Reforms to Security of Critical Infrastructure legislation to significantly impact management of cyber risk

John Dieckmann, Margaret Gigliotti, Tom Middleton and Ignatius Quin
09 Jun 2022
Time to read: 7 minutes

Reforms to the Security of Critical Infrastructure Act have introduced new obligations and expanded its application to 11 critical infrastructure sectors.

Significant changes to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) will require organisations that control "critical infrastructure assets" to comply with broad, new, cyber risk management obligations. These changes will impact the way cyber security risks and incidents must be managed from an operational perspective. A diverse range of sectors and organisations will be required to comply with the new obligations, starting in July 2022.

The new SOCI obligations at a glance

The reforms include expanded obligations on organisations to provide operational and ownership information about their assets to the Secretary of Home Affairs for inclusion on a non-public register of critical infrastructure, and new obligations for organisations to:

  • report cyber security incidents affecting critical infrastructure to the Australian Signals Directorate (unless specified otherwise by the rules) within as little as 12 hours – importantly, these obligations apply to a broader set of incidents than currently within the scope of the mandatory data breach reporting regime under the Privacy Act 1988 (Cth);
  • comply with directions from the Minister for Home Affairs in managing cyber security incidents and allow intervention by the Australian Signals Directorate;
  • adopt, maintain, review, update and comply with a critical infrastructure risk management program;
  • submit an annual report within 90 days after the end of the financial year to a relevant Commonwealth regulator or the Secretary; and
  • comply with additional cyber security obligations if they are responsible for a “system of national significance”, including adopting, maintaining, reviewing, updating and complying with a cyber security incident response plan and undertaking cyber security exercises.

When do the obligations commence?

The obligations are being implemented across two amending acts (the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (First Amending Act) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (Second Amending Act)). With both amending acts having now commenced, affected organisations will be required to comply with obligations in the coming months – starting with cyber security incident reporting obligations which organisations must be compliant with by 8 July 2022.

Who do the SOCI reforms apply to?

The First Amending Act expands the application of the SOCI Act to 11 "critical infrastructure sectors":

  • communications
  • data storage or processing
  • financial services and markets
  • water and sewerage
  • energy
  • healthcare and medical
  • higher education and research
  • food and grocery
  • transport
  • space technology
  • defence industry

Those who own and control "critical infrastructure assets" within these broadly defined critical infrastructure sectors will become subject to both the new and existing obligations under the SOCI Act when they are "switched on" via Ministerial Rules.

The definition of “critical infrastructure assets” has been significantly broadened by the amendments. For example, the SOCI Act now applies to “critical data storage or processing assets” which include any data storage or processing asset used wholly or primarily to provide services to Government bodies or an entity that is responsible for other critical infrastructure assets (provided the operator of the data storage or processing asset is aware that the storage or processing service relates to business critical data).

Status of SOCI obligations

[Critical infrastructure table]

What are “critical infrastructure sectors” and “critical infrastructure assets”?

The broad definitions of “critical infrastructure sectors” and “critical infrastructure assets” are likely to encompass suppliers and assets which would not ordinarily be expected to fall within the scope of the SOCI Act. For example, the definition of a “critical data storage or processing asset” includes any data storage or processing asset used wholly or primarily to provide services to a Commonwealth, State or Territory Government entity. This may result in assets such as data centres used to process non-sensitive information on behalf of Government entities being considered a “critical infrastructure asset”. Further, the amendments refer to a data storage device as being “a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer” [emphasis added]. As such, it is possible that a particular server or instance of a data storage or processing facility may be considered a “critical infrastructure asset” (for example, in a situation where services are provided to a Government customer using a private cloud hosted on a dedicated server).

The SOCI Act defines the critical infrastructure assets for each of the critical infrastructure sectors and who is deemed the "reporting entity" for each such asset. Reporting entities are either the "responsible entity" for the asset or a "direct interest holder" in relation to the asset, both of which are defined in further detail in the SOCI Act.

Register of critical infrastructure assets

The Secretary must keep a non-public register of critical infrastructure assets under section 19 of the SOCI Act.

Reporting entities for a particular critical infrastructure asset must provide to the Secretary:

  • if they are the responsible entity for the asset, “operational information” including information regarding the location of, and area serviced by, the asset, descriptions of the arrangements under which the operator operates the asset and under which certain data relating to the asset is maintained, together with details of the responsible entity; and
  • if they are a direct interest holder in relation to the asset, interest and control information in relation to the entity and the asset.

Reporting entities also have an ongoing obligation to notify the Secretary of any changes to the information on the Register.

These obligations were switched on by the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 on 8 April 2022 for the following assets:

  • critical broadcasting assets
  • critical hospitals
  • critical liquid fuel assets
  • critical domain name systems
  • critical freight infrastructure assets
  • critical energy market operator assets
  • critical data storage or processing assets
  • critical freight services assets
  • critical electricity assets
  • critical financial market infrastructure assets that are payment systems
  • critical public transport assets
  • critical gas assets
  • critical food and grocery assets

However, the Application Rules allow for a grace period, so reporting entities for these assets have until 8 October 2022 to comply with their reporting obligations under the SOCI Act.

Notification of cyber security incidents

The First Amending Act introduces new obligations regarding the notification of "cyber security incidents" that have an impact on critical infrastructure assets. As with the existing obligations under the SOCI Act, these obligations apply when they are "switched on" via Ministerial Rules.

A cyber security incident involves any of the following:

  • unauthorised access to, or modification of, computer data or a computer program;
  • unauthorised impairment of electronic communication to or from a computer; or
  • unauthorised impairment of the availability, reliability, security or operation of a computer, computer data, or a computer program.

Responsible entities for critical infrastructure assets have an obligation to notify the relevant Commonwealth body if they become aware of a cyber security incident:

  • within 12 hours, if the cyber security incident has had, or is having, a significant impact on the availability of the asset; or
  • within 72 hours, if the cyber security incident has had, or is likely to have, a relevant impact on the asset.

A "significant impact" is defined by reference to circumstances where the cyber security incident materially disrupts the availability of essential goods or services. A "relevant impact" includes any other impact on the availability, integrity, reliability, or confidentiality of the critical infrastructure asset.

As with the reporting obligations, the Application Rules have now switched on these obligations for the following assets:

  • critical broadcasting assets
  • critical food and grocery assets
  • critical energy market operator assets
  • critical domain name systems
  • critical hospitals
  • critical aviation assets
  • critical data storage or processing assets
  • critical education assets
  • critical ports
  • critical banking assets
  • critical freight infrastructure assets
  • critical electricity assets
  • critical superannuation assets
  • critical freight services assets
  • critical gas assets
  • critical insurance assets
  • critical public transport assets
  • critical water assets
  • critical financial market infrastructure assets
  • critical liquid fuel assets

The grace period for these assets will end on 8 July 2022. Responsible entities for each of these assets should ensure they are fully aware of their notification obligations before this date.

Responding to serious cyber security incidents

The First Amending Act also gives the Minister for Home Affairs various powers to respond to serious cyber security incidents.

Where a cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset, the Minister may authorise the Secretary to give:

  • information-gathering directions to determine whether another power under the SOCI Act should be exercised;
  • a direction to a responsible entity to do, or refrain from doing, a specified act or thing; or
  • an intervention request that the Australian Signals Directorate (ASD) do one or more specified acts (e.g. provide support in responding to the incident).

To exercise this power, the Minister must be satisfied that there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice Australia's defence, national security, or social or economic stability.

Critical infrastructure risk management programs

The Second Amending Act, which commenced on 2 April 2022, introduces new obligations on responsible entities for critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (RMP).

The purpose of an RMP is to:

  • identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset; and
  • so far as it is reasonably practicable to do so:
    • minimise or eliminate any material risk of such a hazard occurring; and
    • mitigate the relevant impact of such a hazard on the asset.

While these obligations are yet to be switched on by Ministerial Rules, a draft set of rules has been circulated since November 2021. Organisations should therefore act now to ensure they have an RMP that complies with the SOCI Act and draft rules.

Enhanced cyber security obligations

The Second Amending Act also introduces enhanced cyber security obligations for "systems of national significance". The Minister may declare that a particular critical infrastructure asset is a system of national significance. The Minister is required to consult with the responsible entity before making such a declaration.

Responsible entities for systems of national significance are subject to enhanced cyber security obligations, which include:

  • to adopt and comply with a cyber security incident response plan;
  • to undertake cyber security exercises;
  • to undertake vulnerability assessments; and
  • if a computer is, or is needed to operate, a system of national significance:
    • to give ASD periodic reports of system information;
    • to give ASD event-based reports of system information; or
    • to install software that transmits system information to ASD.

Getting ready for the changes to the SOCI regime

Organisations should act quickly to confirm whether they are impacted by the reforms and, if affected, ensure that they:

  • identify any assets they may need to report on;
  • implement appropriate policies and procedures to ensure compliance with the new cyber security incident notification obligations by no later than 8 July 2022; and
  • are prepared for further changes, especially once the obligations introduced by the Second Amending Act are "switched on".

Use our interactive flowchart to determine first whether it is likely you have obligations under the new Act.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.