As we have previously commented, the reform of the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) over the past year has been a complicated process for critical infrastructure owners, operators, suppliers and other stakeholders. The changes introduced at the end of 2021 expanded the scope of the legislation both horizontally, to include 11 sectors such as food/grocery, higher education, communications and data storage/processing, and vertically, up into supply chains and supporting networks to address potential security vulnerabilities. Yet, even as Australia reformed the SOCI Act, the threat ecosystem has only worsened with heightened geopolitical tensions.[1] Australian businesses have been urged to adopt an enhanced cyber security posture as a matter of priority.[2] While evident risks to Australia’s critical infrastructure are broader than cyber threats alone, cyber resilience has been a key focus of the reforms to the SOCI Act to date. As observed by Prime Minister Albanese, cyber security is integral to “[b]uilding and maintaining a strong economy, resilient supply chains and the skills, technology, infrastructure and industries” or, in other words, to Australia’s national security and critical infrastructure.[3]
Separate to both the SOCI Act regime, and the discrete legislative measures foreshadowed by the Federal Government in the wake of last week’s cyber-attack on Optus, the Shadow Minister for Home Affairs has today introduced to Parliament a bill intended to modernise criminal offences and combat the increasing trends of data theft, cyber extortion and ransomware.[4] This would include an aggravated offence for persons who target critical infrastructure assets, carrying a maximum penalty of 25 years’ imprisonment.
Mandatory notification of cyber security incidents now in effect
As of 8 July 2022, responsible entities for 21 defined asset classes, across each of Australia’s 11 critical sectors (other than space and defence), are subject to mandatory reporting of cyber security incidents. ‘Responsible entities’ are defined to include entities such as owners, operators, licence-holders or other prescribed entities with responsibility for the asset class in question. Notifications must be made within 12 or 72 hours, depending on the type of incident. Both actual and imminent incidents must be reported to the Australian Signals Directorate, where they have a “significant” or “relevant” impact on the availability of the critical infrastructure asset in question. Although many such incidents were already the subject of voluntary reporting, the mandatory reporting regime is focussed on ensuring Government visibility over the extent and impact of cyber activity on the nation’s critical infrastructure: “The information collected will enhance the Australian Government’s ability to develop strategies to identify and respond to security risks for assets which, if disrupted, would significantly impact Australia”.[5]
Reports must be made within 12 hours of a responsible entity becoming aware of a cyber security incident that has, or is likely to have, a “significant impact” on the availability of the critical infrastructure asset. The asset need not be totally impaired in order for this reporting obligation to be triggered. A “significant impact” occurs where the incident materially disrupts the availability of an asset used in connection with essential goods or services – for example, incidents that:
Reports must be made within 72 hours of a responsible entity becoming aware of a cyber security incident that has a “relevant impact”, which is defined as a direct or indirect impact of the hazard on the asset’s availability, integrity or reliability, or on the confidentiality of information about or stored in the asset, or computer data. For example, where an incident:
Reports may be made via the Australian Cyber Security Centre (ACSC) at www.cyber.gov.au. Urgent verbal reports may be made by calling 1300Cyber1 (1300 292 371), but must be followed by written reports via the ACSC’s website shortly thereafter (within 84 hours of verbal notification for an incident with a “significant impact” and within 48 hours of verbal notification for an incident with a “relevant impact”).[6]
Importantly, incidents such as scam calls/emails, telephone denial of service attacks and physical hazards do not fall within the scope of this mandatory reporting regime. The Cyber and Infrastructure Security Centre (CISC) has provided sector-specific guidance, including examples of cyber incidents that will trigger the 12-hour and 72-hour reporting windows.[7]
In addition to any mandatory reporting requirements under the SOCI Act, entities must also consider any other applicable mandatory notification regimes, or requirements to liaise with sector-specific regulators. For example:
Compliance with Register requirements by 8 October 2022
By 8 October 2022, information relating to 13 defined classes of critical infrastructure assets must be provided to the Secretary of the Department of Home Affairs. The prescribed asset classes are critical broadcasting, domain name, data storage/processing, financial market infrastructure (payment systems), food/grocery, hospital, freight infrastructure and services, public transport, liquid fuel, energy market operator, electricity and gas assets (as defined).[8]
This information will be maintained on the Register of Critical Infrastructure Assets, which is not made public. Responsible entities for such assets must provide operational information (including, for example, the asset’s location, details regarding the responsible entity and its CEO, and how data is maintained). Direct interest holders for such assets must provide interest and control information (including, for example, information about their residence and country of incorporation or citizenship, the influence and control held by them and by any higher entity, and the ability of persons appointed by them to directly access networks or systems to operate or control the asset).
These reporting entities will be subject to an ongoing obligation to ensure that the information as maintained on the Register is correct and current. If the Register reporting obligations are ‘switched on’ for further asset classes, reporting entities for those assets will have a grace period of 6 months to comply.[9] The purpose of the Register is to assist the Government to understand ownership and operational arrangements as well as interdependencies between critical infrastructure assets, and to identify and manage risks which could cause significant harm to Australia.[10]
Risk management program still to be ‘switched on’
While the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP Act), which came into effect on 2 April 2022, introduced into the SOCI Act the legislative framework for risk management program obligations, those obligations are yet to be ‘switched on’ for any classes of assets. That will occur through the commencement of rules.
The Minister for Home Affairs is considering the draft Risk Management Program Rules as released by the previous Government on 26 November 2021. Public consultation for at least 28 days is required on the rules as formally proposed, before risk management program obligations are then ‘switched on’ by such rules for prescribed classes of critical infrastructure assets.[11] Currently, these obligations are proposed to initially apply to 11 classes of assets: critical broadcasting, domain name system, data storage/processing, hospital, energy market operator, water, electricity, gas, liquid fuel and financial market (payment system operator) assets and specified critical defence industry assets.[12]
This aspect of the SOCI Act regime is intended to “uplift core security practices” by requiring responsible entities to adopt, maintain, review, update, report on and comply with a written risk management program.[13] The focus of the program is on identification, minimisation and/or elimination of hazards that pose a material risk to critical infrastructure assets – ranging from physical risks such as pandemics and natural disasters, to key personnel risks, supply chain hazards, sabotage, terrorism, infiltration and cyber attacks. In mitigating cyber and information security threats, the draft Rules suggest that affected businesses may be required to have in place a risk management program that complies with a standard or framework equivalent to:
Enhanced cyber security obligations for systems of national significance
The SLACIP Act also introduced enhanced cyber security obligations for assets declared by the Minister for Home Affairs to be “systems of national significance” (SoNS).[14] SoNS are a small subset of key critical infrastructure assets recognised by the Minister as being integral to Australia’s economy, society, defence or national security “by virtue of their interdependencies across sectors and potential for cascading consequences to other critical infrastructure assets and sectors if disrupted”.[15] Before declaring any critical infrastructure assets to be SoNS, the Minister must first notify the responsible entity of the proposed declaration and undertake a mandatory consultation period.
If an asset is declared a SoNS, its responsible entity may be subject to enhanced obligations, such as incident response plans, cyber security exercises, vulnerability assessments or provision of system information to the Australian Signals Directorate. The Secretary of the Department of Home Affairs will consider which of these obligations are appropriate for each SoNS, depending on its specific role and function.
Government intervention powers and stakeholders’ secrecy obligations
As summarised in our previous article on the first round of reforms to the SOCI Act, responsible entities, direct interest holders and operators of critical infrastructure assets[16] and upstream supply chain assets (critical infrastructure sector assets)[17] are now subject to enhanced Government intervention powers and secrecy obligations.
Entities and individuals (including those who own or operate either critical infrastructure assets or sector assets) should take particular care before using or disclosing any documents or information obtained or generated under the SOCI Act, as it may well be “protected information” and subject to strict secrecy obligations. Criminal offence and penalty provisions apply in the event of unauthorised use or disclosure.
Observations
The resilience and security of Australia’s critical infrastructure will continue to be a focus of the Albanese Government, as signalled by the establishment of Australia’s first Cyber Security Portfolio in May 2022. The Minister for Cyber Security (who is also Minister for Home Affairs) has instructed her department to create a new national cyber security strategy, announcing that it would be “grounded in sovereign capability, with a plan for the future workforce and growth of the cyber security sector, including Australian cyber SMEs”.[18]
CISC has foreshadowed that it will work with industry to ensure that entities understand their new obligations for cyber incident reporting and updating the Register. The Centre has indicated that for the first twelve months it intends to focus on education, rather than enforcement, where there is a genuine attempt at compliance. For example, during this initial education phase, CISC does not intend to take enforcement action where an entity erroneously identifies a cyber incident as having a “relevant impact” and reports it within 72 hours, where in fact it was a critical incident which was reportable within 12 hours.[19]
Affected entities should, as a priority, ensure that they are aware of their enlivened cyber incident reporting obligations and are in a position to provide required Register information by 8 October 2022.
Stakeholders should also consider the draft Risk Management Program Rules, any revisions that are released and the risk management program fact sheet circulated by CISC. Although it is likely that a grace period for compliance will apply, entities would be well-served to consider, in advance, what steps and timeframes would be required to uplift their risk-based plans, by reference to the criteria and standards cited in the draft Rules.
Key amendments to the SOCI Act (as at 26 September 2022)
| No. | Power / Obligation | SOCI Act | Assets | Sectors | Commencement Date |
| --- | --- | --- | --- | --- | --- |
| 1. | Secrecy obligations and offence | Part 4, Div 3 | Critical infrastructure assets (see SOCI Act definitions and Definition Rules) + critical infrastructure sector assets (‘supply chain’ assets) | Each of the 11 critical infrastructure sectors (energy, communications, data storage/processing, financial services/markets, water/sewerage, health care/medical, higher education/research, food/grocery, transport, space technology and defence industry) + supply chains | 3 Dec 2021 |
| 2. | Government powers to intervene | Part 3A | Critical infrastructure assets + critical infrastructure sector assets | Each of the 11 critical infrastructure sectors + supply chains | 3 Dec 2021 |
| 3. | Government powers to issue directions and to obtain information | Part 3; Part 4, Div 2 | Critical infrastructure assets | Each of the 11 critical infrastructure sectors | 3 Dec 2021 |
| 4. | Mandatory notification of cyber security incidents | Part 2B | Critical infrastructure assets, to the extent specified in rules or a Ministerial declaration | 21 asset classes specified in the Application Rules in the communications, data storage/processing, energy, financial services/markets, food/grocery, health care/medical, higher education/research, transport and water/sewerage sectors | 8 Jul 2022 |
| 5. | Register requirements | Part 2 | Critical infrastructure assets that pre-date the SOCI Act reforms | Specific assets in the electricity, gas, water and maritime ports sectors | Ongoing |
| | | | Other critical infrastructure assets, to the extent specified in rules or a Ministerial declaration | 13 asset classes specified in the Application Rules in the communications, data storage/processing, energy, financial services/markets, food/grocery, health care/medical, freight and public transport sectors | Commenced 8 Apr 2022, with grace period for compliance ending 8 Oct 2022 |
| 6. | Risk management program obligations | Part 2A | Critical infrastructure assets, to the extent specified in rules or a Ministerial declaration | 11 asset classes proposed in the communications, data storage/processing, energy, financial services/markets, health care/medical, water/sewerage and defence industry sectors in the first instance | ‘Switch on’ date to be announced (via commencement of the Risk Management Program Rules or Ministerial declaration) + likely grace period of 6-18 months |
| 7. | Enhanced cyber security obligations | Parts 2C and 6A | Critical infrastructure assets, to the extent declared by the Minister to be a system of national significance | | ‘Switch on’ date for each affected asset to be confirmed by Ministerial declaration, preceded by mandatory consultation period |
[1] Australian Cyber Security Centre (ACSC), ‘Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure’ (Joint Advisory AA22-110A, 17 May 2022); ACSC, ‘Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations’ (Joint Advisory AA22-257A, 14 September 2022).
[2] ACSC, ‘Australian organisations should urgently adopt an enhanced cyber security posture’ (Advisory 2022-02, Version 11 as updated on 28 April 2022).
[3] The Hon. Anthony Albanese, ‘An address by Opposition Leader Anthony Albanese’ (Speech delivered at the Lowy Institute, Sydney, on 10 March 2022).
[4] Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (Cth), introduced as a private member’s bill on 26 September 2022.
[5] Cyber and Infrastructure Security Centre (CISC), Industry Awareness Session: Protecting Critical Infrastructure and Systems of National Significance (7 July 2022).
[6] Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), ss 30BC(3) and 30BD(3); Cyber and Infrastructure Security Centre (CISC), Fact Sheet – Cyber Security Incident Reporting (July 2022).
[7] CISC, Guide – Mandatory Cyber Incident Reporting: Initial guidance for Critical Infrastructure Sectors.
[8] SOCI Act, s 18A(1)(a) and Security of Critical Infrastructure (Application) Rules 2022 (Application Rules), r 4(1).
[9] SOCI Act, s 18A(3); Application Rules, r 4(3).
[10] CISC, Fact Sheet – Register of Critical Infrastructure Assets Guidance (September 2022).
[11] SOCI Act, s 30ABA(3).
[12] CISC, Fact Sheet – Risk Management Program (August 2022).
[13] Ibid.
[14] The SLACIP Act also (among other things) amended the definitions of certain classes of critical infrastructure assets and extended civil immunities to related group companies and contracted service providers.
[15] CISC, Fact Sheet – The Enhanced Cyber Security Obligations Framework (May 2022).
[16] An asset is a “critical infrastructure asset” if it (a) falls within one of 22 asset classes specified in the SOCI Act; (b) is subject to a Ministerial declaration; or (c) is prescribed by the Security of Critical Infrastructure (Definitions) Rules 2021 (Cth) (Definition Rules).
[17] An asset is a “critical infrastructure sector asset” if it “relates to” one or more of Australia’s 11 critical infrastructure sectors. This broad concept is intended to capture supply chains for critical infrastructure or other interdependent parts of the ecosystem.
[18] Geoff Chambers, ‘Labor wipes slate clean in overhaul of Scott Morrison’s cyber security strategy’, The Australian (18 August 2022).
[19] CISC, Guide – Mandatory Cyber Incident Reporting: Initial guidance for Critical Infrastructure Sectors; CISC, Industry Awareness Session: Protecting Critical Infrastructure and Systems of National Significance (7 July 2022).