On 22 November 2021, almost a year after the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (SOCI Bill) was first put to the House of Representatives, Parliament passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (the Act) which implements a number of amendments to the existing Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). The Act is awaiting Royal Assent, which is expected to occur imminently.
The Act represents one element of the Government’s response to the ever-increasing cyber threats faced by Australian businesses. These threats were made evident by the findings published in mid-September by the Australian Cyber Security Centre (ACSC) in the ACSC Annual Cyber Threat Report, which found that cyber-attacks are escalating in severity and frequency, with one attack reported every 8 minutes. Troublingly, that report revealed that approximately a quarter of cyber incidents reported to the ACSC in the 2020-21 financial year were associated with Australia’s critical infrastructure or essential services.
The Act has been one of the most contentious pieces of legislation this year, with many leading organisations lodging detailed submissions to Government in an effort to temper some of the more onerous requirements proposed under the original draft of the SOCI Bill. This industry consultation process led to a splitting of the obligations in the original draft of the SOCI Bill, with those contained in the Act coming into force now and the remainder deferred for future consideration.
Almost all the obligations under the Act commence on the day following the date the Act receives Royal Assent. The primary exception to this is the obligation to provide information to the Government’s Register of Critical Infrastructure Assets - entities not already subject to the SOCI Act will have a 6 month grace period to comply with that obligation.
In passing the Act, Australia joins other leading global economies in implementing a regulatory regime to protect its core critical infrastructure assets from cyber-attacks. For more information, please see our previous articles “US Cyber Incident Notification Act 2021: a late arrival to a growing party” and “Chinese Critical Information Infrastructure Regulations: a small hammer to crack a large nut”.
This article examines the key features of the Act, considers the steps businesses will need to take to ensure compliance, and summarises the aspects of the original draft of the SOCI Bill that have been deferred for further consideration.
Key features of the Security Legislation Amendment (Critical Infrastructure) Act 2021
Expanded sector coverage
The Act introduces a revised definition of “Critical Infrastructure Sector” which brings a number of new sectors within the scope of the legislative framework.
Whereas previously the SOCI Act covered specific assets in the electricity, gas, water and maritime ports sectors only, the Act now expands the coverage to encompass 11 sectors deemed ‘critical’. These are:
New definition of Critical Infrastructure Sector Assets
Critical infrastructure assets under the SOCI Act are defined by reference to specific infrastructure that is core to the relevant sector. For example, a critical water asset (an example of a critical infrastructure asset) is defined as one or more water or sewerage systems or networks that are managed by a single water utility and deliver services to at least 100,000 connections. Most of the obligations under the Act apply to the owners and operators of these critical infrastructure assets.
However, the Act recognises that a cyber security incident may impact a “critical infrastructure asset” even if the incident does not involve direct compromise of that asset (e.g. a cyber incident that impacts the functioning of an asset in a supply chain may render the primary “critical infrastructure asset” inoperable). To address this, the Act also introduces a new definition of “critical infrastructure sector assets”, being “an asset that relates to a critical infrastructure sector”. An example of a “critical infrastructure sector asset” would be an IT system used by a coal supplier who supplies coal to an electricity generator. The concept of a “critical infrastructure sector asset” is very broad, and much broader than the existing definition of “critical infrastructure assets” under the SOCI Act.
Importantly, however, whilst these new definitions are incredibly broad, not all of the obligations under the existing SOCI Act or under the Act will apply to entities having an interest in “critical infrastructure sector assets”. The majority of obligations only apply to owners or operators of the primary “critical infrastructure assets” themselves.
Mandatory reporting of cyber incidents
The Act introduces new obligations on entities responsible for “critical infrastructure assets” to report cyber security incidents affecting those assets to the Australian Signals Directorate (ASD), with the aim of facilitating the development of an aggregated threat picture and comprehensive understanding of cyber security risks to critical infrastructure, and to enable proactive and reactive cyber response options. This obligation does not apply to entities who only own / operate “critical infrastructure sector assets”.
There are two levels of reporting:
Critical cyber security incidents: A responsible entity must report (orally or in writing) that a “critical cyber security incident” has occurred or is occurring within 12 hours of the entity becoming aware that the incident has had, or is having, a “significant impact” (whether direct or indirect) on the availability of the asset. Where the report is given orally, the entity must provide a written report of the incident within a further 84 hours after the oral report was given. An incident will be considered to have a “significant impact” if the incident has materially disrupted the availability of essential goods or services provided using the asset. In assessing whether an incident is a “critical cyber security incident”, a responsible entity should consider the services being provided by the asset, the impact of a disruption to essential services, and the nature and extent of the cyber security incident.
Other cyber security incidents: A responsible entity must also report (orally or in writing) any other cyber incidents that have occurred, are occurring or are imminent within 72 hours of the entity becoming aware that the incident has had, is having, or is likely to have, a “relevant impact” on the asset. In this case, where the report is given orally, the entity must provide a written report of the incident within a further 48 hours after the oral report was given. What will constitute a “relevant impact” is defined broadly, but generally it covers all circumstances where the incident would impact the availability, reliability, confidentiality or integrity of the asset.
Failing to comply with the reporting obligations may result in a penalty of $11,100 (50 penalty units) per breach, or $55,500 (250 penalty units) if the entity is a corporation.
More entities providing information to the Register of Critical Infrastructure Assets
Under the SOCI Act, “reporting entities” for “critical infrastructure assets” are required to provide information to the Government to be recorded on its Register of Critical Infrastructure Assets (which is designed to assist Government in understanding who owns, controls or has access to “critical infrastructure assets”). This in turn will allow Government to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary.
A “reporting entity” for an asset is either the “responsible entity” for the asset or the “direct interest holder” in the asset (an entity can be both).
“Responsible entities” are sector specific (e.g. the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service). The responsible entity for an asset is required to provide “operational information” (e.g. the asset’s location, a description of the area the asset services, basic information about entities responsible for the operation of the asset and the arrangements in place with each operator) in relation to the asset.
An entity is a “direct interest holder” in relation to an asset if the entity (together with associates) holds an interest of at least 10% in the asset or holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. The direct interest holders are required to provide “interest and control information” relating to the asset (i.e. details of any entity which has an ownership interest or the ability to control the asset).
As a result of the Act, the number of entities required to report to the Register has significantly increased by virtue of the expansion of the definitions of “critical infrastructure sectors” and “critical infrastructure assets”. Note, however, that this obligation does not apply to entities that are owners or operators of “critical infrastructure sector assets” only.
Where a reporting entity fails to comply with the information provision obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.
Government assistance and intervention
Interestingly, one of the most controversial aspects of the SOCI Bill has made its way into the final version of the Act. This is the establishment of a “Government assistance and intervention” regime to respond to serious cyber security incidents that impact the ability of Australia’s critical infrastructure assets to deliver essential services.
Government intervention may occur where:
a cyber security incident has occurred, is occurring or is imminent;
the incident has had, is having or is likely to have a “relevant impact” on a “critical infrastructure asset” - a “relevant impact” is defined broadly, but generally covers circumstances where the incident would impact the availability, reliability, confidentiality or integrity of the asset;
there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice: (i) the social or economic stability of Australia or its people; (ii) the defence of Australia; or (iii) national security; and
no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
If an incident meets these conditions, the Minister for Home Affairs may authorise the Secretary of Home Affairs to do one or more of the following for a certain period of time:
give directions to a specified entity for the purposes of gathering information in relation to the incident and the impact on a relevant “critical infrastructure asset” or a specified “critical infrastructure sector asset”;
give directions to a specified entity requiring the entity to take a specific action in response to the incident and the relevant “critical infrastructure asset” or a specified “critical infrastructure sector asset”; or
give an intervention request, authorising the ASD to provide specified assistance and cooperation in response to the incident and the relevant “critical infrastructure asset” or a specified “critical infrastructure sector asset”.
Note that these powers extend not only to “critical infrastructure assets” but also to “critical infrastructure sector assets”, in recognition of the fact that a cyber incident impacting a “critical infrastructure sector asset” may have a flow on impact on a “critical infrastructure asset”. For example, if a supplier of services to a critical electricity asset is subject to a cyber incident which results in the critical electricity asset being unable to distribute electricity and the Government requires information which the electricity provider is unwilling or unable to provide, the Minister may authorise directions being given directly to the supplier to obtain the relevant information. The information would then be used to enable a response to mitigate the impact on the critical electricity asset.
To give an information gathering direction, the Minister must be satisfied that it is likely to facilitate a practical and effective response to the incident. An entity must comply with an information gathering direction to the extent that the entity is capable of doing so. Failing to do so can result in a penalty of $33,300 (150 penalty units), or $166,500 (750 penalty units) if the entity is a corporation.
To give an action direction, the Minister must be satisfied that all of the following criteria are met:
the specified entity is unwilling or unable to take all reasonable steps to resolve the incident;
the direction is reasonably necessary for the purposes of responding to the incident;
the direction is a proportionate response to the incident; and
compliance with the direction is technically feasible.
Failing to comply with an action direction can result in a penalty of 2 years imprisonment and/or a fine of $26,640 (120 penalty units), or $133,200 (600 penalty units) if the entity is a corporation.
To give an intervention request, the Minister must be satisfied that an action direction would not constitute a practical and effective response to the incident, and be satisfied that the same criteria required for an action direction are met. In these limited circumstances, the ASD may be authorised to step in to respond to an incident, including by: (i) accessing, modifying or analysing computer systems or data; (ii) installing computer programs; and (iii) removing, disconnecting, connecting or adding computers or computer devices. An entity may additionally be required to provide approved ASD staff members with access to their premises. Failure to comply with an intervention request can result in a penalty of 2 years imprisonment and/or a fine of $33,300 (150 penalty units), or $166,500 (750 penalty units) if the entity is a corporation.
What businesses need to do to ensure compliance
The activities that entities will need to undertake to ensure compliance with the new obligations under the Act differ depending on the obligation in question, and the nature of the impacted entity (in particular, whether it is an owner / operator of a “critical infrastructure asset” or of a “critical infrastructure sector asset” only).
Mandatory Reporting and Register of Critical Infrastructure Assets
Entities that own or operate “critical infrastructure assets” will need to adapt their cyber-attack response and recovery playbooks to ensure that they are able to comply with the mandatory reporting obligations in the Act if a cyber incident occurs. Many entities may already have put in place measures to enable compliance with the Mandatory Data Breach Notification Scheme under the Privacy Act 1988 (Cth), which may require notification of incidents in the same or similar circumstances as under the Act (albeit within different timeframes).
Any entities captured under the existing SOCI Act should already have processes to comply with the information provision requirements in respect of the Register of Critical Infrastructure Assets. However, other entities will need to implement processes to ensure compliance.
For those entities that are already subject to existing legislative or regulatory cyber-security regimes (e.g. the requirements in the Australian Energy Sector Cyber Security Framework or under APRA’s CPS 234 prudential standard), the steps required to uplift compliance in line with the requirements of the Act may be minimal.
Owners and operators of critical infrastructure sector assets only are not directly subject to the mandatory reporting or information provision obligations under the Act.
However, such entities may have customers who are themselves owners or operators of primary critical infrastructure assets. Those customers may be reviewing their supply chain arrangements to ensure that their own suppliers are required to provide them with prompt notice and information in respect of cyber incidents, which in turn will allow them to meet the reporting and information gathering requirements under the Act. If so, those customers may look to flow down some of these information gathering and reporting requirements to the owner / operator of the critical infrastructure sector asset. In those circumstances, the latter party may also need to adapt its processes to ensure that it is able to meet those requirements if a cyber incident occurs.
Government Assistance and Intervention
Impacted entities do not need to take any proactive action to comply with this obligation. The obligation will only crystallise in the event that a cyber security incident has occurred, is occurring or is imminent, and then only where directions are issued by the Secretary of Home Affairs. However, entities may wish to review their policies and processes to ensure that they address these obligations, and could consider implementing a training program to ensure relevant staff are aware of their obligations should they arise and are able to respond promptly.
Deferred aspects of the SOCI Bill
The desire to push the Act through Parliament this year has meant that a number of aspects of the original draft of the SOCI Bill have been deferred pending further industry consultation. This aligns with the recommendations in the PJCIS Report, where the PJCIS noted that the split enables the less urgent measures of the SOCI Bill to proceed at a “more manageable” pace for Government and industry and ensures broad stakeholder consensus is obtained.
These deferred measures include:
Sector-specific rules
Under the Act, the Minister reserves the right to make “rules” in the future that will supplement the existing provisions of the Act - for example, to define more specifically the assets that will fall within the relevant sector definitions.
Before making or amending such rules, the Minister must first publish a notice and invite further industry submissions for a period of at least 28 days. Whilst it is currently unclear what, if anything, most of the rules will contain, draft rules for the expanded definitions of “critical infrastructure assets” under the Act were published in April 2021, and we expect that these draft rules will be implemented shortly.
Adoption of a Critical Infrastructure Risk Management Program
The original SOCI Bill required responsible entities for critical infrastructure assets to adopt and maintain an all-hazards critical infrastructure risk management program, designed to require responsible entities for critical infrastructure assets to manage and mitigate risks. Risk management plans were to be reported annually to the Secretary of Home Affairs.
The co-design consultation process with industry for the proposed introduction of the risk management program is currently underway. Government has completed its first-phase consultation for the electricity and water and sewerage sectors, and consultation with the remaining sectors is expected to be completed by August 2022.
Declarations of systems of national significance and enhanced cyber security obligations
The original SOCI Bill gave the Minister power to designate a critical infrastructure asset as a ‘system of national significance’, rendering it subject to enhanced cyber security obligations under which the Secretary of Home Affairs was able to require the responsible entity to undertake prescribed cyber security activities. These include the development of cyber security incident response plans, undertaking of cyber security exercises to build cyber preparedness, vulnerability assessments to identify remediation actions, and provision of access to system information to build Australia’s situational awareness.