Risky business – latest update on new critical infrastructure risk regime

Australia’s critical infrastructure safety regime is again the subject of parliamentary consideration with the second tranche of proposed amendments to the Security of Critical Infrastructure Act 2018 (Act) introduced earlier this month.

As canvassed in our previous articles here and here, Australia has been subject to several cyber attacks targeting the federal parliamentary network and key supply chain businesses since the Act’s introduction. In addition, the COVID-19 pandemic broke during this time, causing widespread disruption to major industries such as health, transport and manufacturing.

These disruptions led to the introduction of the Security Legislation Amendment (Critical Infrastructure Protection) Bill in 2020. Following consultation, this bill was split in two so that critical aspects of the bill could be progressed whilst other aspects of the bill could be the subject of further workshopping between government and industry.

The 2021 Bill, which widened the scope of application of the Act, introduced further reporting requirements and provided additional powers to the Commonwealth, was passed and became law on 2 December 2021.

On 10 February 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (2022 Bill) was introduced to Federal Parliament.

The 2022 Bill proposes to:

1. introduce obligations on entities to establish a critical infrastructure risk management plan (CIRMP) for critical infrastructure assets
2. increase cyber security obligations for “systems of national significance”.

Critical infrastructure risk management plan

The proposed legislation offers the Home Affairs Minister a ‘switch’ mechanism to catch (and release) entities required to prepare a CIRMP from this requirement as the regime settles into place.

It can be expected that entities operating critical electricity assets, critical energy market operator assets, critical gas assets, critical liquid fuels assets, certain critical financial market infrastructure assets, critical data storage or processing assets, critical hospital assets, critical domain name system assets and critical broadcasting assets will be the entities made subject to this obligation shortly after the 2022 Bill becomes law.

The requirement is then expected to apply to critical freight services assets, critical freight infrastructure assets and critical food and grocery assets from or sometime after 1 January 2023.

The CIRMP obligations will require entities to:

1. identify hazards for which there is a “material risk” that the hazard will impact their business operations
2. minimise the material risks of those hazards occurring
3. mitigate the impacts of hazards on the operation of their critical infrastructure assets.

The identification of hazards that are a “material risk” will include all hazards – from natural disasters to cyber threats.

Systems of national significance

The enhanced cyber security obligations in the 2022 Bill will apply to “systems of national significance” (SNSs). Entities may be informed that their system is an SNS by written notice from the Secretary of the Home Affairs Department. If an entity receives this notice, four additional obligations will apply to that entity:

1. the entity responsible for the SNS will be required to adopt and maintain an incidence response plan for cyber security incidents. The plan must be reviewed on a regular basis and the entity must take all reasonable steps to ensure that the plan is kept up to date
2. the entity responsible for the SNS will be required to, if notified to do so by the Secretary of the Department, undertake a “cyber security exercise”, which is aimed at testing a particular entity’s readiness to respond to a specific cyber threat, or cyber threats generally. The Department may require that these exercises be observed by designated departmental officers. An evaluation report must then be prepared and provided to the Secretary
3. the Secretary may notify an entity that it must conduct a vulnerability assessment and prepare a report for the Secretary. The purpose of a vulnerability assessment is to test the system’s vulnerability to a specific cyber security risk, or cyber security risk generally. If the Secretary has reasonable grounds to believe that the entity would not be capable of complying with the notice, the Secretary may require a designated officer to undertake the vulnerability assessment and to provide the report in the entity’s place
4. if an SNS relies upon a computer or is a computer, the Secretary may by notice require periodic technical reports to be provided about that computer if the Secretary considers the entity is capable of doing so.

What happens now?

The 2022 Bill has progressed through the House of Representatives and is with the Senate for consideration.

Following successful passage of the 2022 Bill, we can expect to see rules proposed under section 30AB of the Act which will determine which entities will be required to comply with the critical infrastructure risk management program obligations.

We also expect that a further set of rules under the Act will establish when certain requirements introduced by the 2021 amendments will apply and to whom.

How can we help?

If your entity is, as a consequence of the 2021 amendments to the Act, newly caught by the application of the relevant provisions of the Act, you will have until 2 June 2022 to make your first report to the Department.

If you have any questions about this article or how the new amendments to this Act may impact you, we are able to assist and advise on the obligations you may have under the Act. If you would like to learn more about the new risk management regime for critical infrastructure, please register for our upcoming webinar on the latest tranche of amendments to the Act here.

Authors: Jean Lukin

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.

Share this