Following our previous discussion on the draft legislation, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), which amends the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), was passed on 2 December 2021. 

The SOCI Act has now been expanded from four critical infrastructure sectors (electricity, water, gas and ports) to eleven: communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage. The original electricity, gas and water sectors are now covered within the broader energy and water and sewerage sectors.

To recap, critical infrastructure is broadly defined in the SOCI Act as:

  • "those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security."

Purpose of the SOCI Act

In recent times there have been cyber attacks on the federal parliamentary computing network and on other Australian sectors, including transport, education, and health and medical services. During the COVID-19 pandemic, supply chains have been targeted and disrupted, worsening an already difficult situation and affecting food security and the availability of medical supplies.

In 2015, a cyber attack on Ukraine's power grid cut electricity to hundreds of thousands of customers, while ransomware attacks in 2017 crippled communications, financial markets, transport and healthcare across Europe. In Australia, the 2019-20 bushfires significantly affected critical infrastructure and the government's ability to limit the impact on the social and economic wellbeing of the affected communities and to restore services as quickly as possible.

The Australian Government enacted the SOCI Act in 2018 in response to threats and risks to Australia's critical infrastructure, to protect these assets and essential services from, and to mitigate the consequences of, natural disasters, sabotage, industrial incidents and, most recently, cyber attacks. These threats, if realised, could destroy or significantly damage critical infrastructure, which could in turn destabilise the economy and the country's security.

With the amendments to the SOCI Act, the Australian Government has introduced a wide-reaching regulatory framework that includes infrastructure maintained by public and private sector entities and mandatory cyber incident reporting.

Entities that own and operate critical infrastructure will be required to have sector-specific critical infrastructure risk management programs developed in conjunction with the Australian Government, proportionate to the risk profile of the particular sector.

In the remainder of this article, we outline some of the major amendments to the SOCI Act and highlight key requirements for owners and operators of critical infrastructure under the new legislation.

Register of critical assets

There are two key changes to the Register of Critical Infrastructure Assets (Register).

With the addition of more critical infrastructure, the range of reporting entities has also increased. The intention is for the Australian Government to develop and maintain a comprehensive picture of the ownership and operational arrangements for critical infrastructure across all infrastructure sectors, to identify interdependencies and commonalities to protect against the flow-on effects when one sector is adversely affected.

The second change to the Register allows the Minister to make rules specifying which entities with critical infrastructure assets are subject to Positive Security Obligations (PSO). Those entities have six months to comply once their PSO commence, and civil penalties apply for failing to do so.

Positive Security Obligations

Entities that are subject to PSO are required to identify material risks to the critical infrastructure they operate, take steps to mitigate the risks to prevent incidents and if the risk is realised, have programs and strategies in place to minimise the impact of realised incidents.

Entities operating critical infrastructure which are subject to PSO must comply with all or some of the following requirements, as the Minister requires:

  • adopt and maintain a critical infrastructure risk management program covering all hazards
  • report cyber security incidents to the Australian Cyber Security Centre (ACSC), which sits within the Australian Signals Directorate (ASD)
  • provide ownership and operational information about their critical infrastructure assets to the Register.

The information provided to the Register will be kept confidential and penalties apply for unauthorised disclosure of this information to any other party.

Critical assets that are already subject to PSO include telecommunication facilities, broadcasting transmission and domain name systems, internet services, data centres and storage (including cloud services), food and grocery distribution and supply to declared critical supermarket retailers or wholesalers.

As a result of the amendments, water and sewerage services provided to at least 100,000 water or sewerage connections may also be declared as critical infrastructure. Water services include wastewater, potable water, raw and recycled water, desalination plants and bulk water providers.

Systems of National Significance

The Minister can declare a critical infrastructure asset to be a System of National Significance (SNS) where it is interdependent with other critical infrastructure assets. An SNS is an asset that, because of those interdependencies with assets in other sectors, is crucial to the Australian economy and national security, e.g. electricity supply.

SNS will also be subject to Enhanced Cyber Security Obligations (ECSO), which will require the entity operating the SNS to undertake one or more prescribed cyber security activities.

Prescribed cyber security activities include:

  • developing and implementing response plans, programs and strategies to build preparedness
  • undertaking vulnerability assessments to identify vulnerabilities or gaps in processes for remediation
  • maintaining a statutory incident response plan, a copy of which must be provided to the Secretary of Home Affairs (Secretary).

The entity will be required to provide system information about the operation of the SNS to the Secretary. If the entity is not technically capable of obtaining that information, or is unwilling to provide it, the Secretary may require it to install and maintain a specified computer program that collects and records the required system information and transmits it electronically to the Australian Signals Directorate. This is intended to facilitate real-time sharing of cyber threat information and to reduce the risk and consequences of a significant cyber attack on critical assets across all affected sectors.

In some circumstances, the government will provide assistance to entities in both the public and private sectors in responding to serious cyber attacks, to protect assets which are at risk.

Powers to resolve or mitigate a cyber security risk

The Australian Government will also have last-resort powers to resolve an incident or mitigate a risk, and may direct an entity operating critical infrastructure to take action in response to a cyber attack, an imminent attack or a material risk where the incident has seriously prejudiced, or will seriously prejudice, social or economic stability, defence or national security.

The decisions made by the Minister to impose PSO on entities with critical infrastructure, to declare a critical infrastructure asset to be an SNS, or to require system information to be provided to the Australian Signals Directorate will not be subject to review under the Administrative Decisions (Judicial Review) Act 1977 (Cth).

Key requirements for owners and operators of critical infrastructure

Public and private entities which own or operate critical infrastructure, as declared by the Minister, are required to:

  • develop a critical infrastructure risk management program, which must be provided to the Secretary for approval. The program must identify each hazard that poses a material risk to the asset, the steps taken to minimise or eliminate that risk, and the steps taken to mitigate the impact of the hazard if it occurs
  • comply with the approved program
  • regularly review and update the program
  • submit an annual report to the Secretary within 90 days of the end of the financial year. The report must be signed by the board, council or governing body of the entity
  • report any cyber security incident to the Australian Cyber Security Centre (ACSC) within 12 hours of becoming aware of it if the incident has a significant impact on the availability of the relevant asset, and within 72 hours if it has some other relevant impact on the asset. Both clocks run from the time the entity becomes aware of the incident, not from the time the incident occurred.

Key takeaways

Owners and operators of declared critical infrastructure subject to PSO will need to have approved programs, processes and procedures in place within six months of the declaration in order to comply with the SOCI Act.

Declaration of an asset as critical infrastructure or as an SNS is at the Minister's discretion, and these decisions are not reviewable under the Administrative Decisions (Judicial Review) Act 1977 (Cth).

The regulatory framework places significant obligations on entities operating critical infrastructure, and penalties apply for failing to comply with these obligations or for failing to comply within the specified time frames.

The sharing of confidential system information to mitigate risk across critical infrastructure sectors is protected under the SOCI Act and penalties will apply for unauthorised disclosure of this information.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.