
Engagement on critical infrastructure reforms

A strong and effective government-industry partnership is central to achieving the Australian Government’s vision for critical infrastructure security and resilience. Building on industry engagement during the development of amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), we have consulted widely with government and industry partners in developing asset definitions and risk management program rules. We aim to ensure that services vital to Australia’s security, economic prosperity and way of life are included. We also seek to reduce the regulatory burden on industry.

New obligations – Register of Critical Infrastructure Assets and mandatory cyber incident reporting

On 2 December 2021, the SOCI Act was amended to apply obligations to certain assets, including new assets defined in the SOCI Act and the Asset Definition Rules (more on the Asset Definition Rules below). Government assistance measures now apply to all critical infrastructure assets (Part 3A of the SOCI Act).

Additionally, the Minister is proposing to apply two positive security obligations:

  1. the provision of operational and ownership information to the Register of Critical Infrastructure Assets (Part 2 of the SOCI Act) for certain new assets (as below); and
  2. mandatory cyber incident reporting (Part 2B of the SOCI Act) for certain assets (as below).

Register of Critical Infrastructure Assets – operational and ownership information

The Minister for Home Affairs proposes to apply Register of Critical Infrastructure Assets obligations under Part 2 of the SOCI Act to the following critical asset classes:

  • broadcasting
  • domain name system
  • data storage or processing
  • a critical financial market infrastructure asset that is a payment system
  • food and grocery
  • hospital
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • electricity (that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments); and
  • gas (that were not within the scope of a critical infrastructure asset prior to the SLACI Act amendments).

The Minister for Home Affairs proposes to exempt:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

See the copy of the proposed legislative instrument and the draft explanatory statement.

A factsheet on the Register of Critical Infrastructure Assets is also available.

The Minister for Home Affairs invites persons to make a submission on this proposal. Should you wish to make a submission, the Minister invites you to do so by emailing ci.reforms@homeaffairs.gov.au no later than 1 February 2022. Note that your submission will remain confidential unless you specifically request it to be published.

Mandatory cyber incident reporting

The Minister for Home Affairs proposes to apply obligations under Part 2B of the SOCI Act to the following critical asset classes:

  • broadcasting
  • domain name system
  • data storage or processing
  • banking
  • superannuation
  • insurance
  • financial market infrastructure
  • food and grocery
  • hospital
  • education
  • freight infrastructure
  • freight services
  • public transport
  • liquid fuel
  • energy market operator
  • aviation, that is any of the following:
    • a designated airport
    • an Australian prescribed air service operating screened air services that depart from a designated airport, or
    • a regulated air cargo agent that is also a cargo terminal operator at a designated airport;
  • port
  • electricity
  • gas; and
  • water.

The Minister for Home Affairs proposes to exempt:

  • Invicta Sugar Mill, Giru, Queensland
  • Pioneer Sugar Mill, Brandon, Queensland
  • Racecourse Sugar Mill, Racecourse, Mackay, Queensland; and
  • South Johnstone Sugar Mill, South Johnstone, Queensland.

See the copy of the proposed legislative instrument and the draft explanatory statement.

A factsheet on the mandatory cyber incident reporting obligations is also available.

The Minister for Home Affairs invites persons to make a submission on this proposal. Should you wish to make a submission, the Minister for Home Affairs invites you to do so by emailing ci.reforms@homeaffairs.gov.au no later than 1 February 2022. Note that your submission will remain confidential unless you specifically request it to be published.

Critical infrastructure asset definition rules

On 23 April 2021, we released a policy paper, initiating extensive consultation with industry, Commonwealth, state and territory government partners, to draft definitions for the following 12 asset classes:

  • critical banking assets
  • critical broadcasting assets
  • critical domain name systems
  • critical electricity assets
  • critical financial market infrastructure assets
  • critical food and grocery assets
  • critical freight infrastructure assets
  • critical freight services assets
  • critical gas assets
  • critical insurance assets
  • critical liquid fuel assets
  • critical superannuation assets.

In response to feedback, we revised the proposed asset definitions and on 8 December 2021, following amendments to the SOCI Act, the Minister for Home Affairs made the Critical Infrastructure Asset Definition Rules. See the legislative instrument.

Risk management program rules

In March 2021, we conducted four town hall forums and seven workshops to develop risk management program rules. These sessions provided industry stakeholders, peak bodies, regulators, and state and territory government partners with an opportunity to shape the rules for the risk management program across all sectors. During this consultation period, we spoke to over 1,350 people.

The risk management program rules will work alongside the risk management program rules. This ensures that entities have robust risk minimisation, mitigation or elimination practices.

For a summary of the consultation process, see Co-design of Governance Rules – Critical Infrastructure Risk Management Program: Summary of consultation.

A new approach to the reforms

On 29 September 2021, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) released its report and supporting recommendations on the Security Legislation Amendment (Critical Infrastructure) Bill 2021.

The Committee recommended that the reforms be implemented in a two-step approach, with the first bill to be legislated in the shortest time possible.

The first bill focuses on cyber incident responses, either through reporting or in incident response.

The first bill:

  • extends the definition of critical infrastructure from 4 to 11 sectors
  • enables the extension of the existing reporting requirements in relation to the Register of Critical Infrastructure Assets to the new classes of critical infrastructure assets
  • enables the mandatory cyber incident reporting obligations for specified critical infrastructure entities to Commonwealth entities, including the Australian Signals Directorate’s Australian Cyber Security Centre
  • legislates government assistance measures by providing powers to respond to security incidents which seriously prejudice Australia’s prosperity, national security or defence.

The Security Legislation Amendment (Critical Infrastructure) 2021 Act amended the SOCI Act on 2 December 2021. Following this, the Minister for Home Affairs may introduce rules to define thresholds which can determine which additional entities are captured by the amended legislation.

The remaining elements of the reforms will be deferred for a second, separate bill. The second bill will focus on additional protective measures being introduced in the reforms to uplift the security and resilience of Australia’s critical infrastructure assets.

The second bill will:

  • introduce an additional Positive Security Obligation, the Risk Management Program, which will be applied to entities responsible for critical infrastructure.
  • introduce Enhanced Cyber Security Obligations, including vulnerability reporting, cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).

We note industry has previously raised concerns regarding the need for clarity on what will be expected of them in a risk management program. Based on this feedback, we have revised our approach to the risk management program and adopted a set of principle-based rules for all sectors.

We believe this new approach will reduce regulatory burden and provide industry with certainty and more flexibility to align their risk management program with existing standards and obligations.

Critical Infrastructure Town Hall (All Sectors)

The Cyber and Infrastructure Security Centre is holding several town halls to discuss exposure drafts of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 and the Transport Security Amendment (Critical Infrastructure) Bill 2022.

Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 town halls will be held on:

Transport Security Amendment (Critical Infrastructure) Bill 2022 town halls will be held on:

  • Town Hall 1: 2:00pm – 3:00pm (AEDT), Tuesday 18 January 2022.
  • Town Hall 2: 2:30pm – 3:30pm (AEDT), Thursday 20 January 2022.
  • Town Hall 3: 1:30pm – 2:30pm (AEDT), Tuesday 25 January 2022.

Resources and Useful Links

For fact sheets and further information about these changes, copies of relevant legislation, and other useful links and resources, visit the Cyber and Infrastructure Security Centre Resources and Help.

For further queries, contact CI.reforms@homeaffairs.gov.au.