New and enhanced security obligations
At the lower end of the scale, the expanded list of critical infrastructure entities will be subject to the existing range of powers, functions and obligations that apply under the SOCI Act, including registering ownership and operational information of critical assets, and complying with information gathering powers and ministerial directions. Network owners in these sectors may also attract “Government Assistance” if they fall victim to a cyber attack.
A middle tier of critical infrastructure entities will attract a positive security obligation. This obligation will set and enforce baseline protections (covering cyber security as well as physical, personnel and supply chain oversight), implement sector-specific standards and strengthen sectoral oversight. CyberCX understands these sector-specific standards will be co-designed by government and industry.
A third tier, owners of ‘systems of national significance’ (SoNS), will be subject to enhanced cyber security obligations. It will be up to the Home Affairs Minister to declare which critical infrastructure providers are so important to the nation that they should be considered as SoNS.