themselves, and certainly when they come to us, that has been a really emerging, long discussion that we're having with them: just how we provide services that they can trust, based on the regular governance that we apply to the construction of the services that we offer.

Sonia Sharma: Yeah, I mean those supply chain risks and those third party risks are really emerging as such a key issue, and it's really hard to navigate. Many organisations really don't have visibility or understanding of the risks deep within their supply chains, like beyond, you know, their first supplier, the sub-contractors. A lot of organisations simply don't have that understanding. It's a lot harder to control that when it's offshore.

Jamie Morse: And that's certainly been a focus of the current Minister for Cyber Security and the work that she has done around the Australian Cyber Security Strategy 2023-30, and, you know, that thinking is very much baked into a lot of senior reforms and the SOCI regime and also the forthcoming Cyber Security Act.

Sonia Sharma: It was really amazing to walk through the data centres and actually think about all the data that's stored right here in Sydney. It really blew my mind to be walking through that. It's a really key year for SOCI: responsible entities for specified critical infrastructure assets now must comply with reporting requirements under the SOCI Act for the first time this year. This will include, you know, being able to identify any material cyber, information, personnel, physical security, supply chain or natural hazards that could have a relevant impact on that asset. And from a cyber and information security hazard perspective, can you give us an example of how you've helped minimise or eliminate that risk? You know, perhaps effective network separation is a good example.

Jamie Morse: If you look at that, it's not just network separation, although that is important, Sonia. It's the layers of security appliances you put between those networks; it's actually having multiple devices from multiple vendors that each apply their own unique way of detecting and then blocking a threat.

A classic example is that we've talked before about sandboxing, and it’s not just the filters and the firewalls. Something may not seem like an attack; it looks pretty benign. It's actually exploding that in the sandbox - it might be a PDF file that’s just got some nasty new links - and actually seeing where they go. That is probably the main thing that protects customers. So I couldn't give you a single event where I'd say we helped our customers, because we've got millions of threats every week. So that's what's happening all the time.

Sonia Sharma: It's so important. I think, in my observations, getting that outside help to assess risks matters, because it's impossible to mark your own homework. And a really good example of that was, you know, the Western Australian energy provider Horizon Power, who distribute electricity across the largest geographical catchment of Australia as an energy provider. And in early 2023 they partnered with the ASD to conduct a range of activities to help them examine and test their cyber security posture and controls. And those teams worked side-by-side with ASD experts to help improve threat detection, security event triage and response practice, forensic artifact collection, and to enhance security communication across that whole enterprise.

How important is it to test assumptions about a company's network security, its segmentation practices and vulnerability management, and get that visibility? How important is it to really test that from an outside-in perspective?

James Rabey: Look, I can answer from bitter experience, with the emphasis on the word bitter. So around about 12 years ago, a system that I was responsible for was successfully targeted by a nation-based threat actor. So, you know, to me: don't trust what you said, trust what you see, and probably more importantly, trust what you tested. One of the things we do against our infrastructure is what we call breach attack simulation, where we actually take de-fanged attacks, things like ransomware, and we actually run that through our own systems, on a daily, even on an hourly basis. We do this for some of our customers that are doing sensitive areas of whole data, for some of our most at-risk systems, to actually determine, and not only test the tech I've talked about, but the actual organisation’s own controls and ability to both detect and then block, or at least respond to, those threats as they happen.

Sonia Sharma: James, I just have to backtrack to that bitter experience. How did you feel?

James Rabey: Yeah, I actually felt let down. It was probably the main factor that led to me leaving the organisation. I felt let down by my colleagues, and I was certainly angry at the threat actors who did it. They certainly made a lot of noise about it. It was embarrassing. So when you're operating systems on behalf of a customer, you feel entrusted with their well-being.

Sonia Sharma: Absolutely, and I think it's so interesting: when we talk about cyber security, we talk so much about the tech, but the humans involved in it, and the emotions involved in it, are so high, and that feeling of, you know, letting your customer down, I can really empathise with that. And I think people who are attracted to cyber security have such a degree of wanting to fix problems and help, and I'm so fascinated by not only the tech, but the humans behind cyber security.

Looking at SOCI, at its core, it imposes these three positive security obligations on responsible entities that own critical infrastructure, you know: to register their critical infrastructure assets, mandatory reporting around cyber incidents, and implementing these really important written risk management programs.

Now these are mandatory, and we expect the Australian Government is really going to start hardening its approach to compliance. We know Macquarie Technology Group has been very active in responding to the government's cyber security consultation. Is your sense that we are well and truly moving out of the education and information stage for SOCI, and we're moving into enforcement, Jamie? Is that where we're heading?

Jamie Morse: I wonder if there's some equivalent to the sort of five stages of grief here. You'll be closer to this than I am, Sonia, but when new legislative regimes are put in place, you know, what are the stages that organisations go through? My sense is that we are definitely here in education, and organisations - there are so many affected by SOCI, and rightly so. You know, change is difficult, and organisations which haven't necessarily had to uplift or radically alter their incident response planning and readiness training, they're the ones that I see as having the greatest challenge, and those were the ones that have been expressing the higher levels of anxiety that I've seen in the consultations around the Cyber Act and the reforms to the Security of Critical Infrastructure Act. But I would say I think we're working through that. The people that I speak to are starting to find some confidence in understanding what's going to be required of them. And, you know, I think that's the first step towards reaching the compliance that the Federal Government is expecting of them.

Sonia Sharma: Yeah, and I think that's right, Jamie, those stages of grief that you talked about. What I see work really well is where an organisation has a really good understanding of how they're impacted by the regime and what the requirements are, and then they've mapped out practically what the roadmap to compliance is, who's responsible, what the milestones are in terms of prioritising risk, and they have a really clear plan.

That's where organisations are able to, you know, proactively manage their obligations. I think where you get into trouble is where you're reactive. It's much better to be prepared, have a plan and be really clear about how you're going to implement that.

Jamie Morse: I think that's right. Because, certainly, many of the sectors who are now subject to SOCI have been, for a very long time, very, very mature in how they plan and execute emergency or incident response plans and operations. And many of those sectors are for the first time having to grapple with doing the same in the digital space, where they've been doing it for decades in the physical world, and that has proven quite challenging for some, just that shift – notwithstanding they've invested heavily in many respects over many years to build up the teams responsible for designing and applying that response to physical emergencies and physical incidents.

Sonia Sharma: That's right. So it's like we've got a long history of being able to manage physical security, but the digital space evolves so quickly, and a lot of these organisations or sectors who are regulated just haven't addressed that, because these risks are relatively new, emerging so quickly. And in terms of those mandatory reporting obligations, the reporting time frames, look, they're naturally very tight because the consequences are so significant. So for example, a critical cyber security incident impacting electricity assets' operations and technology, which impacts generation, transmission and distribution of electricity, that's going to be notified to the government within 12 hours after the critical infrastructure owner or operator becomes aware of the incident.

So we're really coming up to the conclusion of grace periods, and we're moving into this sort of mandatory phase, as we say, and part of that is achieving cyber security requirements against recognised frameworks. And there's a number of those, including the Essential Eight, and there's others as well. And that's, you know, that's quickly coming up. How does Macquarie Technology help customers with compliance when it comes to those cyber security requirements against recognised frameworks?

James Rabey: Yeah, look, first and foremost it’s that most of those services are built to deliver against the controls that are within any of those frameworks. So ISO 27001 is probably a classic example of that. But for our government customers, there's also the Information Security Manual (ISM), which has a fair bit of crossover with the institutional level as well. Your cybersecurity responsibilities can never be outsourced; you own that responsibility yourself, but the way that we help our customers is to de-risk and accelerate their retainment of meeting those obligations. And probably more important than that, it's about sustainability as well. Those frameworks harden over time. The reason they harden over time is because the threat landscape hardens.

I'll give you an example: in November, the Essential Eight was hardened around the time to patch a critical vulnerability that was discovered, and so that was done in response to the fact that those vulnerabilities are being targeted by more sophisticated threat actors.

Sonia Sharma: They've been exploited so quickly, right? So you need to change the standards.

Jamie Morse: Absolutely. So what we do is, because we have to do that for all of our customers, we actually lift the services that we do, so we help them with the sustainment of those controls as well. It's one thing to be Essential Eight maturity level two compliant. It's another thing to stay that way, as the controls themselves change, but also things slip over time as well.

Sonia Sharma: And never set and forget, right? It is like constant assurance, constantly looking at the evolution of that evolution, right? And going back to that, you just mentioned the customer, and I know that the customer experience is a core value of Macquarie Technology. There was even a book released about it, and the way that you do that, and how unique that is, the customer experience. And the thing with SOCI is that there's no one-size-fits-all approach, right? While those positive security obligations help strengthen protection around critical infrastructure assets, every owner or operator is going to be at a different maturity level, have different requirements depending on their sector, have different risks. So practically speaking, how does Macquarie Technology deal with that, from a customer’s perspective, dealing with different customers from different sectors? How do you deal with that?

James Rabey: So first of all, it's by working closely with the customer to understand your threats and their tradecraft, which is often specific to your industry and your assets as well.

A lot of our services are designed to be standard, and so what they address is those standard things that are universal across any industry's cyber assets. That then allows each of our customers to focus on those things that are unique, but we also guide them in that, because we get that intel from dealing with other customers like that, and sometimes it's actually a really good approach not to get into your own industry echo chamber, but to learn from the experiences of other industries, particularly those like, say, health and finance, that are so much more generally advanced in their ability and their experience in responding to cyber threats.

Sonia Sharma: Well, thanks so much, James. It's been so interesting to talk about how you've been dealing with this issue with your clients as we move into the next phase for SOCI, and it's been really helpful to understand how Macquarie Technology is addressing SOCI with your customers, and some of the practical considerations for organisations as we lead into this new mandatory phase under the Act.
