Protecting Critical Infrastructure
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced into Parliament on 10 December 2020.
All Australians rely on critical infrastructure to deliver essential services that are crucial to our economic prosperity and our way of life, such as electricity, communications, transport and banking.
Critical infrastructure is increasingly interconnected and interdependent. Connectivity without proper safeguards creates significant vulnerabilities. Interconnectedness means that compromise of one critical infrastructure asset can have a domino effect that degrades or disrupts others and results in cascading consequences across Australia’s economy and national security.
Hazards of all kinds, from natural threats (including meteorological or climate hazards) to human-induced threats (including unlawful interference, cyber incidents, espionage, chemical or oil spills, and trusted insiders), have the potential to significantly disrupt critical infrastructure.
As the majority of Australia’s critical infrastructure is owned and operated by private industry or state and territory governments, it is vital that our approach to ensuring the resilience of Australia’s critical infrastructure is clear, effective, consistent and proportionate.
Coverage of the reforms
The Security of Critical Infrastructure Act 2018 currently covers specific entities in the electricity, gas, water and ports sectors. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 seeks to expand the scope of the Act to include critical infrastructure entities in a wider range of sectors, including: communications; financial services and markets; data storage or processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.
Underpinned by an enhanced partnership with industry, predominantly through a reinvigorated Trusted Information Sharing Network, the reforms will introduce:
- Positive Security Obligations, including the provision of information for the Critical Infrastructure Asset Register, Risk Management Plans and cyber incident reporting, which can only be activated for a sector following consultation with affected entities;
- Enhanced Cyber Security Obligations for the most critical entities (systems of national significance); and
- Government Assistance to respond to cyber attacks on critical infrastructure in a cyber emergency.
Not all elements will apply to all entities:
Application of the reforms
| Obligation | Entities within Critical Infrastructure Sectors | Critical Infrastructure Assets | Systems of national significance |
|---|---|---|---|
| Positive Security Obligations* | No | Yes | Yes |
| Enhanced Cyber Security Obligations | No | No | Yes |
*The obligations under the Positive Security Obligations will need to be 'switched on' (through the making of a rule) for each class of assets, meaning that there will be no regulatory burden experienced by industry under the Positive Security Obligations until defined within the Rules.
Benefits of the reforms
The Department of Home Affairs will work in partnership with critical infrastructure operators to develop requirements that strike a balance between uplifting security and ensuring businesses remain viable and their services remain sustainable, accessible and affordable. An uplift in security and resilience across critical infrastructure sectors will mean that all businesses benefit from strengthened protections to the networks, systems and services they rely on.
What consultation was undertaken on the reforms?
The Department of Home Affairs engaged with over 3,000 individuals across two phases of consultation between August and November 2020.
Consultation revealed broad in-principle support for the uplift to the security and resilience of critical infrastructure and the need to enhance Government’s relationship with industry. The table below outlines the consultation process underpinning the development and implementation of the reforms.
| Phase | Activities | Goal |
|---|---|---|
| August - September 2020 | 1. Initial consultation: Consultation Paper; Town Halls | Sector-specific consultation on the broad reform framework |
| September 2020 - early 2021 | 2. Amend legislation: draft and consult on the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 | Introduction of the Bill to Parliament on 10 December 2020 |
| 2021 | 3. Sector design: sector workshops; design of sector-specific requirements | Work with industry to design sector-specific requirements |
To ensure the successful implementation of the reforms, the Department of Home Affairs will work with industry peak bodies, existing regulators, state and territory governments, and critical infrastructure entities from January 2021 to bring the reforms to life through a comprehensive consultation process. Home Affairs will undertake a staged, sector-by-sector approach to co-designing relevant requirements to reduce regulatory burden and minimise duplication with existing regulatory frameworks. The table below shows how Home Affairs will engage with industry on each element of the reforms.
| Element of legislation | Detailed outline of element | Further industry consultation through implementation phase |
|---|---|---|
| Critical Infrastructure Asset | Definitions of critical infrastructure assets are either: (a) set out entirely in the Bill; (b) identifiers set out in the Bill, with further specifics to be established through rules; or (c) privately declared by the Minister. | Where definitions rely on further specifics being established through rules, those rules will be made following commencement of the legislation, drawing on feedback from industry. Entities must be consulted before a private declaration of an asset is made. |
| Positive Security Obligations | The Bill sets out three obligations that may be switched on through rules for critical infrastructure assets: (1) report information to the Register (obligations continue as they currently exist in the Act); (2) report cyber security incidents (obligations set out entirely in the Bill); (3) maintain a Risk Management Program (high-level obligations in the Bill, supported by requirements in the rules). | Sector to be consulted prior to any of the obligations being switched on. Co-design of sector-specific rules and guidance to support the Risk Management Program to occur progressively from early 2021. Four-week consultation prior to rules being made. Guidance and advice to be provided on the Register and cyber incident reporting obligations. |
| Systems of National Significance | The Bill sets out the criteria for the declaration of a system of national significance: critical infrastructure assets that are of national significance, noting interdependencies across key sectors in the economy and the consequences should the asset be impacted. Privately declared by the Minister, subject to the legislative criteria being met and direct consultation with the entity. | Guidance to be developed and provided to entities declared to be a system of national significance. An entity may seek review of a declaration should circumstances change. |
| Enhanced Cyber Security Obligations | The Bill sets out four obligations that may be imposed on systems of national significance by written notice: (1) incident response plan; (2) cyber exercises; (3) vulnerability assessments; (4) access to system information. | Consultation required with the entity prior to issuing notices for any of these obligations. |
| Government Assistance | The Bill sets out how Government could provide assistance immediately prior to, during or following a significant cyber security incident to ensure the continued provision of essential services. This includes: (1) information gathering directions; (2) action directions; (3) intervention requests. | Further guidance to be provided to industry on how and when these powers may be used. Consultation with affected entities to occur prior to authorisations being made. |