An Overview of Australia’s Critical Infrastructure Reforms

On 2 April 2022, the Australian Government’s final tranche of amendments to the Security of Critical Infrastructure Act 2018 (herein referred to as “the Act”) achieved royal assent. These amendments completed the Government’s series of reforms aimed at enhancing Australia’s critical infrastructure resilience.

Around the world we have seen a growing range of cyber security threats levelled against critical infrastructure, including the recent high-profile SolarWinds, Exchange and Colonial Pipeline attacks. Australia is not immune from this trend. During 2020-21, approximately one quarter of cyber incidents reported to the Australian Cyber Security Centre (ACSC) were associated with Australia’s critical infrastructure or essential services.

Cyber security threats are only set to increase, particularly as technology and connectivity become more pervasive and increasingly underpin our critical infrastructure services.

An Overview: Australia’s Critical Infrastructure Reforms

The Australian Government’s reforms seek to improve the cyber security posture and resilience of Australia’s “critical infrastructure assets” and “systems of national significance” (more on this below), through the following measures:

1. Increasing the Number of Australia’s Regulated Critical Infrastructure Sectors

The Australian Government has now increased the number of regulated critical infrastructure sectors from the previous four sectors (electricity, gas, water and ports) to the following 11 sectors:

  • Financial Services and Markets
  • Communications
  • Data Processing and Storage
  • Defence Industry
  • Higher Education and Research
  • Energy
  • Food and Grocery
  • Health Care and Medical Sector
  • Space Technology
  • Transport
  • Water and Sewage

This expanded scope recognises and reflects the range of sectors critical to Australia’s national security, as well as economic and social prosperity.

2. Establishing “Positive Security Obligations” for “Critical Infrastructure Assets”

“Critical infrastructure assets” must be drawn from the above 11 “critical infrastructure sectors.” Under the Act, the Minister may “turn on” any or all of the following obligations for an asset:

A. Provide Government with the information necessary to be placed on its register of critical infrastructure assets. This may include a comprehensive picture of ownership and operational arrangements.

B. Adopt a critical infrastructure Risk Management Program (RMP), which should take an all-hazards approach across cyber, physical, natural hazard, personnel and supply chain risks. Organisations are required to report to the Government annually on their RMPs, with board-level sign-off that the RMP is up to date at the end of the financial year. Organisations must also report to the Government if a hazard had a “significant relevant impact” during the period and required an RMP update.

C. Adhere to mandatory cyber incident reporting requirements. Under the Act, critical infrastructure assets have an obligation to report cyber incidents to the ACSC, as per two defined categories:

a. “Critical Cybersecurity Incidents” need to be reported within 12 hours of the responsible entity becoming aware of the event. If the first report is given orally, then a written report must be provided within 84 hours of that first report.

b. “Other Cybersecurity Incidents” need to be reported within 72 hours of the responsible entity becoming aware of the event. If the first report is given orally, a further written report must be provided within 48 hours of that first report.

Per the Act, this reporting obligation is intended to help the Australian Government gain better insights into the cyber threat landscape and, as appropriate, support incident response.

3. Introducing “Enhanced Cyber Security Obligations” for “Systems of National Significance”

The Minister for Home Affairs has the ability to designate entities as “systems of national significance” (SoNS) – a smaller subset of critical infrastructure assets, most crucial to the nation by virtue of their interdependencies across sectors and their potential for cascading consequences if disrupted. SoNS entities may be subject to enhanced cyber security obligations, which means that in addition to meeting the positive security obligations listed in #2, they may need to take the following further steps:

A. Adopt and maintain incident response (IR) plans, and take reasonable measures to regularly review and update those IR plans. Entities may also be required to provide a copy of their IR plans to the Government, as soon as practicable, after the plan’s adoption or update.

B. Undertake cyber security exercises within a specified period, prepare a report evaluating the exercise, and provide a copy to the Government. The entity may also be required to allow one or more government officers to observe the cyber security exercise.

C. Undertake vulnerability assessments within a specified period and provide a report to the Government. In certain circumstances, a SoNS entity may be directed to have a Government officer undertake the vulnerability assessment on its behalf.

D. Provide system information on a periodic or event basis to the Government. In certain circumstances, a SoNS entity can be directed to install software to send system information directly to the Government.

4. Establishing Government Assistance Powers

Finally, the Act provides the Australian Government with information gathering, action direction and intervention powers, to be exercised as a “last resort” in circumstances where a cyber security incident has impacted, is impacting or is likely to impact a critical infrastructure sector.

Getting Ready for Australia’s Critical Infrastructure Reforms

To help ensure your organisation is ready for these reforms, you may want to consider the following measures:

  1. Review the Act and seek legal advice as to the nature and extent of your obligations.
  2. Connect with the Australian Government to learn more about these reforms. The Cyber and Infrastructure Security Centre has a range of helpful factsheets.
  3. Consider an organisational review of key practices and procedures. In particular, consider updating your IR plans. Responding to an incident is stressful enough, but well-prepared entities are more likely to be ready to meet their incident reporting requirements. You may also want to do a self-assessment against key international risk management standards, such as ISO 27001.
  4. Seek buy-in from your corporate board. Given that boards will have a role under the Act, organisations may want to brief their board and other executive stakeholders, highlighting areas where further investment and focus may be required.
  5. Consider organisational roles and responsibilities. Ensure your organisation has clear internal accountability and responsibilities for cybersecurity.

Conclusion

The loss of a critical infrastructure service could have devastating impacts across Australia. In recognition of this, the Australian Government passed these reforms to set the strategic vision for uplifting cyber security across those services most integral to our national security and economic prosperity.

Palo Alto Networks is committed to assisting our customers on their road towards compliance with Australia’s new critical infrastructure reforms. Organisations that are unsure of the Act’s applicability to them should seek independent legal advice.