Critical infrastructure law reform remains a major focus for the Australian Government in 2021. This is part of the government’s ongoing efforts to bolster national cyber security and resilience, following publication of Australia’s Cyber Security Strategy 2020.
The key reform to watch is the Security Legislation Amendment (Critical Infrastructure) Bill (‘the Bill’), introduced into parliament late last year. Cµrrently sitting with parliament’s powerful intelligence and security committee (the PJCIS) for review, it’s expected to return to the House in the second half of 2021.
The cyber threat to critical infrastructure is real and growing. In May, a ransomware attack temporarily shutdown major American oil pipeline, Colonial Pipeline. Australian and New Zealand essential services and critical infrastructure providers are attractive targets for a range of cyber threat actors, with recent disruptive attacks against Melbourne’s Eastern Health and Waikato Hospital, the New Zealand Stock Exchange, and Australian broadcasting, logistics and food companies.
A critical infrastructure definition for the 21st century
The Bill will significantly expand the definition of critical infrastructure and the way cyber security is managed in infrastructure networks. Currently, critical infrastructure is broken into five high-risk sectors:
- Electricity, gas, water and ports, which are regulated under the Security of Critical Infrastructure Act 2018 (SOCI Act); and
- Telecommunications providers, which are regulated under the Telecommunication and Other Legislation Act 2017, known as the Telecommunication Sector Security Reforms (TSSR).
The Bill expands the definition of critical infrastructure well beyond these more traditional definitions of infrastructure, to capture assets essential to Australia’s security and prosperity, and the safety and wellbeing of Australians, such as in the banking, food and healthcare sectors. It also reflects the criticality of 21st century industries– like data storage and space technologies — to Australian governments, businesses and citizens. Under the proposed Bill, Australian critical infrastructure will comprise eleven sectors:
- data storage and processing
- defence industry
- financial services and markets
- food and grocery
- healthcare and medical
- higher education and research
- space technology
- water and sewerage
New and enhanced security obligations
At the lower end of the scale, the expanded list of critical infrastructure entities will be subject to the existing range of powers, functions and obligations that apply under the SOCI Act, including; registering ownership and operational information of critical assets, compliance with information gathering powers and ministerial directions. Network owners in these sectors may also attract “Government Assistance” if they fall victim to a cyber attack.
A middle tier of critical infrastructure entities will attract a positive security obligation. This obligation will set and enforce baseline protections (covering cyber security as well as physical, personnel and supply chain oversight), implement sector specific standards and strengthen sectoral oversight. CyberCX understands these sector-specific standards will be co-designed by government and industry.
A third tier, owners of ‘systems of national significance’ (SoNS), will be subject to enhanced cyber security obligations. It will be up to the Home Affairs Minister to declare which critical infrastructure providers are so important to the nation that they should be considered as SoNS.
What does this mean for CyberCX customers?
The critical infrastructure reforms are a test case for government-industry partnership. The government’s focus on critical infrastructure highlights how important the private sector is to Australia’s security and resilience.
The Department of Home Affairs continues to engage with industry on implementation details for the Bill, and has released draft definitions for assets and systems which are likely to be designated as critical by the Minister. Home Affairs is also working with industry on the co-design phase for the rules which will underpin the Critical Infrastructure Risk Management Program. See the Home Affairs website for information on how to have your say.
As the Bill moves through Parliament, it is also likely to continue to attract debate, and possibly amendments. In particular, the scope and nature of the government assistance powers are likely to receive sustained scrutiny. The cyber security industry has raised concerns about the broad definitions used in the Bill which could capture entities with distant links to the nation’s critical infrastructure. Prioritisation will be key — not everything can be “critical”. So too will continued open dialogue and consultation on both the Bill and the draft definitions proposed by Home Affairs .
How can CyberCX help?
If you would like to further understand the likely impact of this legislation to your organisation or seek assistance in implementing the obligations, please reach out to us at www.ccxstage.wpengine.com/contact-us/ or call 1300 031 274.