Like most Australian utilities, energy giant Jemena—which owns and operates more than $11 billion worth of gas and electricity assets for more than 1.4 million customers across Victoria, New South Wales, and the east coast of the country—has been keenly watching the evolution of significant new legislation that will impose new cybersecurity obligations on critical infrastructure operators in 11 key industries.

While the details aren’t yet written in law, David Worthington knows enough about the new obligations that he has been working with business leaders ever since the Security of Critical Infrastructure (SOCI) Act was passed in 2018 and its Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced in December 2020. Worthington is the general manager for digital security and risk at Jemena.

Many of the proposed changes were reminiscent of the guidelines already embodied in the Australian Energy Sector Cyber Security Framework (AESCSF), whose development as a private-public partnership was overseen by industry regulator AEMO. AESCSF borrows heavily from existing cybersecurity guidelines, including the US Department of Energy’s Cybersecurity Capability Maturity Model (ES-C2M2), the NIST Cyber Security Framework (CSF), the Australian Cyber Security Centre (ACSC) Essential Eight, and the Australian Privacy Principles.

How Jemena is preparing for the new cybersecurity standards

Worthington’s team has been actively engaging with Jemena’s executive and board to raise awareness of the significant change in cybersecurity obligations, he told attendees of a recent Splunk webinar. “The energy sector overall has been prepping for this for quite some time. … It has gone well, and we have a good idea of what we need to do and where we’re at.”

While “by and large I think this is a positive step for the industry in terms of cybersecurity,” Worthington said, “in businesses that are quite lean [like utilities], across the whole business, it takes a lot of planning and a lot of time.”

In practical terms, he said, that has so far meant working with a “coalition of the willing”, which includes general managers across all impacted areas of the business who are working together on a “very high-level program of work” that includes intensive training of executives around cybersecurity, physical security, and other related issues.

“We are working through it slowly,” Worthington said, “but one of the key things that we’re looking at is working with the executive and the board around getting them to understand what the changes are, and what we need to do to address them.”

Board education has been a major issue for CISOs across Australia and New Zealand, with competing priorities and a sometimes-sketchy grasp of cybersecurity concepts making it hard to get enough funding to drive major change.

Building on Jemena’s work to date implementing AESCSF—which has so far been voluntary and self-assessed, but is likely to become a mandatory compliance framework once the SOCI amendments and industry-led, co-designed standards take effect—the company is setting up the working groups and governance committees that will be necessary to support the likely new obligations.

Many of the “practically no- or low-cost” organisational adjustments simply accelerate changes that were already on the cards, or add new urgency to ongoing work that is already in play. One example, Worthington said, is escalating governance forums that are “three or four levels down from the executive”.

“We need [executive] support on moving forward on this, and they have a good understanding of risk management,” he added, “and risk and governance are really at the heart of what we need to do here. But subject matter expertise in these areas is going to be required.”

Australia is moving fast to protect critical infrastructure

The ongoing work inside Jemena is undoubtedly being replicated to some degree in every Australian utility company, after SOCI’s original passage in 2018 put them on notice to improve their cybersecurity operations in light of an increasing cybersecurity threat against critical infrastructure operators.

Yet the continuous evolution of the SOCI amendments has kept industry watching and waiting—most recently, through a Parliamentary Joint Committee on Intelligence and Security (PJCIS) report that recommended the legislation be split to fast-track new powers deemed urgently necessary to counter the “serious, considerable, and increasing” threat of “cyber-enabled attack and manipulation of critical infrastructure assets”.

That recommendation came in the wake of ongoing concern from many industry sectors, which have raised issues such as potential liability for cybersecurity breaches and the implications of a mooted obligation to report potential compromises within 12 hours.

Fast-tracking the most urgent elements of the SOCI amendments will likely see them pushed through Parliament before it rises for the year on 2 December 2021. But the bulk of the work around the bill will bleed into 2022 as widespread industry interest drives complex ongoing discussions—the enquiry has already met with more than 1,000 individuals and received 129 submissions regarding its Exposure Draft.

That leaves Jemena and other operators in what Worthington termed a “hurry-up-and-wait situation”, although he flagged constrained availability of resources as a key challenge over the next 12 months. “I don’t have any great answers for this,” Worthington said, noting that even though many firms are tapping consulting businesses for the necessary skills, “I don’t think that’s going to be an unlimited resource either.”

Those constraints may present challenges for companies that have so far adopted AESCSF as a best-practices guideline but may not yet have implemented controls at a level that would survive an audit.

“We’ve operationalised a lot of the things we’ve done in AESCSF,” Worthington said, “but have we done this in a way that is auditable? My gut feeling is that we’re going to be way off in a number of areas, and we’ll have to go back and reengineer some of the processes we’ve already got in place to make a more auditable and workable solution.”

Yet for all its potential requirements around new governance, the plodding progress of the SOCI amendments to date has left many executives comfortable that they still have time to spare.

Worthington is well aware that the perception of extra time may allow other business priorities to creep into the discussion, noting that “our priorities today are a bit different to what they will be when we have a deadline to meet. The challenge through this is going to be not just being compliant, but also being effective in managing the business side of risk for the long term,” he said. “There are always some people who feel that if you’re doing compliance you only do the minimum, and that’s enough—but as a lot of us have seen, in the cybersecurity space, that’s a mindset that has had some pretty dramatic results over the past years.”

Worthington added, “I’m not that excited about ticking compliance boxes. I’m not just planning to implement the rules, but to really use this as [a guide to] continue to manage the risk in the business in the future. Ultimately, that’s what the act is trying to do, rather than compliance.”

A different standard of risk governance for critical infrastructure

That degree of risk governance, technology lawyer Patrick Fair said, will become a key part of the new obligations on operators of critical infrastructure, a category that will now include data storage or processing facilities, higher education and research, and healthcare and medical.

“This is not like mandatory data breach reporting, where there’s a ‘serious harm’ test and it only involves the disclosure of personal information,” he said. “This is about cyber incidents that might have a relevant impact on your asset, defined to include the performance and availability of that asset.”

Under the SOCI amendments as currently posited, annual reporting obligations will force boards of critical infrastructure operators to sign off on their risk-management program, including reporting of any hazards that occurred during the year and an internal audit of the risk-management program. “This is designed to keep you focussed on the additional security obligations,” Fair said.