Author:
Australia | Publication | May 2021
This article was co-authored with Francis Meehan.
On March 28 this year, Nine Entertainment (NEC), the broadcaster and publisher, was the victim of a sophisticated cyber-attack that impacted its operations. NEC was well prepared and acted effectively, including by reaching out to the Australian Signals Directorate (ASD) for assistance. Under proposed amendments to the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act), NEC’s voluntary decision to contact the ASD for assistance could become mandatory.
The NEC example demonstrates the potential breadth of critical infrastructure assets (CIAs) under the proposed amendments to the SOCI Act. Currently, the SOCI Act regulates four classes of CIAs in the electricity, gas, water and ports sectors. If passed, the amended SOCI Act (Amended Act) would introduce a new concept of “Critical Infrastructure Sectors” (Sectors) and expand the number of CIA classifications from four to 22. In addition, a new category of CIAs called “Systems of National Significance” (SONS) will be introduced. This layered approach, from Sectors to CIAs and then to SONS, allows the Government to manage the risks to critical infrastructure commensurate with the perceived threats over time.
The amendments to the SOCI Act are intended to ensure that critical infrastructure is resilient and responsive to material risks as they arise, including by implementing risk management plans and other security-related obligations. Boards of responsible entities will be required to sign-off on the plans and may be held accountable if the plans fall short. Organisations operating in the expanded Sectoral definitions (see Table 2 below) should review the potential impact of the amended regime on their operations and assets and, where appropriate, engage in the consultation process being managed by the Department and the Australian Cyber Security Centre (ACSC). The Department is seeking engagement via their web page, here.
Along with expanding the scope of “critical infrastructure”, the amended scheme will introduce additional Government powers and obligations on companies responsible for critical infrastructure. Most relevantly, where an incident is taking place, the Amended Act will enable the Department of Home Affairs to direct entities operating any asset within a Sector to provide specific information, to do or refrain from doing certain things, and also direct the Australian Signals Directorate to intervene directly including taking control of computers, devices and data of an affected entity.
In addition, new “Positive Security Obligations” for CIAs are contemplated, including a requirement to prepare and implement a risk management plan, as well as mandatory reporting and information sharing. These Positive Security Obligations will come into effect only after they have been “switched on” by the Department making enforceable rules for a particular Sector following a period of consultation. Consultation on these rules is an opportunity for affected companies to influence the implementation of this new regulatory regime
Finally, the Amended Act will introduce “Enhanced Cyber Security Obligations” for SONS, which will require affected entities to develop an incident response plan, participate in cyber security exercises, undertake vulnerability assessments and provide access to system information.
| Entities within Critical Infrastructure Sectors |
CIAs | Systems of National Significance | |
| Government Assistance | Yes | Yes | Yes |
| Positive Security Obligations | No | Yes | Yes |
| Enhanced Cyber Security Obligations | No | No | Yes |
Source: Department of Home Affairs
Now is the time to take the opportunity to seek to influence the design and implementation of the new regulatory regime. The Department’s stakeholder engagement process is currently underway, with a staged approach targeted to finalising rules that will govern important details of the Critical Infrastructure regime. The first priorities are high level cross-Sectoral Governance Rules for the implementation of the new regime, definitions of what constitutes a CIA, the identity of the relevant Commonwealth regulatory body for a Sector and how the new Positive Security Obligations will be implemented.
Consultation is currently underway in relation to the Positive Security Obligations for critical electricity and gas assets in the energy sector, which will be followed with consultation in relation to the water and sewerage and data storage and processing sectors. The Department’s engagement plans include a four week consultation period for each Sector prior to rules being implemented.
Importantly, the proposed amendments are not without concerns. Examples include:
In April this year, the Department published a draft paper setting out initial proposals for rule changes in each Sector. We note that a number of the proposed rules would significantly reduce the thresholds for participation for those Sectors already covered under the existing SOCI Act. However, until the rules are finalised, the extent of the regulatory impact of the Critical Infrastructure regime across different Sectors with different security, risk and cyber maturity profiles remains subject to change.
For owners or operators of CIAs, and especially those with board-level responsibility who are likely to be required to sign-off on plans and compliance, now is the time to consider the new regulatory obligations and responsibilities, and in particular the Positive Security Obligations and requirements for risk management plans.
Over the coming weeks, we will publish further updates. If you have any queries in respect of how the proposed legislation may impact your operations, or how we may be able to assist with your engagement with any consultation processes, please get in touch.
| Critical Infrastructure Sector | Critical Infrastructure Asset |
| Communications | Critical telecommunications assets |
| Critical broadcasting assets | |
| Critical domain name system | |
| Data Storage and Processing | Critical data storage or processing assets |
| Financial services and markets | Critical banking assets |
| Critical superannuation assets | |
| Critical insurance assets | |
| Critical financial market infrastructure assets | |
| Water and sewerage | Critical water assets |
| Energy | Critical electricity assets |
| Critical gas assets | |
| Critical liquid fuel assets | |
| Critical energy market operator assets | |
| Healthcare and medical | Critical hospitals |
| Higher education | Critical education assets |
| Food and grocery | Critical food and grocery assets |
| Transport | Critical port assets |
| Critical freight infrastructure assets | |
| Critical freight services assets | |
| Critical public transport assets | |
| Critical aviation assets | |
| Defence industry | Critical defence industry assets |
| Space technology | None specified |
Publication
EU Member States may allow companies from countries that have not concluded an agreement guaranteeing equal and reciprocal access to public procurement (public procurement agreement) with the EU to participate in public tenders, provided there is no EU act excluding the relevant country.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023
