Despite a complex legislative history, amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are now finalized (subject to the continued development of a number of “rules”, which play an important role in determining both the application of the SOCI law and certain of its operational details).
The expanded SOCI law imposes, among other things, three core obligations on entities responsible for critical infrastructure assets. Our previous article provides an overview of the legislative history of these reforms and some of the key provisions.
These changes have broad implications for many sectors, and organizations subject to the SOCI Act have a number of immediate steps to take to ensure they are ready to comply with the “Positive Security Obligations” (described below) as compliance becomes mandatory in the coming months.
Expanded sector and asset coverage
The sectors and asset classes covered by the SOCI law have been considerably expanded. Australia’s critical infrastructure regime now encompasses 11 broadly defined sectors and 22 critical infrastructure asset classes. The sectors are:
- data storage or processing
- financial services and markets
- water and sewerage
- healthcare and medical
- higher education and research
- food and groceries
- space technology
- defense industry
Generally, the definition of “critical infrastructure assets” is determined by reference to specific infrastructure that is at the heart of each sector. Most of the obligations apply to the “responsible entity” that owns or operates the critical infrastructure asset. “Direct interest holders” (entities that hold at least a 10% interest in a critical infrastructure asset or influence or control the asset) may also have obligations under the SOCI Act.
Source: Department of Home Affairs and Cyber and Infrastructure Security Centre.
Positive Security Obligations
Following the Security of Critical Infrastructure (Application) Rules (Application Rules) taking effect on April 8, 2022, two of the three positive security obligations now apply to some of the newly included asset classes. Not all sectors or asset classes have had these obligations “activated”. Home Affairs has been in contact with entities in the affected asset classes regarding the Application Rules and their applicability to those entities, and we anticipate that it will continue to do so with relevant industry entities.
The third obligation, to establish and adhere to a risk management program, will apply once the risk management program rules are registered. Home Affairs has released a policy document setting out the proposed risk management program rules, but the final version of these rules has not yet been published. Once published, the draft risk management program rules will be subject to a mandatory 28-day comment period.
1. Report information to the Register of Critical Infrastructure Assets. Reporting entities (whether responsible entities or direct interest holders) must provide interest, control and operational information to the Cyber and Infrastructure Security Centre. This register will not be accessible to the public. Following the entry into force of the Application Rules, this obligation applies to a defined list of critical asset classes, but a six-month “grace period” means that compliance is not mandatory until October 8, 2022. Failure to comply may result in a maximum penalty of 50 penalty units (currently $11,100).
2. Mandatory cybersecurity incident notification requirements. The Application Rules also “activated” mandatory cyber incident reporting obligations for certain critical asset classes, subject to a three-month “grace period”. From July 8, 2022, this obligation requires that:
- if an entity becomes aware of a cybersecurity incident that has had, or is having, a significant impact on the availability of the asset, it must report the incident within 12 hours; and
- if an entity becomes aware of a cybersecurity incident that has had, or is having, a relevant impact on the availability of the asset, it must report the incident within 72 hours.
A “significant impact” is an impact that has materially disrupted the availability of essential goods or services provided by the asset (or otherwise specified in industry rules, which have yet to be developed). A “relevant impact” is any other impact on the availability, integrity, reliability or confidentiality of the asset. Failure to comply may result in a maximum penalty of 50 penalty units (currently $11,100).
3. Risk management program. The risk management program rules will “activate” the obligation for responsible entities to establish, maintain and comply with a risk management program that manages and mitigates the prescribed risks associated with their critical infrastructure assets. It is expected that the risk management program rules will not apply to all asset classes (for example, where the government is of the view that there would be regulatory overlap with other regimes applicable to the sector that already impose obligations on the management of the relevant risks). Once these rules are enacted, there will be a six-month grace period to comply with them. A risk management program should:
- identify all hazards that pose a significant risk to the availability, integrity, reliability and confidentiality of its critical infrastructure asset;
- mitigate risks to prevent incidents;
- minimize the impact of incidents that do occur; and
- implement effective security governance and control procedures.
Failure to adopt, maintain or comply with a critical infrastructure risk management program may result in a maximum penalty of 200 penalty units (currently $44,400).
The SOCI Act also now includes additional government powers which are considered by the Australian Government to be essential to maintaining the security of Australia’s critical infrastructure. In particular, from December 2021, the government can exercise the following powers to respond to a cybersecurity incident that affects a critical infrastructure asset:
- an information gathering direction – requiring a responsible entity to provide information relating to a cybersecurity incident;
- an action direction – where the Minister for Home Affairs can direct an entity to take, or refrain from taking, any action deemed reasonably necessary, proportionate and technically feasible to respond to a cybersecurity incident if the entity is unwilling or unable to resolve the incident; and
- an intervention request – which gives the Australian Signals Directorate a “last resort” power to take control of an asset when an entity is unwilling or unable to resolve a cybersecurity incident.
The government may also privately declare that a critical infrastructure asset (which may potentially include all or a large portion of an entity’s operations) is a system of national significance (SoNS). Once an asset is declared a SoNS, the government may then give written notice requiring the responsible entity for the SoNS to comply with the following enhanced cybersecurity obligations:
- Develop and maintain cybersecurity incident response plans.
- Undertake cyber security exercises.
- Undertake vulnerability assessments.
- Provide access to system information.
Responsible entities will be specifically notified and consulted by the government if these additional powers are exercised with respect to their critical infrastructure assets.
Key points to remember
There are a number of immediate actions for organizations that may be impacted by the SOCI Act to take, including:
- Gather asset information to determine whether they are captured as an owner, operator, or direct interest holder in critical infrastructure assets. This assessment is sector-specific and will be a more complex assessment for organizations in some sectors than others. An asset audit should be undertaken to ensure that critical infrastructure assets are correctly identified and, where applicable, to ensure that reporting and other obligations are met with respect to those assets.
- Ensure existing cyber incident response plans include processes for early identification of cyber incidents and their impact on critical infrastructure assets. This step is particularly important for responsible entities in asset classes that have been “activated”, so that they can comply with the requirement to report relevant incidents to the Australian Cyber Security Centre within 12 or 72 hours (as applicable) from July 8, 2022, and take appropriate measures to remedy the incident.
- Consider the internal processes and procedures to follow if the organization were to receive an information gathering direction or an action direction from the government in response to a cybersecurity incident. For example, how will the request or direction be handled, and to whom within the organization will it be escalated?
- Consider existing risk management processes related to critical infrastructure assets, and whether they are likely to require improvement once the risk management program rules are finalized and come into force. It should be noted that the risks to be managed are those arising from all hazards (including supply chain, personnel, and natural and physical hazards), not just cyber risks.
- For responsible entities that engage third parties to assist in the operation of their critical infrastructure assets, review those arrangements. If necessary, a responsible entity should work to enhance these contracts to include contractual obligations for third parties to ensure that they will support the organization’s compliance with its obligations under the SOCI Act (including through the provision of information and cooperation with security requirements).