Implementing the Critical Infrastructure Risk Management Program
A windfarm may be classed as a Critical Infrastructure Asset depending on its capacity.
After a period of substantial industry consultation the Security of Critical Infrastructure Risk Management Program (CIRMP) was registered under the Security of Critical Infrastructure Act 2018 (SOCI Act) at the end of 2022. This legislation places a substantial obligation on firms that operate assets which fall under the Critical Infrastructure Asset classification.
In the following paragraphs we provide an overview of the main requirements of the new legislation and illustrate them with a recent case study in which a critical infrastructure risk management program was implemented at a solar farm in central NSW.
Deadlines for Action
The rules of the CIRMP come into effect on February 17, 2023. Fortunately for many businesses, there is a six-month grace period that allows affected employers to prepare their risk management plan. An entity’s CIRMP must be signed off by its board.
The plan must be reviewed and reported annually to the Secretary of the Department of Home Affairs and the first mandatory report is due 90 days after 30 June 2024 (the end of the 2023-24 financial year), although the Cyber and Information Security Centre (CISC) is encouraging voluntary submission of an annual report for the 2022-23 financial year.
The deadline for a relevant business entity to be compliant with the Critical Infrastructure Risk Management Program rules is August 18, 2023 for all risk aspects except cyber security, which was granted a one-year extension.
Is your business affected?
The CIRMP details the Critical Infrastructure Assets (CIAs) that are affected by the program. Often the size of the asset is a trigger for compliance; for example, electricity assets over 30 Megawatts capacity are considered CIAs. Here is the summary list:
a critical broadcasting asset;
a critical domain name system;
a critical data storage or processing asset;
a critical electricity asset;
a critical energy market operator asset;
a critical gas asset;
a designated hospital;
a critical food and grocery asset;
a critical freight infrastructure asset;
a critical freight services asset;
a critical liquid fuel asset;
a critical financial market infrastructure asset mentioned in paragraph 12D(1)(i) of the Act;
a critical water asset.
Industry Obligations under the Act
Responsible entities under the Act are required to take an “all hazards” approach to developing the risk management plan for the CIA. This means that they must identify each hazard where there is a material risk that the occurrence of such hazard may impact the availability, reliability, integrity or confidentiality of an entity’s CIA.
Once a hazard is identified the entity must then, so far as it is reasonably practicable to do so, minimise and mitigate the material risk and relevant impact of such hazards. The Act provides specific guidance on the types of hazards that must be identified as a minimum requirement, although there are likely to be many others identified during the risk management process:
Cyber and information security hazards
Supply chain hazards
Physical security hazards and natural hazards
Case study of the hazards identified in a solar farm
As a working example of the application of the legislation, we have provided a recent case study where BWC Safety senior consultants facilitated a series of workshops to identify and assess the risks associated with a 48 Megawatt solar farm in central NSW.
Participating in the workshops were a cross section of key stakeholders and subject matter experts from the relevant functions of the business. Working collaboratively, the group identified the following hazards, along with controls to minimise the risks so far as is reasonably practicable:
Natural Hazards: Solar farms are susceptible to damage from natural disasters such as hailstorms, tornadoes, lightning strikes, and extreme weather events, which can lead to physical damage and downtime.
Environmental Factors: Factors like dust accumulation, bird droppings, and other environmental conditions can reduce the efficiency of solar panels and overall energy production.
Cybersecurity Vulnerabilities: Solar farms rely on digital control systems, and vulnerabilities in these systems could be exploited by cyber attackers to disrupt operations or steal sensitive data.
Theft and Vandalism: Solar panels and related equipment can be targets for theft and vandalism, leading to financial losses and operational disruptions.
Supply Chain Disruptions: Dependence on suppliers for components like solar panels, inverters, and tracking systems can introduce risks if supply chains are disrupted.
Grid Integration Challenges: Connecting to the electrical grid can present challenges in terms of compatibility, grid stability, and regulatory compliance.
Maintenance and Monitoring: Inadequate maintenance and monitoring can lead to performance degradation and reduced energy production over time.
Operational Errors: Human errors in installation, maintenance, or operation can lead to underperformance or damage to the solar farm.
Interconnection Failures: Problems with interconnections between solar panels or equipment can affect the overall performance of the solar farm.
Resource Availability: Availability of sunlight (solar insolation) is crucial for solar energy production, and factors such as cloud cover or shading can impact energy generation.
Land and Permitting Issues: Legal and regulatory challenges related to land use, permits, and zoning can delay or impact the development and operation of solar farms.
Economic Factors: Changes in market conditions, government incentives, and energy prices can affect the financial viability of solar farms.
Technology Obsolescence: Rapid advancements in solar technology can lead to the risk of investments becoming outdated if new technologies offer greater efficiency.
Data Security and Privacy: As solar farms incorporate data collection and communication technologies, there are concerns about data security and privacy.
Operational Resilience: Ensuring the resilience of solar farms to recover quickly from disruptions and continue energy production is crucial.
Health and Safety: Safety concerns for workers during installation, maintenance, and repair need to be addressed.
Public Perception and Community Engagement: Engaging with local communities and addressing concerns about visual impacts, land use, and environmental impacts is important.
Climate Change Impacts: Solar farms may be affected by changing climate patterns that impact solar resource availability and environmental conditions.
Technical Expertise: Adequate technical expertise is necessary for the design, installation, and maintenance of solar farms.
By engaging experienced senior consultants to facilitate workshops that adopt the CIRMP risk management framework and work with the relevant subject matter experts, it is possible to develop the “all hazards” risk management approach that is described in the Act.