The Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) introduces a Positive Security Obligation (PSO) requiring entities to manage the security and resilience of their critical infrastructure assets. Building on existing obligations under the Security of Critical Infrastructure Act 2018 (SOCI), these reforms will embed preparation, prevention and mitigation activities into the business-as-usual operation of critical infrastructure assets.
The Rules will determine which elements of the PSO are ‘switched on’ for particular types of critical infrastructure assets. Elements can be switched on in isolation to allow for tailored requirements that recognise (not duplicate) existing arrangements.
What does the PSO include?
Register of Critical Infrastructure Assets
The existing Register of Critical Infrastructure Assets under Part 2 of SOCI currently requires reporting entities for critical assets in the electricity, gas, ports and water sectors to provide ownership and operational information. The Rules may ‘switch on’ these reporting obligations for critical assets across the 11 critical infrastructure sectors introduced through the Bill, giving Government greater visibility of who owns, controls and has access to critical infrastructure assets, including board structures.
Critical Infrastructure Risk Management Program
This element of the PSO will require entities to take an all-hazards approach (covering both natural and human-induced hazards) to identifying and mitigating material risks to the availability, integrity, reliability or confidentiality of the asset, or of information associated with the asset. If the obligation is ‘switched on’ for a critical asset, the responsible entity will be required to adopt, comply with, and keep up to date a Critical Infrastructure Risk Management Program.
The Bill sets out the overarching obligations for the Critical Infrastructure Risk Management Program, with detailed, sector-specific requirements to be contained in Rules, to be developed during the co-design phase. These Rules will provide clarity around expectations for the Critical Infrastructure Risk Management Program, with a focus on four key domains of physical, personnel, cyber and supply chain security.
Co-designing Rules with industry will ensure that the actions required under the Critical Infrastructure Risk Management Program are reasonable and proportionate, take into account sectoral risk profiles, and achieve security objectives with minimal regulatory burden or duplication.
Notification of cyber security incidents
The Rules may ‘switch on’ a requirement for the responsible entities for critical assets to report cyber security incidents to the Australian Cyber Security Centre. The reporting clock starts when the entity becomes aware of the incident; from that point the incident must be reported within:
12 hours, if the incident is having a significant impact on the availability of the asset; or
72 hours, if the incident is having a relevant impact on the availability, integrity, reliability or confidentiality of the asset.
These reports will help Government build an aggregated threat picture and a comprehensive understanding of cyber security risks to critical infrastructure, in a way that is mutually beneficial to Government and industry. This will better inform both proactive and reactive cyber incident response options, ranging from providing voluntary assistance to industry to building a culture of cyber security.
Consultation doesn’t end here. From early 2021 the Department of Home Affairs will work with industry and government to bring the reforms to life through a comprehensive consultation process. A key element of this will be co-design of the sector-specific requirements to underpin the Risk Management Program. These requirements will recognise (and not duplicate) existing approaches, be proportionate to sectoral risk profiles, and impose the least regulatory burden necessary. The Department of Home Affairs will provide updates to industry throughout the co-design phase and invites industry to get involved by contacting