On November 22nd 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 was passed.
The Australian Government’s Critical Infrastructure Resilience Strategy currently defines Critical Infrastructure (CI) as physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.
The program intends to increase resilience across critical infrastructure assets, address vulnerabilities across physical, cyber, supply chain, and personnel domains, provide a wholesale uplift in critical infrastructure security, and reassure the Government that critical infrastructure assets are appropriately safeguarded against all risks.
In this context, the new Bill will extend existing legislation, imposing new security obligations onto owners and operators of entities within CI. These sectors include:
- Electricity, gas, water and maritime ports sectors
- Communications
- Financial services and markets
- Data storage and processing
- Defence industry
- Higher education and research
- Energy
- Food and grocery
- Health care and medical
- Space technology
- Transport
- Water and sewerage.
Further details of whether your organisation falls within these sectors can be found in the explanatory memoranda at Attachment B - Clause 1.2 ‘What is critical infrastructure’, page 239.
I operate in these sectors; what do I need to do?
The following table provides guidance on the new controls applicable to your entity based on your organisation’s position in the CI sector.
| | Entities within Critical Infrastructure Sectors | Critical Infrastructure Assets | Systems of National Significance |
| --- | --- | --- | --- |
| Positive Security Obligations | ✖ | ✔ | ✔ |
| Enhanced Cyber Security Obligations | ✖ | ✖ | ✔ |
| Government Assistance | ✔ | ✔ | ✔ |
| Ministerial Direction | ✖ | ✔ | ✔ |
Positive Security Obligations
Like any good Information Security Management System (ISMS), positive security obligations define the base requirements that give the Government a mechanism for shared oversight of the key CI assets within Australia.
When these assets are involved in a significant cyber security incident, this ensures the Government is notified quickly and gains accelerated situational awareness. To reduce friction, the Government has implemented the following controls:
- A Government-owned asset register is contributed to by entities (further clarification of whether your CI assets are in scope can be found in the explanatory memoranda at RIS Attachment 1, page 297)
- A Critical Infrastructure Risk Management Program to collectively uplift the security of CI assets, including:
  - Sector-specific rules, which will be designed in consultation with each sector and used to give entities guidance on what would be considered a reasonable and proportionate response to meeting the obligations of the risk management program.
- Notification of cyber security incidents:
  - A ‘significant incident’ is where there has been a disruption to the availability of an essential service. In this case the entity must report this verbally or in writing within 12 hours of becoming aware of the incident. A written report must be given within 84 hours of verbal notification.
  - A ‘relevant impact’ is where the confidentiality, integrity or availability of the asset has been impacted. In this case the entity must report this within 72 hours of becoming aware of the incident. A written report must be given within 48 hours of verbal notification.
The specific requirements under the Positive Security Obligations will be defined and activated by making rules for each class of CI assets. Until these rules are defined and activated, the immediate impact on regulatory requirements will be delayed.
Enhanced cyber security obligations
This will apply to a significantly smaller group of entities, being those that, if interrupted, would have cascading impacts on other CI assets and sectors. The additional controls include:
- Developing and maintaining incident response plans
- Undertaking scenario-based exercises
- Conducting vulnerability assessments
- Providing access to system information relating to the functioning of a system.
Government assistance
Government assistance will potentially be the most significant change to how entities engage with Government during an incident. Importantly, this gives the Government powers to intervene while also providing the necessary controls to limit overreach. There are three steps involved:
Information gathering direction
In the first stage of escalation, the Government will have the power to compel an entity to disclose information related to a cyber security incident, to determine the need for further escalation of support and intervention.
Action direction
Through active consultation and engagement with other federal agencies (e.g. the Australian Federal Police and the Australian Signals Directorate), the Government will be authorised to direct the entity to take action that is reasonably necessary and proportionate to achieving the objective of resolving the incident.
Intervention request
At the extreme end of the Government’s authority, and as a last resort, an intervention request would be used where an entity is not responding to an ‘information gathering direction’ or an ‘action direction’.
This would require agreement by the Minister for Defence and the Prime Minister and would be executed through the Australian Signals Directorate (ASD) with support from the Australian Federal Police (AFP).
Let us make these new obligations simple
Our team is well placed to continue the great partnerships with our clients in the CI sector. As BDO takes charge navigating the evolving cyber threat landscape, we empower our clients through partnership and collaboration to ensure no one is left behind.
If your organisation is in the CI sector and you’d like some guidance on the next steps you should take, please get in touch with your local BDO adviser or submit an enquiry here.