Amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) have strengthened the security and resilience of critical infrastructure assets by introducing two Positive Security Obligations (PSOs) requiring entities to manage the security and resilience of their critical infrastructure assets.
The ‘on-switches’
The Rules will determine which elements of the PSO are ‘switched on’ for particular types of critical infrastructure assets. Elements can be switched on in isolation to allow for tailored requirements that recognise (not duplicate) existing arrangements.
What does the PSO include?
Register of Critical Infrastructure Assets
The Rules may ‘switch on’ a requirement for responsible entities for critical infrastructure assets to provide ownership and operational information to the Register of Critical Infrastructure Assets (the Register), which is managed by the Cyber and Infrastructure Security Centre. The Register enables the Government to identify who owns and controls critical infrastructure assets, board structures, ownership rights of interest holders, and operational, outsourcing and offshoring information. See more information about the Register of Critical Infrastructure Assets.
Notification of cyber security incidents
The Rules may ‘switch on’ a requirement for responsible entities for critical infrastructure assets to report cyber security incidents to the Australian Cyber Security Centre (ACSC). Once an entity becomes aware of a cyber security incident, it must report the incident within:
- 12 hours if the incident is having a significant impact on the availability of the asset. If the initial report is made verbally, a written report must follow within 84 hours of verbally notifying the ACSC; or
- 72 hours if the incident is having a relevant impact on the availability, integrity, reliability or confidentiality of the asset. If the initial report is made verbally, a written report must follow within 48 hours of verbally notifying the ACSC.
These reports will help Government develop an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure in a way that is mutually beneficial to Government and industry. This will better inform both proactive and reactive cyber incident response options, ranging from providing voluntary assistance to industry, to building a culture of cyber security.
See more information about mandatory cyber security incident reporting.
Next steps
The Minister is currently consulting on the proposal to ‘switch on’ the PSO for certain critical infrastructure assets, including expanding the requirement to provide and keep up-to-date owner and operator information on the Register of Critical Infrastructure Assets and mandatory cyber security incident reporting.
Feedback is welcome by 1 February 2022. See our website for information about which assets the PSO may be ‘switched on’ for and how to provide feedback.