Following our previous discussion of the Bill, the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), which amends the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), was passed on December 2, 2021.
The SOCI Act has been extended from four critical infrastructure sectors (electricity, water, gas and ports) to nine other sectors (communications, financial services and markets, data storage and processing, defense industry, higher education and research, energy, food and groceries, healthcare and medicine, space technology, transport, water and sanitation).
To recap, critical infrastructure is broadly defined in the SOCI Act as:
- “those physical facilities, supply chains, information technology and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would have a significant impact on social or economic well-being of the nation or affect Australia’s ability to conduct national defense and provide national security.”
Purpose of the SOCI Act
In recent times, there have been cyberattacks on the federal parliamentary computer network and on other sectors in Australia, including transport, education, and health and medical services. During the COVID-19 pandemic, supply chains have been targeted and disrupted, worsening an already difficult supply situation and affecting food security and medical supplies.
In 2015, a cyber attack caused power outages for several weeks in Ukraine, while ransomware attacks in 2017 crippled communications, financial markets, transport and healthcare in Europe. In Australia, the 2020 bushfires had a significant impact on critical infrastructure and the government’s ability to mitigate the impact on the social and economic well-being of affected communities and to rectify services as quickly as possible.
The Australian Government enacted the SOCI Act in 2018 in response to threats and risks to Australia’s critical infrastructure to protect these essential assets and services from natural disasters, sabotage, industrial incidents and, more recently, cyberattacks, and to mitigate their consequences. These threats, if realized, could destroy or cause significant damage to critical infrastructure, which in turn could destabilize the country’s economy and security.
With the amendments to the SOCI Act, the Australian government has put in place a far-reaching regulatory framework that includes infrastructure maintained by public and private sector entities and mandatory cyber incident reporting.
Entities that own and operate critical infrastructure will be required to have sector-specific critical infrastructure risk management programs developed in conjunction with the Australian Government, commensurate with the risk profile of the particular sector.
In the remainder of this article, we outline some of the key changes to the SOCI Act and highlight key requirements for critical infrastructure owners and operators under the new legislation.
Critical Asset Register
There are two key changes to the Register of Critical Infrastructure Assets (Register).
With the addition of more critical infrastructure sectors, the range of reporting entities has also expanded. The intention is for the Australian Government to develop and maintain a comprehensive picture of ownership and operational arrangements for critical infrastructure across all sectors, so that it can identify interdependencies and commonalities and protect against flow-on effects when one sector is negatively affected.
The second amendment to the Register will allow the Minister to make rules specifying which critical infrastructure entities will be subject to positive security obligations (PSOs). These entities will have six months to comply once their PSOs commence, and civil penalties are provided for non-compliance.
Positive Security Obligations
Entities subject to PSOs are required to identify significant risks to the critical infrastructure they operate, take steps to mitigate the risks to prevent incidents and, if the risk materializes, put in place programs and strategies to minimize the impact of actual incidents.
Entities operating critical infrastructure that are subject to PSOs must comply with some or all of the following requirements, as required by the Minister:
- adopt and maintain an all-hazards critical infrastructure risk management program
- report cyber security incidents to the Australian Signals Directorate (ASD)
- provide the Register with information about the ownership and operation of their critical infrastructure.
Information provided to the Register will be kept confidential, and penalties will apply for unauthorized disclosure of that information to any other party.
Critical assets that are already subject to PSOs include telecommunications facilities, broadcasting and domain name systems, internet services, data centers and data storage (including cloud services), and the distribution of food and grocery products by retailers or wholesalers declared to be critical supermarket suppliers.
As a result of the amendments, water and sewerage services provided to at least 100,000 water or sewerage connections can also be declared critical infrastructure. Water utilities include wastewater, drinking water, raw and recycled water, desalination plants and bulk water suppliers.
Systems of National Significance
The Minister may declare critical infrastructure to be a system of national significance (SNS) where there is a level of interdependence with other critical infrastructure assets. An SNS is critical infrastructure that operates in a sector crucial to the Australian economy and security, for example electricity supply.
An SNS will also be subject to enhanced cyber security obligations (ECSOs), which will require the entity operating the SNS to undertake one or more prescribed cyber security activities.
Prescribed cyber security activities include developing and implementing response plans, programs and strategies to enhance preparedness; conducting vulnerability assessments to identify vulnerabilities or gaps in remediation processes; and preparing statutory incident response plans, a copy of which must be provided to the Secretary of the Department of Home Affairs (Secretary).
The entity will be required to provide the Secretary with a system information plan regarding the operation of the SNS. If the entity is unable to obtain or unwilling to provide such information, the Secretary may install and maintain a specified computer program to collect and record the required system information and send it electronically to the Australian Signals Directorate. This will facilitate greater sharing of real-time cyber threat information to reduce the risks and consequences of a major cyberattack on critical assets across all affected sectors.
In certain circumstances, government assistance will be provided to help public and private sector entities respond to severe cyberattacks to protect assets at risk.
Powers to address or mitigate a cyber security risk
The Australian Government will also have powers of last resort to resolve an incident or mitigate a risk, and may order an entity operating critical infrastructure to take action to mitigate a cyberattack, an imminent attack or a significant risk where the incident has seriously damaged, or will seriously damage, social or economic stability, defense or national security.
Decisions by the Minister to impose PSOs on entities with critical infrastructure, to declare critical infrastructure to be an SNS, or to require system information to be provided to the Australian Signals Directorate will not be subject to review under the Administrative Decisions (Judicial Review) Act 1977 (Cth).
Key Requirements for Owners and Operators of Critical Infrastructure
Public and private entities that own or operate critical infrastructure, as declared by the Minister, are required to:
- develop a Critical Infrastructure Risk Management Program, which must be submitted to the Secretary for approval. The program must identify each hazard and material risk, and set out how the entity will minimize or eliminate the risk and mitigate the impact of the hazard
- comply with the program approved by the Minister
- regularly review and update the program
- submit an annual report to the Secretary within 30 days of the end of the fiscal year. The report must be signed by the entity’s board, council or governing body
- notify the Secretary of any cyber security incident within 12 hours of the incident if it has a significant impact on the availability of the affected asset.
Key points to remember
Owners and operators of critical infrastructure declared to be subject to PSOs will need to ensure that they have programs, processes and procedures approved by the Minister in place within six months of the declaration in order to comply with the SOCI Act.
Declaring an asset as Critical Infrastructure or SNS is at the discretion of the Minister and such decisions are exempt from judicial review.
The regulatory framework imposes significant obligations on entities operating critical infrastructure, and penalties apply for failing to comply with these obligations or to meet the specified deadlines.
The sharing of confidential system information to mitigate risk in critical infrastructure sectors is protected by the SOCI Act, and penalties will apply for unauthorized disclosure of this information.
This publication does not address all major topics or changes in law and is not intended to be relied upon as a substitute for legal or other advice which may be relevant to the specific circumstances of the reader. If you found this publication interesting and would like to know more or would like legal advice relevant to your situation, please contact one of the people named on the list.