In recent months, the Australian government has promoted the Security Legislation Amendment Bill 2020. This legislation provides guidelines to protect the Critical Infrastructure assets of Australia. This is crucial, as the sectors defined as Critical Infrastructure (CI) include Electricity, Communications, Transport and Banking.
In the previous Security of Critical Infrastructure Act 2018, the legislation covered the areas of Electricity, Water, Gas and Ports. However, with this new reform the term Critical Infrastructure has been expanded to include Communication Services, Financial Markets, Data Storage or Processing, Defence, Higher Education and Research, Energy, Food and Grocery, Health Care and Medical, Water and Sewerage, Space Technology and Transport. There are three prominent features to this new amendment bill:
- Positive Security Obligations: providing Critical Infrastructure Asset Registers, Risk Management Plans and cyber incident reporting, which can only be activated for a sector following consultation with affected entities.
- Enhanced Cybersecurity Obligations: implementing the latest security measures.
- Government Assistance: to respond to cyber-attacks on Critical Infrastructure assets.
Table 1: Applications of Reforms (via https://www.homeaffairs.gov.au/)
Implementation of Critical Infrastructure Protection
The benefit of this new amendment bill is that the government will be able to work alongside the private sector and regulatory bodies to provide the most balanced form of cyber risk management and incident response possible.
The implementation of this amendment will start in January 2021, and based on consultation with private entities and field experts, the table below sets out the implementation details.
IMPLEMENTATION PHASE

| Element of legislation | Detailed outline of element | Further industry consultation through implementation phase |
|---|---|---|
| Critical Infrastructure Asset | Definitions of critical infrastructure assets are: | ● Where definitions rely on further specifics being established through rules, those rules will be made following commencement of the legislation, drawing on feedback from industry. ● Entities must be consulted before a private declaration of an asset is made. |
| Positive Security Obligations | | ● Sector to be consulted prior to any of the obligations being switched on. ● Co-design of sector-specific rules and guidance to support the Risk Management Program to occur progressively from early 2021. ● Four-week consultation prior to rules being made. ● Guidance and advice to be provided on Register and cyber incident reporting obligations. |
| Systems of National Significance | ● Critical infrastructure assets that are of national significance, noting interdependencies across key sectors in the economy and consequences should the asset be impacted. | ● Privately declared by the Minister subject to legislative criteria being met and direct consultation with the entity. ● Guidance to be developed and provided to entities declared to be a system of national significance. ● Entity may seek review of a declaration should circumstances change. |
| Enhanced Cyber Security Obligations | | ● Consultation required with the entity prior to issuing notices for any of these obligations. |
| Government Assistance | | ● Further guidance to be provided to industry on how and when these powers may be used. ● Consultation with affected entities to occur prior to authorisations being made. |
Contact us at Agilient for consultation regarding updating your cybersecurity strategies and plans in line with the latest industry standards.
Author: Saeed Baayoun, Agilient Consultant