This article applies to organisations that operate or manage critical infrastructure.
Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth)
Please be advised that the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Bill) passed on 22 November 2021 and has amended the Security of Critical Infrastructure Act 2018 (Cth) (the Act).
Under the Act, the Government has broad information-gathering powers so that it can better manage critical infrastructure in certain high-risk industries. Entities that are responsible for the critical infrastructure in these industries have ongoing obligations to provide the Government with certain information relating to the infrastructure.
The Bill considerably expands the application of the Act into several new industries and inserts new reporting obligations on those impacted by the scheme. In addition, the Bill grants the Government additional powers to intervene if a cyber security incident impacts critical infrastructure.
We note that the types of organisations to be covered by the Act will be unclear until further regulations and industry-specific rules have been released.
Sectors covered by the scheme
Previously, the Act applied to only four sectors: electricity, gas, water and ports. The Bill extends the application of the Act to the following eleven sectors: healthcare and medical, water and sewerage, financial services and markets, higher education and research, food and grocery, data storage and processing, communications, energy, defence industry, transport and space technology.
Each of these sectors is further defined in the Bill, for example:
- health care and medical sector means the sector of the Australian economy that involves the provision of health care or the production, distribution or supply of medical supplies;
- water and sewerage sector means the sector of the Australian economy that involves operating water or sewerage systems or networks or manufacturing or supplying goods, or providing services, for use in connection with the operation of water or sewerage systems or networks;
- higher education and research sector means the sector of the Australian economy that involves being a higher education provider or undertaking a program of research that is supported financially (in whole or in part) by the Commonwealth and is relevant to a critical infrastructure sector (other than the higher education and research sector);
- food and grocery sector means the sector of the Australian economy that involves manufacturing, processing, packaging, distributing or supplying food or groceries on a commercial basis.
Organisations operating in these sectors will have new obligations they need to comply with if they are considered a responsible entity in relation to a critical infrastructure asset. The definition of a responsible entity is sector dependent and can be found in section 12L of the Bill, but generally, a responsible entity is an entity that owns or operates a critical infrastructure asset.
Critical infrastructure assets are also sector dependent but generally relate to infrastructure that is critical to the sector’s operation or that could significantly impact a large number of Australians. For example, in the health care and medical sector, a hospital that has a general intensive care unit is deemed a critical infrastructure asset.
We note that the precise meaning of critical infrastructure assets within the various sectors is unclear. It is intended that sets of sector-specific rules, which are to be developed with the relevant industry, will determine what is meant by a critical infrastructure asset and may add to, or exempt from, the critical infrastructure assets listed in the Bill.
The obligations that apply to responsible entities are summarised below.
Providing ownership and operator information
As was the case with existing responsible entities, a responsible entity for a critical infrastructure asset is required to report certain information in relation to the asset. This includes details of the critical infrastructure asset and information about the responsible entity.
Organisations will have 6 months from the day that an asset becomes a critical infrastructure asset to provide the above information.
Responsible entities also have an ongoing obligation to provide information and notify of certain events (e.g., if information previously given to, or obtained by, the Secretary becomes incomplete or incorrect).
Notification of Cyber Security Incidents
Responsible entities will be required to notify a relevant Commonwealth body (to be determined by the rules) if they become aware that a cyber security incident has occurred or is occurring that will have a significant impact on the availability of the critical infrastructure asset. This notification must be made within 12 hours after the entity becomes aware of the cyber security incident.
A cyber security incident is defined as one or more of the following:
- Unauthorised access to computer data or a computer program;
- Unauthorised modification of computer data or a computer program;
- Unauthorised impairment of electronic communication to or from a computer;
- Unauthorised impairment of the availability, reliability, security or operation of a computer, computer data or a computer program.
A cyber security incident will have a significant impact upon the availability of an asset if, and only if, both the asset is used in connection with the provision of essential goods or services and the incident has materially disrupted the availability of essential goods or services.
Similarly, the Bill requires responsible entities to notify the Secretary within 72 hours if they become aware that a cyber security incident has occurred or is occurring that will have a relevant impact on a critical infrastructure asset.
A cyber security incident will have a relevant impact on an asset if it impacts the availability, integrity, reliability or confidentiality of the asset.
Failure to comply with the above reporting requirements carries a penalty of 50 penalty units (currently, $11,100).
Finally, organisations that are now considered relevant entities should be aware that they may also be subject to the Government’s information-gathering, action direction and intervention powers in relation to cyber security incidents (briefly set out below). An entity will be a relevant entity if it:
- is a responsible entity for the asset; or
- is a direct interest holder in relation to the asset; or
- is an operator of the asset; or
- is a managed service provider for the asset.
In addition to the existing information-gathering powers, the Bill gives the Government the following powers in relation to cyber security incidents:
- to require a relevant entity to disclose information that may assist it in responding to a cyber security incident;
- to require a relevant entity to take certain actions;
- to allow the Australian Signals Directorate to intervene when the organisation is unwilling or unable to act.
For further information please contact the Law Compliance team:
Phone: 1300 862 667