Protecting Critical Infrastructure
The Security Legislation Amendment (Critical Infrastructure) Act 2021 amended the Security of Critical Infrastructure Act 2018 (SOCI Act) on 2 December 2021.
All Australians rely on critical infrastructure to deliver essential services that are crucial to our economic prosperity and our way of life, such as electricity, communications, transport and banking.
Critical infrastructure is increasingly interconnected and interdependent. Connectivity without proper safeguards creates significant vulnerabilities. Interconnectedness means that compromise of one critical infrastructure asset can have a domino effect that degrades or disrupts others and results in cascading consequences across Australia’s economy and national security.
Threats across the range of hazards, from natural threats (including meteorological or climate hazards) to human induced threats (including unlawful interference, cyber incidents, espionage, chemical or oil spills, and trusted insiders), all have the potential to significantly disrupt critical infrastructure.
As the majority of Australia’s critical infrastructure is owned and operated by private industry or state and territory governments, it is vital that our approach to ensuring the resilience of Australia’s critical infrastructure is clear, effective, consistent and proportionate.
Coverage of the reforms
The SOCI Act has been amended, expanding coverage from specific entities across four sectors to specific entities across eleven sectors, including: communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.
Underpinned by an enhanced partnership with industry, predominantly through a reinvigorated Trusted Information Sharing Network, new obligations under the amended SOCI Act are introducing:
Positive Security Obligation, extending the provision of information for the Register of Critical Infrastructure Assets for entities not previously captured by the SOCI Act and mandatory cyber incident reporting, both of which can only be activated for a sector following consultation with affected entities
Government Assistance to assist industry, where necessary, to respond to cyber attacks on critical infrastructure in a cyber emergency.
Not all elements will apply to all entities:
Application of the reforms
| |Entities within Critical Infrastructure Sectors|Critical Infrastructure Assets|Systems of national significance|
|---|---|---|---|
|Positive Security Obligations*|No|Yes|Yes|
*The obligations under the Positive Security Obligations will need to be 'switched on' (through the making of a rule) for assets, meaning that there will be no regulatory burden experienced by industry under the Positive Security Obligations until defined within the Application Rules.
Benefits of the reforms
The Department of Home Affairs is working in partnership with critical infrastructure operators to develop requirements that strike a balance between uplifting security and ensuring businesses remain viable and their services remain sustainable, accessible and affordable. An uplift in security and resilience across critical infrastructure sectors will mean that all businesses benefit from strengthened protections to the networks, systems and services they rely on.
What consultation was undertaken on the reforms?
The Department of Home Affairs has been engaging industry on these reforms since August 2020, starting with engagement in August/September 2020 on a Consultation Paper and, in November 2020, a public consultation process on an exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill), which was subsequently introduced into Parliament in December 2020.
The Parliamentary Joint Committee for Intelligence and Security (PJCIS) reviewed the Bill, received 75 public submissions in 2020, and conducted public hearings in mid-2021.
On 29 September 2021, PJCIS handed down its report on the Bill, making 14 recommendations, including splitting the Bill into two. The first Bill, Security Legislation Amendment (Critical Infrastructure) 2021, covers the expansion of critical infrastructure sectors to 11, introduces government assistance, extends the requirement to provide and keep up-to-date owner and operator information on the Register of Critical Infrastructure Assets to the new asset classes, and introduces mandatory cyber incident reporting obligations.
The 2021 Bill passed the Senate in November 2021 and received Royal Assent on 2 December 2021.
Consultation so far has revealed broad support for the uplift to the security and resilience of critical infrastructure and the need to enhance Government’s relationship with industry.
To ensure the successful implementation of the reforms, the Department of Home Affairs will work with industry, peak bodies, existing regulators, state and territory governments, and critical infrastructure entities to bring the reforms to life.