Security Legislation Amendment (Critical Infrastructure) Act 2021

Executive Summary

The recently released Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SOCI Act) has amended the Security of Critical Infrastructure Act 2018 (Cth) with a view to further managing the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure.

The amended SOCI legislation sees an increase in the critical infrastructure asset classes from 4 to 11 sectors, namely communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage.

Importantly, the amendments have increased reporting obligations for critical assets. In the event of an attack on a critical asset, government notification is required. In addition, government assistance and intervention powers have been introduced to allow for an urgent response in situations that present a material risk to national security.

It is important that organisations consider whether they are captured by the expanded critical infrastructure asset classes and prepare for the updated reporting regime accordingly.

What are the changes to Australia’s Critical Infrastructure Laws?

In November 2020, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended two new legislation pieces be passed. However, since that time, the consultation process has seen extensive changes made to Parliament’s original proposal.

Following the PJCIS recommendations, the original SOCI Bill was split into two amendments, Bill One (the SOCI Bill as passed by Parliament) and Bill Two (there is no timeframe for passing).

Bill One

Bill One expands the coverage of the original Act, by extending the definition of ‘Critical Infrastructure Assets’ to include sectors not traditionally considered to be infrastructure, including financial services. In addition, Bill One introduces positive security obligations for relevant assets, enhanced cyber security obligations and government assistance powers.

Positive Security Obligations

Part 2 of the existing SOCI Act requires assets covered by the Act to provide ownership and operational information to the Secretary of Home Affairs for the Register of Critical Infrastructure Assets (the Register). Bill One will extend this requirement to the expanded class of critical infrastructure assets where appropriate to develop and maintain a comprehensive picture of national security risks, and apply mitigations where necessary.

The Part 2 definition has been expanded to the following Critical Infrastructure Assets:

• broadcasting
• domain name system
• data storage or processing
• a critical financial market infrastructure asset that is a payment system
• food and grocery
• hospital
• freight infrastructure
• freight services
• public transport
• liquid fuel
• energy market operator
• electricity (to the extent not already captured)
• gas (to the extent not already captured).

Bill One will also introduce an all-hazards positive security obligation for a range of critical infrastructure assets across critical sectors. The obligations to be included in the SOCI Act in relation to a critical infrastructure risk management program will be supported by specific requirements which will be prescribed in rules.

The positive security obligations involve three elements:

1. adopting and maintaining an all-hazards critical infrastructure risk management program (Part 2A);
2. mandatory reporting of serious cyber security incidents to the Australian Signals Directorate (ASD) (Part 2B); and
3. where required, providing ownership and operational information to the Register of Critical Infrastructure Assets (Part 2).

Only the second and third elements of the positive security obligations will be enacted in Bill One (Part 2B & 2).

Part 2B will require owners and operators of critical infrastructure assets to notify the ASD (or other Commonwealth Body notified in the rules) of any cyber security incident that significantly impacts assets. A cyber security incident is defined as one or more acts, events or circumstances involving unauthorised access, modification or impairment of computer data, a computer program or a computer.

The amendment introduces Sections 30BC & 30BD, s30BC is focused on incidents that have a ‘significant’ impact on the availability of the asset and must be reported within 12 hours, while section s30BD is focused on any relevant impact and must be reported within 72 hours, with non-compliance carrying civil penalties. Section 30BD also applies to incidents that have not yet occurred but will occur imminently.

The legislation is designed in such a way to give the Minister power to ‘switch on’ and ‘off’ these obligations. This provides some discretion if, for example, the Minister decided reporting obligations should not apply to one class of assets.

Government Assistance Powers

Bill One will also introduce Part 3A, which grants the Government additional powers enabling them to gather information, take action relating to an incident, and, as a last resort, intervene and take control of an asset when the owning entity is unwilling or unable to resolve a cyber security incident.

It is important to note these Ministerial powers can only be exercised if an incident of material risk has occurred, will occur or is occurring and that asset is a critical infrastructure asset.

Entities are primarily responsible for managing cyber security risks through calibrated risk management, preparatory activities and enhanced situational awareness. However, in exceptional circumstances, the enhanced framework will provide the Government with the power to take appropriate steps to prevent and address cyber security incidents that threaten serious prejudice to Australia’s interests, mitigate the impacts of such incidents on critical infrastructure, and restore the functioning of those assets. Under the Government Assistance measures, the Minister for Home Affairs to authorise the Secretary of Home Affairs to do one or more of the following:

• Information gathering direction – require the responsible entity for an asset within a critical infrastructure sector to provide information.
• Action direction – require the responsible entity for an asset within a critical infrastructure sector to prevent a cyber security incident, mitigate the impact of the incident, or restore the functionality of a critical infrastructure asset affected by the incident.
• Intervention request – if an entity is not responding to an information gathering direction or an action direction, the Secretary would be able to request assistance from the Australian Signals Directorate through the exercise of intervention request powers about a cyber incident. Essentially, this will be a last resort power and would also require the agreement of the Minister for Defence and the Prime Minister.

These powers will provide the Government with the power to act in exceptional circumstances to protect our nation’s critical infrastructure assets. This will be achieved by enabling the Minister for Home Affairs to authorise the Secretary of Home Affairs to issue an information gathering direction, an action direction or an intervention request.

Bill Two

Critical Infrastructure Management Program

Bill Two will introduce the first element of the positive security obligation, Part 2A, which will require critical infrastructure assets to develop and comply with a critical infrastructure risk management program – the first element of the positive security obligations. Responsible entities must comply with, review, and update the program and submit an annual report.

Enhanced Cyber Security Obligations

Bill Two will also introduce Part 2C, Enhanced Cyber Security Obligations that apply to a significantly smaller subset of critical infrastructure assets that are crucial to the nation, by virtue of their interdependencies across sectors and consequences of cascading disruption to other critical infrastructure assets and sectors.

The Enhanced Security Obligations will only apply to assets considered to be of the highest criticality (systems of national significance). These obligations are intended to build upon the existing strong Government-industry partnership and provide the Government with the information and understanding necessary to reduce the risk and potential impacts of significant cyber incidents. It will also assure the Government that assets of the highest criticality are actively safeguarding their assets from cyber vulnerabilities above and beyond their requirements under the Positive Security Obligations. There will be four distinct components of the Enhanced Cyber Security Obligations which will be activated only on request (meaning there is no standing obligation):

1. Develop and maintain incident response plans.
2. Undertake a scenario-based exercise.
3. Conduct a vulnerability assessment.
4. Provide access to system information relating to the functioning of a system.

What entities will be systems of national significance will be declared by the Minister under Part 6A that will be introduced in Bill Two.

Why are Australia’s Critical Infrastructure Laws being changed?

Australia is facing increasing cyber security threats to essential services, businesses and all levels of Government. For example, in recent years, we have seen cyber-attacks on federal Parliamentary networks, logistics, the medical sector and universities – to mention a few.

The consequences of a prolonged and widespread failure in the energy sector, for example, could be catastrophic to our economy, security and sovereignty, as well as the Australian way of life.

In January 2017, the Australian Government launched the Critical Infrastructure Centre (now within the Critical Infrastructure Security Division in the Department of Home Affairs) to enhance its ability to respond to the evolving threat environment, particularly from foreign interference in Australia’s critical infrastructure.

Following this, the Australian Government introduced two sets of legislation to address national security risks associated with Australia’s critical infrastructure, SOCI and the Telecommunications Sector Security (TSS) reforms, which operates alongside the Foreign Acquisitions and Takeovers Act 1975 (Cth) (FATA). The Department of Home Affairs’ regulatory powers concerning the SOCI Act and TSS reforms arise from the Regulatory Powers (Standard Provisions) Act 2014 (Cth).

Accordingly, the Government is introducing an enhanced regulatory framework, building on existing requirements under the SOCI Act.

The previous SOCI Act placed regulatory obligations on specific entities in the electricity, gas, water and maritime ports sectors. However, as the security landscape evolves, so has the Government’s approach to managing risk across all critical infrastructure sectors.

When do the changes come into effect?

Bill One received royal assent on 2 December 2021 and came into effect on 3 December 2021.

The timeline for Bill Two is currently unknown.

How do the changes affect you?

As we have experienced from the recent introduction of the Mandatory Breach Reporting regime, it is more important than ever to have robust policies and procedures, including incident identification and reporting channels, to ensure that reporting requirements can be addressed promptly and efficiently.

Due to the scope of these changes affecting the entire financial services industry (with specific reference made to banking, superannuation, insurance, financial services and credit facility businesses), and the strict nature of the notification timelines, we consider that integrating these changes into your compliance infrastructure is critical to ensure continued compliance of your organisation.

According to s30BB, the application of Part 2 & 2B applies if the Minister makes a declaration to that asset, in which case the declaration must be provided to each reporting entity for the asset, in writing, within 30 days of making the declaration. Alternatively, Part 2 & 2B apply if the asset is specified in the rules. These rules can be found here.

The rules prescribe thresholds for entities that classify the asset as a Critical Infrastructure Asset if met. For example, insurers with total assets over $2 billion are deemed Critical Insurance Assets, deposit-taking institutions with total assets over $50 billion are Critical Banking Assets, and a gas transmission pipeline is a Critical Gas Asset if in the Eastern gas market its Nameplate Rating exceeds 200 terajoules per day. This means assets above those thresholds are subject to the Part 2 & 2B reporting obligations.

The consultation for the proposed Bill Two is currently underway. Click here for more information.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by: 

Susan Forrest, Partner
Daniel Maroske, Director
Yvonne O’Byrne, Special Counsel
Freddie Carlton-Smith, Paralegal