Following our previous discussion on the draft legislation, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), which amends the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), was passed on 2 December 2021.
The SOCI Act has now been expanded from four critical infrastructure sectors (electricity, water, gas and ports) to include another nine sectors (communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, water and sewerage).
To recap, critical infrastructure is broadly defined in the SOCI Act as:
In recent times, there have been cyber attacks on the federal parliamentary computing network and other sectors, including transport, education, health and medical services, in Australia. During the COVID-19 pandemic, supply chains have been targeted and disrupted, worsening an already difficult situation with supply impacting food security and medical supplies.
In 2015, a cyber attack caused power outages for several weeks in Ukraine, while ransomware attacks in 2017 crippled communications, financial markets, transport and healthcare in Europe. In Australia, the bushfires in 2020 impacted significantly on critical infrastructure and the ability of the government to mitigate the impact on the social and economic wellbeing of the affected communities and to rectify services as quickly as possible.
The Australian Government enacted the SOCI Act in 2018 in response to threats and risks to Australia’s critical infrastructure to protect these assets and essential services from, and to mitigate the consequence of, natural disasters, sabotage, industrial incidents and most recently, cyber attacks. These threats, if realised, could destroy or cause significant damage to critical infrastructure which could in turn destabilise the economy and the country’s security.
With the amendments to the SOCI Act, the Australian Government has introduced a wide-reaching regulatory framework that includes infrastructure maintained by public and private sector entities and mandatory cyber incident reporting.
Entities that own and operate critical infrastructure will be required to have sector-specific critical infrastructure risk management programs developed in conjunction with the Australian Government, proportionate to the risk profile of the particular sector.
In the remainder of this article, we outline some of the major amendments to the SOCI Act and highlight key requirements for owners and operators of critical infrastructure under the new legislation.
There are two key changes to the Register of Critical Infrastructure Assets (Register).
With the addition of more critical infrastructure, the range of reporting entities has also increased. The intention is for the Australian Government to develop and maintain a comprehensive picture of the ownership and operational arrangements for critical infrastructure across all infrastructure sectors, to identify interdependencies and commonalities to protect against the flow-on effects when one sector is adversely affected.
The second change to the Register will allow the Minister to make rules as to what entities with critical infrastructure will be subject to Positive Security Obligations (PSO). Those entities will have six months to comply once their PSO commence and there are civil penalties for failing to comply.
Entities that are subject to PSO are required to identify material risks to the critical infrastructure they operate, take steps to mitigate the risks to prevent incidents and if the risk is realised, have programs and strategies in place to minimise the impact of realised incidents.
Entities operating critical infrastructure which are subject to PSO must comply with all or some of the following requirements as the Minister requires:
The information provided to the Register will be kept confidential and penalties apply for unauthorised disclosure of this information to any other party.
Critical assets that are already subject to PSO include telecommunication facilities, broadcasting transmission and domain name systems, internet services, data centres and storage (including cloud services), food and grocery distribution and supply to declared critical supermarket retailers or wholesalers.
As a result of the amendments, water and sewerage services provided to at least 100,000 water or sewerage connections may also be declared as critical infrastructure. Water services include wastewater, potable water, raw and recycled water, desalination plants and bulk water providers.
The Minister can declare critical infrastructure to be a System of National Significance (SNS) where there is a level of interdependency with other critical infrastructure assets. SNS forms part of the critical infrastructure that operates across sectors which are crucial to the Australian economy and security, e.g. electricity supply.
SNS will also be subject to Enhanced Cyber Security Obligations (ECSO), which will require the entity operating the SNS to undertake one or more prescribed cyber security activities.
Prescribed cyber security activities include developing and implementing response plans, programs and strategies to build preparedness, undertaking vulnerability assessments to identify vulnerabilities or gaps in processes for remediation and statutory incident response plans, a copy of which must be provided to the Secretary of Home Affairs (Secretary).
The entity will be required to provide a systems information plan about the operations of the SNS to the Secretary. If the entity is not capable of obtaining or is unwilling to provide that information, the Secretary may install and maintain a specified computer program to collect and record the required system information and send that information to the Australian Signals Directorate electronically. This will facilitate greater sharing of information concerning cyber threats in real-time to reduce the risks and consequences of a significant cyber attack on critical assets in all affected sectors.
In some circumstances, government assistance will be provided to assist entities in both the public and private sectors to respond to serious cyber attacks to protect assets which are at risk.
The Australian Government will also have last resort powers to resolve an incident or mitigate a risk and may issue a direction to an entity operating a critical infrastructure to take action to mitigate a cyber attack, an imminent attack or a material risk where the incident has or will seriously prejudice social, economic stability, defence or national security.
The decisions made by the Minister to impose PSO on entities with critical infrastructure, to declare a critical infrastructure as a SNS or to cause system information to be provided to the Australian Signals Directorate will not be subject to the Administrative Decisions (Judicial Review) Act 1977.
Public and private entities which own or operate critical infrastructure, as declared by the Minister, are required to:
Owners and operators of declared critical infrastructure with PSO will need to ensure they have programs, processes and procedures approved by the Minister in place within six months of the declaration to comply with the SOCI Act.
Declaration of an asset as critical infrastructure or as a SNS is at the Minister’s discretion and these decisions are exempt from judicial review.
The regulatory framework places significant obligations on entities operating critical infrastructure and penalties apply for failure to comply with these obligations or within specific time frames.
The sharing of confidential system information to mitigate risk across critical infrastructure sectors is protected under the SOCI Act and penalties will apply for unauthorised disclosure of this information.
Holding Redlich works with public and private sector entities in the development, operation and security of major projects, including critical infrastructure. If you have any queries or would like more information, please contact us or send us your enquiry here.
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.