Understanding your supply chain has never been more important.
Under the recently enacted Security of Critical Infrastructure Act, entities that own, operate or have an interest in a critical infrastructure asset[1] have until 11 January 2019 to report relevant information to the Critical Infrastructure Centre, or risk non-compliance and civil penalties under the Act.
The Security of Critical Infrastructure Act: Background and recent developments
Concerns around cybersecurity and national security have led to a range of regulatory activity to protect critical assets. The Security of Critical Infrastructure Act was enacted to address foreign involvement in Australia's critical infrastructure assets (CIAs), and the potential risk of exposing these assets to espionage, sabotage, control or access by foreign actors.
It follows the enactment last year of the telecommunications sector security reforms. Among other things, carriers and carriage service providers now must do their best to protect their networks/facilities from unauthorised access and/or interference, and carriers and certain carriage service providers must notify the Attorney-General's Department of planned changes to systems/services that are likely to make these networks/facilities vulnerable to such unauthorised access and/or interference.
Under the Act, "reporting entities", categorised under the Act as either "responsible entities" or "direct interest holders", need to report certain information to the Critical Infrastructure Centre (CIC). This information is kept securely on a Register maintained by the CIC. The CIC conducts a security assessment of this information to identify possible vulnerabilities and risks to Australian national security, and if any are identified, work with the owners/operators of the CIA to find a solution. There are also ongoing obligations of disclosure where this information changes. Under the Act the Minister is also given "last resort" powers to issue directions to reporting entities to do/not do something where reasonably necessary to reduce/eliminate risks, in circumstances where other avenues to address these risks are not available. In addition to the critical assets captured by the Act, the Minister may declare an asset to be a CIA. Other assets can also be prescribed under the Security of Critical Infrastructure Rules, for instance the Tasmanian Gas Pipeline.
While the CIC does not displace the role of the Foreign Investment Review Board or change Australia's foreign investment laws, it does complement FIRB's role in assessing foreign investment in CIAs. This was clear in the CIC's recent scrutiny on national security grounds of the proposed takeover of Australian gas pipeline and infrastructure company, APA Group, by Hong Kong's CK Group. The $13 billion bid was blocked on 6 November, with Treasurer Josh Frydenberg stating that it would lead to an "undue concentration of foreign ownership by a single company group in our most significant gas transmission business".
However, the CIC's role is not limited to assessing incoming foreign investment/involvement in CIAs, but also applies to existing contractual and operational arrangements already in place.
As such, current owners, operators, and those exercising influence or control over CIA entities should take steps now before the reporting deadline to review their current contractual arrangements to determine whether any give rise to reporting obligations under the Act.
Outsourcing and offshoring - the importance of clear supply chain visibility
Supply chain visibility has become a key component of cyber security risk management. It is particularly important for critical infrastructure assets.
The explanatory memorandum for the Security of Critical Infrastructure Bill identified obtaining supply chain visibility and an understanding of current outsourcing arrangements involving CIAs as key:
"The national security risks to critical infrastructure are complex and have continued to evolve over recent years. Rapid technological change has resulted in critical infrastructure assets having increased cyber connectivity, and greater participation in, and reliance on, global supply chains with many services being outsourced and offshored."
Importantly the explanatory memorandum explicitly identifies the "outsourcing or offshoring of industrial control systems and security or corporate systems" as being of "particular interest", alongside obtaining visibility around outsourced data arrangements given the "critical importance" of data security in the national security context.
This focus on existing outsourcing/offshoring arrangements is reflected in the Act's treatment of "operational information". "Responsible entities", for instance a company that holds a licence to operate a critical electricity asset, need to report "operational information" to the CIC - and that covers a wide range of material, including a description of the operating arrangements of each "operator" involved with the asset. For assets other than critical ports, an operator is essentially any person that is authorised to exercise a level of operational control over all or part the asset on a daily basis, or is able to influence that control at various times. The overall goal is to give the Australian Government, and indeed the relevant entity, a clearer idea about who controls or influences the operation of CIAs.
Consider for example a company licensed to operate a critical water utility, WaterCo, within which a New Zealand company operates a water treatment facility WaterTreat. WaterCo is the responsible entity, because it holds the licence, and WaterTreat is an "operator", because it is authorised to operate a part of the critical asset. Under the Act, details such as WaterTreat's name, its ABN, address of its head office, country of incorporation, and description of the operational arrangements it works under must be provided to the CIC for entry on the Register.
In a data context, the Rules prescribe what is required for a description of arrangements under which data is maintained. This would include information such as the entity's name, head office and country of incorporation, and the address at which the data is held. For data held using a cloud service, the required information would be the name of the cloud service, and the type/kind of data that is maintained (for example, this may include personal information, where this relates to at least 20,000 people; sensitive information; and/or research and development information in relation to the asset).
While the definition of "operators" appears to be fairly broad, it seems it's actually limited to entities that have a clear link to the operational activities of the CIA. This would likely not include persons such as cleaners or pure maintenance companies.
In recognition of the commercially sensitive or confidential nature of the information reporting entities may be obliged to provide, the information in the Register is classified as "protected information", the unauthorised disclosure of which may result in penalties, including two years' imprisonment or 120 penalty units ($25,200), or both.
What you should do next to comply with the Security of Critical Infrastructure Act
If you are a responsible entity of a CIA, you should review your existing contractual arrangements and supply chains to determine if there is any information that you need to report to the CIC. Going forward, when entering into contracts with operators you should ensure that you have a clear vision of their organisational structure and supply chain, as well as the presence and/or nature of any foreign involvement or influence.
More broadly, affected entities should also consider any obligations they and/or their "associates" may have as "direct interest holder" to report "interest and control information".
The penalty for non-compliance with initial reporting obligations by the end of the grace period on 11 January 2019 is 50 penalty units, which currently is $10,500.
Now is a good time to double-check existing arrangements to make sure that when time runs out, you're not caught out.
[1] Section 9(1) of the Act provides that "an asset is a critical infrastructure asset if it is: (a) a critical electricity asset; or (b) a critical port; or (c) a critical water asset; or (d) a critical gas asset; or (e) an asset declared under section 51 to be a critical infrastructure asset; or (f) an asset prescribed by the rules for the purposes of this paragraph." Back to article