Starting gun fired in race to uplift Australia’s infrastructure security

The second tranche of anticipated amendments to the Security of Critical Infrastructure Act (2018) was passed by the Parliament in a flurry of recent legislative activity.

Following on from substantial amendments to the Act in December 2021 (see our December 2021 update), these further changes introduce significant new obligations and powers, including:

• Risk Management Programs requiring critical infrastructure owners and operators to manage the risk of hazards that affect the delivery of essential services – the program content has been designed with industry and builds on existing regulatory frameworks, where possible;
• Ability for Government to declare Systems of National Significance – identifying the most important critical infrastructure assets for Australia;
• Enhanced Cyber Security Obligations for owners and operators of Systems of National Significance) – centred around a strengthened relationship with government; and
• Improved information sharing provisions to make it easier for regulated entities and governments to share information as needed to comply with their obligations.

The passage of this bill signals the beginning of the journey to uplift risk management across a vast swathe of the Australian economy, including cybersecurity, supply chain and personnel risks in addition to the physical and natural hazard risks that have impacted a variety of services across Australia in recent years.

Most notably, these amendments create a framework to achieve the government’s objective of improving Australian industry’s cybersecurity risk management in support of its Cyber Security Strategy 2020 and the aim to make Australia a leading digital economy by 2030.

The amended Act will require affected entities to create and comply with a critical infrastructure risk management program (RMP). The law further allows the Minister for Home Affairs to mandate certain risk domains that affected entities must consider as part of the RMP, and draft rules included in the explanatory memorandum to the bill demonstrate the breadth of those mandatory considerations, including cybersecurity, supply chain and personnel risks.

Not all critical infrastructure sectors are intended (at least initially) to be subject to the RMP requirements. However, the Government has clearly signalled that those sectors not initially affected could be pulled into the RMP net if their regulatory standards do not match the Government’s risk management expectations.

When will the obligations commence?

It remains to be seen whether the Government will issue the new rules required to switch on the various obligations prior to the election being called and the Government entering caretaker mode. Even in that mode, there are avenues for these rules to be issued by a caretaker government. With the heightened risk environment Australia operates in today, especially with mounting reports highlighting the risk of a cyber-attack spill-over from the Russia-Ukraine conflict, the government could well use those alternate routes to protect Australia’s national security interests and the assets vital to our daily lives.

In assessing when the obligations come into force, it is possible that the cyber-incident reporting obligations will commence in the near term (3 months or less), with some of the RMP obligations taking effect within six months of the Act coming into force. These obligations are significant and a six month lead time (to both determine which assets are caught and how to comply within complex organisations) is short.

What should organisations do now?

Organisations should start by understanding whether they are within the expanded definitions, inventory those assets that are mission critical and map the obligations the expanded laws create for them. Organisations should also keep a watching brief on the commencement of the obligations.

Contact us if you have queries about these obligations.

This article was co-authored with Madeleine Barr.