Recently, the Security of Critical Infrastructure Act 2018 was amended in the House of Representatives. This article discusses and explains the Security Legislation Amendment (Critical Infrastructure) Bill 2021, which was passed and came into effect on 2 December 2021.
The Purpose Of The Amendment
The main goal of the amendment was to strengthen the existing structure and strategies for managing risks (mainly cyber-related), which may target critical infrastructure. For this express purpose, The Bill added new definitions and obligations for critical infrastructure assets.
Main Points of Interest In Bill 2021
Firstly, The Bill has added a new definition for critical infrastructure sectors. The previous Act (Security of Critical Infrastructure Act 2018) covered only certain assets in four main sectors, which were the gas, electricity, water, and maritime ports sectors. Now the amendments have extended these sectors to cover eleven sectors which are regarded as critical. The eleven new sectors are:
- Data storage or processing
- Communications
- Defense industry
- Energy
- Financial services and markets
- Food and grocery
- Health care and medical
- Higher education and research
- Space technology
- Transport
- Water and sewerage
Furthermore, the cyber incident reporting that was mentioned in part 3A of The Act has been amended, and now introduces new obligations for reporting any cyber incidents that target or affect the critical infrastructure asset. These obligations force a responsible entity to report any kind of cybersecurity incident within:
- 12 hours, if the impact of the incident is considered to be significant; or
- 72 hours, if the impact of the incident isn’t considered to be significant.
The term ‘significant’ is defined by the ability of an incident to materially impact the availability of vital products or services.
Any failure to comply with these obligations will result in a fine of 50 penalty points (AU$11,000), and in some cases the fine might even be 250 penalty points (AU$55,000) if the entity is a corporation.
The third and final point of interest gives the government more power and authority, something they call “government assistance”. This gives the Australian government power to intervene in the matters and decisions of any private company that is operating a critical infrastructure asset and might be under attack in a cybersecurity incident. These powers are only to be used as a last resort, and only when the entity responsible for the asset is unwilling or unable to take the appropriate actions to defend against the incident.
These powers are represented by three main directives:
- Information-gathering requests – where the government will ask the entity to provide any necessary information to respond to the incident.
- Action requests – where the government can order the entity to do a specific act, or to refrain from doing it.
- Intervention requests – where the Australian Signals Directorate may intervene and take whatever action is required, such as accessing or modifying any type of hardware that has been targeted by the incident and, in some cases, may even require them to take over the entire operation of the asset.
Next Steps
Since there are now several new sectors involved in the classification of a critical infrastructure, you should check if your organisation is an entity covered by The Act. If so, changes may need to be made to regulations within your organisation.
If your organisation is already an entity handling a critical infrastructure, then you need to modify and revise your response procedures for cyber-attacks and incidents, and ensure they meet the new criteria of mandatory reporting obligations, which is something we offer in our services.
If you are not sure whether your organisation is considered a critical infrastructure, contact us for assistance.
Author: Mahdi Kobeissi, Cyber Security Consultant