In today’s interconnected and digitised world, critical infrastructure sectors such as telecommunications, energy, water, and transport are increasingly threatened by cyber attacks, espionage, sabotage, and other malicious activities. The Australian Government recognises the potential impact of these threats and has taken steps to address them through the Security of Critical Infrastructure Act 2018 (Act).
The Act seeks to create a regulatory framework in which risks posed to critical infrastructure assets may be better identified, understood and managed in order to help ensure the security and resilience of Australia’s critical infrastructure. To this end, the objects of the Act are to:
- improve the transparency of the ownership and operational control of critical infrastructure;
- facilitate cooperation and collaboration between all levels of government, and regulators, owners and operators of critical infrastructure;
- require responsible entities for critical infrastructure assets to identify and manage risks relating to those assets;
- impose enhanced cyber security obligations on relevant entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents; and
- provide a regime for the Government to respond to serious cyber security incidents.
Who and what does the Act apply to?
The critical infrastructure sectors for the purposes of the Act are:
- Communications
- Data Storage and Processing
- Financial Services and Markets
- Water and Sewerage
- Energy
- Healthcare and Medical
- Higher Education and Research
- Food and Grocery
- Transport
- Space Technology
- Defence Industry
Accordingly, many private companies and government owned businesses now have compliance obligations under the Act.
The Act broadly defines an asset as a system, network, facility, computer, computer device, computer program, computer data, premises and “any other thing”.
In this article, we refer to entities that are responsible for critical infrastructure assets as Critical Infrastructure Entities.
What obligations does the Act impose?
The Act imposes a range of obligations on Critical Infrastructure Entities, some of which only apply to certain sectors or assets.
The key positive security obligations under the Act include:
- reporting of ownership and operational information relating to critical infrastructure assets to be included in the Register of Critical Infrastructure Assets; and
- mandatory cyber security incidents notification.
The Act was recently amended to provide that Critical Infrastructure Entities responsible for the following critical infrastructure assets are required to adopt, maintain and comply with a written Critical Infrastructure Risk Management Program (CIRMP):
- critical electricity assets
- critical energy market operator assets
- critical gas assets
- critical liquid fuels assets
- critical water assets
- critical financial market infrastructure assets used in connection with the operation of a payment system
- critical data storage or processing assets
- certain critical hospitals
- critical domain name systems
- critical food and grocery assets
- critical freight infrastructure assets
- critical freight services assets
- critical broadcasting assets
Failure to adopt, maintain or comply with a CIRMP attracts a penalty of 200 penalty units (currently $55,000).
Under the Act, the Minister for Home Affairs has the power to declare a critical infrastructure asset a System of National Significance and require the responsible Critical Infrastructure Entity to comply with enhanced cyber security obligations. These obligations may include:
- developing cyber security incident response plans to prepare for a cyber security incident;
- undertaking cyber security exercises to build cyber preparedness;
- undertaking vulnerability assessments to identify vulnerabilities for remediation; and/or
- providing system information to develop and maintain a near-real time threat picture.
Government powers
The Act provides the Government with the ability to provide assistance to Critical Infrastructure Entities in the wake of a serious cyber attack. Entities covered by the Act should ensure they are familiar with the rules around government assistance in order to be best placed to respond to a cyber attack. The Act also provides the Government with the power to intervene in critical infrastructure operations to prevent or mitigate a security risk.
To manage security risks to critical infrastructure, the Act establishes and is regulated by the Cyber and Infrastructure Security Centre (CISC). The CISC serves as the focal point for managing security risks to critical infrastructure. It works with Critical Infrastructure Entities to identify risks and develop strategies to mitigate them. The CISC is responsible for conducting risk assessments, providing guidance, and coordinating responses to security incidents.
Penalties
The Act establishes criminal offences for certain conduct relating to critical infrastructure. These offences include unauthorised disclosure or use of information relating to critical infrastructure, which attracts a penalty of 2 years’ imprisonment, 120 penalty units or both.
What do you need to do?
If your organisation is a Critical Infrastructure Entity, you need to ensure you are familiar with and are complying with the relevant obligations under the Act. If you are unsure whether your organisation is a Critical Infrastructure Entity or if you are unclear on which obligations apply, feel free to get in touch and we can advise on and assist with compliance.
More information
If you have any queries or would like further information about this article, please contact:
Kathryn Speed
Principal
M: 0408 446 013
E: kspeed@pageseager.com.au
Published: 2 May 2023
