There have been major changes to the nation’s security of critical infrastructure laws in recent months with the Government passing amendments to the existing Security of Critical Infrastructure (SOCI) Act both in December last year and in March this year. The changes come following increasing concerns over rising cyber-attacks and foreign interference.
The laws have a number of key provisions affecting private and public sector organisations.
With the grace periods for these provisions due to expire in the coming months, we discuss the key provisions, grace periods and expiry dates.
Expanded sector coverage
In December 2021 the SOCI amendment laws increased the number of sectors classified as ‘critical infrastructure assets’.
Initially, critical infrastructure only referred to the electricity, gas, water and maritime/ports sectors.
However, following the amendments, the laws apply to a broad range of sectors including:
- healthcare and medical sectors
- financial services and markets
- data storage or processing
- defence industry
- water and sewerage
- higher education and research
- space technology
- food and grocery provision
Under the SOCI amendments, critical infrastructure assets are defined according to their specific sector. For example, a ‘critical water asset’ is defined as ‘one or more water or sewerage systems or networks that are managed by a single water utility and deliver services to at least 100,000 connections.’
Organisations should consider which of their assets are defined as critical infrastructure and consult with government and/or consider legal advice where necessary.
Mandatory reporting of cyber incidents
The SOCI laws place obligations on entities responsible for critical infrastructure assets to report cyber security incidents to the Australian Signals Directorate (ASD).
The grace period for this provision is due to expire on 8 July 2022.
There are two levels of reporting:
- critical cyber security incidents – a responsible entity must report (orally or in writing) that a critical cyber incident has occurred within 12 hours of the entity becoming aware of the incident. A critical security incident is where an attack (direct or indirect) is having a significant effect on the availability of the asset. A written report must also be provided within 84 hours.
- other cyber security incidents – a responsible entity must also report any incident that has occurred, is occurring or is imminent that would have a “relevant impact on the asset”. This must occur (orally or in writing) within 72 hours. The entity must also provide a written report within 48 hours of the initial report being given.
Registration of critical assets
The SOCI laws place obligations on ‘reporting entities’ for critical infrastructure assets to provide information to the Federal Government to be recorded on its Register of Critical Infrastructure Assets. A reporting entity for an asset is either the ‘responsible entity’ for the asset or the ‘direct interest holder’ for the asset. The responsible entities differ depending on each industry sector.
Organisations should consider whether they are a reporting entity for an asset and consult with government and/or consider legal advice where necessary.
The grace period for this provision is due to expire on 8 October 2022.
Positive security obligation
The positive security obligation passed Federal Parliament in late March this year.
This obligation requires entities responsible for critical infrastructure assets to adopt and maintain a risk management program. The purpose of the program is to enable entities to identify hazards and proactively minimise or eliminate the risk of those hazards occurring. It requires the responsible entity to maintain and comply with a risk management program and provide an annual report to the relevant Commonwealth regulator regarding the program.
This obligation initially applies only to the following sectors:
- critical broadcasting assets
- critical domain systems
- critical data storage or processing assets
- critical hospitals
- critical energy market operator assets
- critical water and sewerage assets
- critical electricity assets
- critical gas assets
- critical liquid assets
- critical financial market infrastructure assets.
A six-month grace period will apply once the Minister for Home Affairs triggers this measure. This process involves the Minister ‘switching on’ the provision and informing asset holders. The grace period then commences from that date.
Enhanced cyber security obligation
This obligation allows the Minister for Home Affairs to privately declare a critical infrastructure asset to be a ‘system of national significance’. Before making the declaration, the Minister is required to have regard to the asset’s interdependencies with other critical infrastructure assets and the consequences to Australia’s national interest if a hazard were to occur. A responsible entity can be required to comply with the following measures:
- a statutory incident response planning obligation – the entity must adopt, maintain and comply with an incident response plan with respect to its assets and provide a copy to the Secretary of Home Affairs
- a requirement to undertake cyber security exercises – these exercises are intended to test the relevant entity’s ability and preparedness to respond to cyber incidents
- a requirement to undertake vulnerability assessments – the entity may be required to undertake a vulnerability assessment in respect of the relevant asset, the purpose of which is to test the vulnerability of the asset to cyber incidents, and
- provision of access by ASD to system information – a relevant entity for the system may be required to give the ASD periodic or event-based reports of system information, or install software that transmits system information to the ASD
The Federal Government is unlikely to provide a list of ‘systems of national significance’ for national security reasons. However, officials state that they will have one-on-one meetings with affected organisations.
A further provision allows the government to intervene to respond to serious cyber incidents that impact the ability of Australia’s critical infrastructure assets to provide services.
This provision is in theory already in operation; however, the Federal Government states that it has not yet used the power.
Government intervention can occur where:
- a cyber incident has occurred, is occurring or is imminent
- the incident is having or is likely to have a relevant impact on a critical infrastructure asset
- there is a material risk that the incident has seriously prejudiced, or is likely to seriously prejudice: a) the social or economic stability of Australia or its people, b) the defence of Australia, or c) Australia’s national security, and
- no existing regulatory system could be used to provide a practical and effective response to the incident.
Additional information is available on the Government’s Cyber and Infrastructure Security Centre website. Governance Institute has also published news updates on critical infrastructure and lodged submissions on: