In February 2022, the Australian Government observed that “The critical infrastructure threat environment is worsening, in part, due to an ever-increasing reliance on technology, and increasing interoperability and interdependency between Australia’s most critical assets.”[1] The regulatory landscape for critical infrastructure is shifting significantly to meet this threat. Evident risks range from natural hazards to foreign interference, cyber threats, espionage and rogue insiders. Amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are underway, designed to uplift the security and resilience of crucial assets and to protect national security, sovereignty and economic interests. But it is not only owners and operators of critical infrastructure who must keep abreast of the changing requirements — businesses within the supply chain for these assets may also be affected.
The Australian Government is applying its focus both horizontally, reaching into a wider range of industries, and vertically, throughout supply chains and networks that impact upon essential goods and services. This expanded legislative reach recognises that the compromise of one platform or function can have a domino effect, disrupting critical infrastructure elsewhere.[2] We can expect to see more and more governmental powers and business obligations rolled out and ‘switched on’ in 2022, as changes come into effect. But with many businesses struggling for clarity amongst the waves of reform, who, exactly, do these changes apply to?
Key amendments to the SOCI Act (as at 18 March 2022)
No.
|
Power / Obligation
|
SOCI Act
|
Assets
|
Sectors
|
Commencement Date
|
1.
|
Secrecy obligations and offence
|
Part 4, Div 3
|
Critical infrastructure assets (see SOCI Act definitions and Definition Rules)
+
Critical infrastructure sector assets (‘supply chain’ assets)
|
Each of the 11 critical infrastructure sectors (Energy, communications, data storage/processing, financial services/ markets, water/ sewerage, health care/medical, higher education/research, food/grocery, transport, space technology and defence industry)
+ supply chains
|
3 Dec 2021
|
2.
|
Government intervention powers
|
Part 3A
|
Critical infrastructure assets
+
Critical infrastructure sector assets
|
Each of the 11 critical infrastructure sectors
+ supply chains
|
3 Dec 2021
|
3.
|
Government powers to issue directions
|
Part 3
|
Critical infrastructure assets
|
Each of the 11 critical infrastructure sectors
|
3 Dec 2021
|
4.
|
Government powers to obtain information
|
Part 4, Div 2
|
Critical infrastructure assets
|
Each of the 11 critical infrastructure sectors
|
3 Dec 2021
|
5.
|
Register requirements
|
Part 2
|
Critical infrastructure assets that pre-date the SOCI Act reforms
|
Specific assets in the electricity, gas, water and maritime ports sectors
|
Ongoing
|
Other critical infrastructure assets, to the extent specified in rules or a Ministerial declaration
|
13 asset classes specified in the Application Rules in the communications, data storage/ processing, energy, financial services/markets, food/grocery, health care/medical, freight and public transport sectors
|
‘Switch on’ date (via commencement of the Application Rules: to be announced)
+ 6 month grace period
|
|||
6.
|
Mandatory notification of cyber security incidents
|
Part 2B
|
Critical infrastructure assets, to the extent specified in rules or a Ministerial declaration
|
20 asset classes specified in the Application Rules in the communications, data storage/ processing, energy, financial services/markets, food/grocery, health care/medical, higher education/research, transport and water/sewerage sectors
|
‘Switch on’ date (via commencement of the Application Rules: to be announced)
+ 3 month grace period
|
7.
|
Risk management program obligations
|
Part 2A
|
Critical infrastructure assets, to the extent specified in rules or a Ministerial declaration
|
10 asset classes proposed in the communications, data storage/processing, energy, financial services/markets, health care/medical and water/sewerage sectors
3 further specified asset classes in the food/grocery and freight sectors (on or after 1 January 2023)
|
SLACIP Bill currently before Parliament
|
8.
|
Enhanced cybersecurity obligations
|
Part 2C
|
Critical infrastructure assets, to the extent declared by the Minister to be a system of national significance
|
SLACIP Bill currently before Parliament
|
Which sectors are affected?
The SOCI Act previously only applied to specific entities in Australia’s electricity, gas, water and maritime port sectors. On 3 December 2021, a first major round of amendments to the SOCI Act took effect, implementing a new regulatory and reporting regime.
The scope of the SOCI Act was expanded to the following 11 sectors (subsuming the prior categories), denoting their significance to Australia’s social and economic well-being:
Which assets are affected?
Importantly, not all businesses or assets within the 11 critical sectors will be subject to the expanded SOCI Act regime. The regime, or parts of it, will apply if an asset is either a “critical infrastructure asset” or a “critical infrastructure sector asset”.
Which powers and obligations apply?
The application of the amended SOCI Act depends upon the asset, the obligation and the power in question. Not all provisions have yet been ‘switched on’ for all critical infrastructure assets, and some are still subject to refinement by rules. A second round of intended reforms to the SOCI Act was also introduced to Parliament on 10 February 2022. We canvass below the eight key features of the expanded and evolving regime, and who is (or will be) caught.[6]
Item 1. Secrecy obligations and offence
Strict non-disclosure obligations apply to any entities subject to the operation of the SOCI Act. This extends to owners and operators of primary critical infrastructure assets, as well as wider, or upstream, critical infrastructure sector assets. The rationale is to protect information that may reveal security vulnerabilities or intelligence operations, or which may be commercially sensitive. Restrictions apply on the use and disclosure of “protected information”, such as the existence of Government directions or information obtained or generated under the SOCI Act. Entities are permitted to use and disclose protected information to comply with the SOCI Act, or as otherwise authorised. Unauthorised use or disclosure is an offence under s.45 (punishable by 2 years imprisonment, 120 civil penalty points, or both). Exceptions to this ‘secrecy offence’ are set out in s.46, including use or disclosure with the express or implied consent of the entity to whom the protected information relates.
Item 2. Government intervention powers
Government intervention powers apply to both critical infrastructure assets and critical infrastructure sector assets. If an actual or imminent cyber security incident affects or is likely to affect a critical infrastructure asset’s availability, integrity, reliability or confidentiality, the Government may take action to respond to that cyberattack (SOCI Act, Part 3A). The Department for Home Affairs can:
These powers can be exercised not only in relation to the primary critical infrastructure asset in question, but in relation to any asset that “relates to” the relevant sector. Accordingly, entities in supply chains or wider networks for any of Australia’s 11 critical infrastructure sectors may be required to provide information, take or cease action, or face compulsory take-over of their internal data and IT systems.
While extraordinary in nature, these powers are designed to be used as a last resort measure. The powers are only triggered where there is material risk of serious prejudice to national social or economic stability, defence or security, or where the cyber incident relates to a declared national emergency. Various preconditions must be met, such as proportionality, technical feasibility, the absence of an existing regulatory system that could be used instead, and prior consultation (except where delay would frustrate the effectiveness of the action).
Item 3. Government powers to issue directions
These Governmental powers apply to critical infrastructure assets only. If the Minister for Home Affairs is satisfied that there is a risk prejudicial to security in connection with any such asset, the Minister may direct the reporting entity or operator to do or refrain from doing something within a specified period (SOCI Act, Part 3). This power is subject to a test of reasonable necessity, as well as requirements for prior negotiation and consultation, an adverse security assessment, and the absence of an existing regulatory system for the asset that could be used instead.
Item 4. Government powers to obtain information
These Governmental powers also only apply to critical infrastructure assets. A reporting entity or operator of a critical infrastructure asset may be compelled to produce information or documents relevant to functions, duties, powers or purposes under the SOCI Act (Part 4, Division 2). Information requested may include, for example, contracts, tenders, procurement plans and the names and citizenship of board members or interest holders.
Item 5. Register requirements
Reporting entities for specified critical infrastructure assets will have initial and ongoing obligations to provide operational, interest and control information, to be held on the Register of Critical Infrastructure Assets (SOCI Act, Part 2). The Register will not be made public. Currently, these obligations only apply to critical infrastructure assets from the electricity, gas, water and maritime port sectors that pre-dated the December 2021 reforms to the SOCI Act. They will be extended to (a) additional assets specified by rules, and (b) any assets subject to a Ministerial declaration to that effect. Draft Application Rules propose to apply the Register requirements to 13 particular asset classes within the communications, data storage/processing, energy, financial services/markets, food/grocery, health care/medical, freight and public transport sectors.[7]
Public consultation on the Application Rules recently closed, and their commencement date is yet to be announced. However, on 4 February 2022, the Cyber and Infrastructure Security Centre (CISC) indicated that the Minister is currently considering industry concerns regarding the ‘switch-on’ date of obligations through the commencement of these rules, particularly for sectors significantly affected by COVID-19.[8] A 6-month grace period for compliance is also set to apply once the rules are in force.[9] Additional rules may be made in the future, switching on the obligations for more asset classes.
Item 6. Mandatory notification of cyber security incidents
Responsible entities for specified critical infrastructure assets will be, in due course, subject to mandatory reporting of actual or imminent cyber security incidents to the ASD (SOCI Act, Part 2B). These obligations are additional to entities’ existing obligations under the Privacy Act 1988 (Cth) for mandatory data breach notification. Cyber security incidents having or likely to have a “significant impact” on the availability of the asset must be reported within 12 hours of a responsible entity becoming aware. A “significant impact” occurs where the incident materially disrupts the availability of an asset used in connection with essential goods or services. Cyber security incidents having or likely to have a “relevant impact” on the asset (i.e., an impact on its availability, integrity, reliability or confidentiality) must be reported within 72 hours.
These mandatory notification obligations will only apply to those critical infrastructure assets that are (a) specified by rules, or (b) subject to a Ministerial declaration to that effect. The Application Rules set out 20 specific asset classes proposed to date, spanning nine of Australia’s 11 critical sectors (excluding space technology and defence).[10] A 3-month grace period for compliance is set to apply.[11] Further rules extending the obligations to more asset classes may be made in the future.
Item 7. Risk management programs
On 10 February 2022, a second major round of reforms to the SOCI Act was introduced to Parliament as the SLACIP Bill.[12] If passed, the SLACIP Bill will impose considerable regulatory obligations on responsible entities for specified critical infrastructure assets.
If the obligations are ‘switched on’ for a critical infrastructure asset via rules or Ministerial declaration, the responsible entity would be required to adopt, maintain, comply with, review, update and report on a written risk management program. Currently, these obligations are proposed to apply to 10 specific asset classes within the communications, data storage/processing, energy, financial services/markets, health care/medical and water/sewerage sectors. A further three asset classes in the food/grocery and freight sectors are proposed to be granted a de facto grace period until 2023, in recognition of current supply chain impacts from COVID-19.[13]
Item 8. Enhanced cyber security obligations
Under the SLACIP Bill, enhanced cyber security obligations would be introduced for assets declared by the Minister to be “systems of national significance”. Obligations include incident response plans, cyber security exercises, vulnerability assessments and computer reporting obligations.
Other proposed amendments before Parliament
The SLACIP Bill seeks to amend definitions for various types of critical infrastructure assets in response to stakeholder feedback on the changes introduced in 2021. For example, while the current definition of a “critical education asset” in the SOCI Act covers the whole of a university, this term would be narrowed so that university assets bearing no relationship to sensitive or critical infrastructure research sectors are no longer covered.
The aviation and maritime transport sectors should also be aware of parallel reforms introduced to Parliament on 17 February 2022 to enhance cyber security and resilience, including the introduction of a mandatory cyber incident reporting regime.[14]
Observations
Although the possible penalties for non-compliance with the SOCI Act are serious, involving civil and even criminal sanctions, CISC’s focus for 2022 is on education and industry collaboration, as opposed to enforcement.[15]
Immunities are important in enabling compliance where the regulatory obligations may conflict with fiduciary, contractual or other duties. Entities and their officers, employees and agents are provided with civil immunities where they purport to comply in good faith with various provisions of the SOCI Act. The SLACIP Bill proposes to extend those immunities to related group companies and contracted service providers, and their respective officers, employees and agents.
The privilege against self-incrimination does not apply to Government information requests, but the SOCI Act places limits on the admissibility of supplied information in civil or criminal proceedings.
Entities should, as a matter of priority, determine whether and how the SOCI Act applies to their business, including careful consideration of sector and asset definitions and rules, and take steps in readiness to comply with the new and evolving regulatory regime. Suppliers and service providers to critical infrastructure should be alert to the potential impacts upon their business — including the possible exercise of Government powers in the event of a cyber security incident. Entities and individuals should tread carefully when disclosing or using information, given strict secrecy obligations. Some critical infrastructure customers may require increased reporting, assistance and information flow from their supply chains to facilitate compliance with their own obligations.
[1]Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) (SLACIP Bill), Attachment A [599].
[2]Revised Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Cth), p.2.
[3]SOCI Act s.9(1). See also s.5 and s.9(2) – s.12KA.
[4]Security of Critical Infrastructure (Definitions) Rules 2021 (Cth) (Definition Rules).
[5]SOCI Act s.8E(1).
[6]An overview of items 1 – 8 is shown in the above table.
[7]Exposure Draft, Security of Critical Infrastructure (Application) Rules 2021 (Cth) (Application Rules), r.4(1). Four sugar mill assets specified in r.3 are excluded.
[8]Cyber and Infrastructure Security Centre, Industry Town Hall: Protecting Critical Infrastructure and Systems of National Significance (4 February 2022) (CISC Town Hall).
[9]SOCI Act, s.18A(3) and Application Rules, r.4(2).
[10]Application Rules, r.5(1) and 2 (excluding four sugar mill assets specified in r.3).
[11]SOCI Act, s.30BB(3) and Application Rules, r.5(3).
[12]Exposure Draft Rules have also been released: Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2022 (Cth) (Attachment C to the Explanatory Memorandum to the SLACIP Bill).
[13]Explanatory Memorandum, SLACIP Bill, Attachment A [131] – [132].
[14]Transport Security Amendment (Critical Infrastructure) Bill 2022 (Cth), which proposes amendments to the Aviation Transport Security Act 2004 (Cth) and the Maritime Transport and Offshore Facilities Security Act 2003 (Cth).
[15]CISC Town Hall, per Lib Clarke (Assistant Secretary, Industry Partnerships).