What are systems of national significance?
Systems of national significance are a significantly smaller subset of critical infrastructure assets that are most crucial to the nation, by virtue of their interdependencies across sectors and potential for cascading consequences to other critical infrastructure assets and sectors if disrupted. Accordingly, Government has a strong interest and responsibility to understand the ability of entities responsible for systems of national significance to respond appropriately to, or mitigate the impact of, a cyber security incident.
How will systems of national significance be identified and declared?
Under the Security Legislation Amendment (Critical Infrastructure) Bill 2020, after first consulting with the entity, the Minister for Home Affairs may privately declare an asset to be a system of national significance. In doing so, the Minister must consider the asset’s interdependencies with other critical infrastructure assets and the consequences that would arise for Australia’s social or economic stability, defence, or national security if a hazard were to impact the asset. Within 30 days of the declaration, the Minister must notify the asset’s reporting entities. An entity will be able to seek a review of the declaration should there be material changes to the circumstances which led to its declaration.
What are the Enhanced Cyber Security Obligations?
Entities responsible for assets designated as systems of national significance may be subject to Enhanced Cyber Security Obligations. Entities will only be required to comply with one or more of the following obligations if they receive a written notice from the Secretary of Home Affairs.
Incident response plans
Incident response plans are designed to ensure an entity has established processes and tools to prepare for, and respond to, cyber security incidents. Incident response plans will provide assurance that entities are sufficiently prepared and know ‘what to do’ and ‘who to call’ in the event of a cyber security incident.
Cyber security exercises
Cyber security exercises test preparedness, mitigation and response capabilities. Exercises may be discussion or tabletop-based, operational or functional. They may test internal response capability, responsibilities for key staff, and coordination mechanisms. Following an exercise, entities will be required to prepare an evaluation report, which will provide the entity and Government with a greater understanding of the effectiveness of response plans and build its capability to respond to a real-life event.
Vulnerability assessments
Vulnerability assessments identify ‘gaps’ in systems that expose entities to particular types of cyber incidents. These assessments will help entities identify where further resources and capabilities are required to improve their preparedness for, and resilience to, cyber incidents. The assessment could include: a documentation-based review of a system’s design, a hands-on assessment, or automated scanning with software tools. Through this, entities can uncover vulnerabilities, supporting better preparedness for industry and Government.
Access to system information
The Secretary of Home Affairs may request system information in the form of a periodic report or in response to a specific event. System information is data generated about a system for the purposes of security, diagnostic monitoring or audit, such as network logs, system telemetry and event logs, alerts, netflow and other aggregate data or metadata that provide visibility of malicious activity occurring within the normal functioning of a computer network. This does not include personal information. Providing system information will support the Government’s ability to build a near-real-time threat picture, allowing it to share actionable, anonymised information back out not just to the entity itself, but to industry more broadly. As a result, this anonymised information will assist entities to improve their cyber resilience.