The reforms include expanded obligations to provide operational and ownership information about their assets to the Secretary of Home Affairs for inclusion on a non-public register of critical infrastructure and new obligations for organisations to:
The obligations are being implemented across two amending acts (the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (First Amending Act) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (Second Amending Act)). With both amending acts having now commenced, affected organisations will be required to comply with obligations in the coming months – starting with cyber security incident reporting obligations which organisations must be compliant with by 8 July 2022.
The First Amending Act expands the application of the SOCI Act to 11 "critical infrastructure sectors":
Those who own and control "critical infrastructure assets" within these broadly defined critical infrastructure sectors will become subject to both the new and existing obligations under the SOCI Act when they are "switched on" via Ministerial Rules.
The definition of “critical infrastructure assets” has been significantly broadened by the amendments. For example, the SOCI Act now applies to “critical data storage or processing assets” which include any data storage or processing asset used wholly or primarily to provide services to Government bodies or an entity that is responsible for other critical infrastructure assets (provided the operator of the data storage or processing asset is aware that the storage or processing service relates to business critical data).
Status of SOCI obligations
What are “critical infrastructure sectors” and “critical infrastructure assets”?
The broad definitions of “critical infrastructure sectors” and “critical infrastructure assets” are likely to encompass suppliers and assets which would not ordinarily be expected to fall within the scope of the SOCI Act. For example, the definition of a “critical data storage or processing asset” includes any data storage or processing asset used wholly or primarily to provide services to a Commonwealth, State or Territory Government entity. This may result in assets such as data centres used to process non-sensitive information on behalf of Government entities being considered a “critical infrastructure asset”. Further, the amendments refer to a data storage device as being “a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer” [emphasis added]. As such, it is possible that a particular server or instance of a data storage or processing facility may be considered a “critical infrastructure asset” (for example, in a situation where services are provided to a Government customer using a private cloud hosted on a dedicated server).
The SOCI Act defines the critical infrastructure assets for each of the critical infrastructure sectors and who is deemed the "reporting entity" for each such asset. Reporting entities are either the "responsible entity" for the asset or a "direct interest holder" in relation to the asset, both of which are defined in further detail in the SOCI Act.
Register of critical infrastructure assets
The Secretary must keep a non-public register of critical infrastructure assets under section 19 of the SOCI Act.
Reporting entities for a particular critical infrastructure asset must provide to the Secretary:
- if they are the responsible entity for the asset, “operational information” including information regarding the location of, and area serviced by, the asset, descriptions of the arrangements under which the operator operates the asset and under which certain data relating to the asset is maintained, together with details of the responsibility entity; and
- if they are a direct interest holder in relation to the asset, interest and control information in relation to the entity and the asset.
Reporting entities also have an ongoing obligation to notify the Secretary of any changes to the information on the Register.
These obligations were switched on by the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 on 8 April 2022 for the following assets:
- critical broadcasting assets
- critical hospitals
- critical liquid fuel assets
- critical domain name systems
- critical freight infrastructure assets
- critical energy market operator assets
- critical data storage or processing assets
- critical freight services assets
- critical electricity assets
- critical financial market infrastructure assets that are payment systems
- critical public transport assets
- critical gas assets
- critical food and grocery assets
However, the Application Rules allow for a grace period, so reporting entities for these assets have until 8 October 2022 to comply with their reporting obligations under the SOCI Act.
Notification of cyber security incidents
The First Amending Act introduces new obligations regarding the notification of "cyber security incidents" that have an impact on critical infrastructure assets. As with the existing obligations under the SOCI Act, these obligations apply when they are "switched on" via Ministerial Rules.
A cyber security incident involves any of the following:
- unauthorised access to, or modification of, computer data or a computer program;
- unauthorised impairment of electronic communication to or from a computer; or
- unauthorised impairment of the availability, reliability, security or operation of a computer, computer data, or a computer program.
Responsible entities for critical infrastructure assets have an obligation to notify the relevant Commonwealth body if it becomes aware of a cyber security incident:
- within 12 hours, if the cyber security incident has had, or is having, a significant impact on the availability of the asset; or
- within 72 hours, if the cyber security incident has had, or is likely to have, a relevant impact on the asset.
A "significant impact" is defined by reference to circumstances where the cyber security incident materially disrupts the availability of essential goods or services. A "relevant impact" includes any other impact on the availability, integrity, reliability, or confidentiality of the critical infrastructure asset.
As with the reporting obligations, the Application Rules have now switched on these obligations for the following assets:
- critical broadcasting assets
- critical food and grocery assets
- critical energy market operator assets
- critical domain name systems
- critical hospitals
- critical aviation assets
- critical data storage or processing assets
- critical education assets
- critical ports
- critical banking assets
- critical freight infrastructure assets
- critical electricity assets
- critical superannuation assets
- critical freight services assets
- critical gas assets
- critical insurance assets
- critical public transport assets
- critical water assets
- critical financial market infrastructure assets
- critical liquid fuel assets
The grace period for these assets will end on 8 July 2022. Responsible entities for each of these assets should ensure they are fully aware of their notification obligations before this date.
Responding to serious cyber security incidents
The First Amending Act also gives the Minister for Home Affairs various powers to respond to serious cyber security incidents.
Where a cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset, the Minister may authorise the Secretary to give:
- information-gathering directions to determine whether another power under the SOCI Act should be exercised;
- a direction to a responsible entity to do, or refrain from doing, a specified act or thing; or
- an intervention request that Australian Signals Directorate (ASD) do one or more specified acts (eg. provide support in responding to the incident).
To exercise this power, the Minister must be satisfied that there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice Australia's defence, national security, or social or economic stability.
Critical infrastructure risk management programs
The Second Amending Act, which commenced on 2 April 2022, introduces new obligations on responsible entities for critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (RMP).
The purpose of an RMP is to:
- identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset; and
- so far as it is reasonably practicable to do so:
- minimise or eliminate any material risk of such a hazard occurring; and
- mitigate the relevant impact of such a hazard on the asset.
While these obligations are yet to be switched on by Ministerial Rules, a draft set of rules has been circulated since November 2021. Organisations should therefore act now to ensure they have an RMP that complies with the SOCI Act and draft rules.
Enhanced cyber security obligations
The Second Amending Act also introduces enhanced cyber security obligations for "systems of national significance". The Minister may declare that a particular critical infrastructure asset is a system of national significance. The Minister is required to consult with the responsible entity before making such a declaration.
Responsible entities for systems of national significance are subject to enhanced cyber security obligations, which include:
- to plan incident response ;
- to undertake cyber security exercises;
- to undertake vulnerability assessments; and
- if a computer is, or is needed to operate, a system of national significance:
- to give ASD periodic reports of system information;
- to give ASD even-based reports of system information; or
- to install software that transmits system information to ASD.