Last year saw a huge upheaval for businesses as they were forced to rapidly reimagine their operating systems and workforce engagement in response to Covid-19.

And while vaccination rollouts provide some prospect of a return to “normality”, businesses must now prepare for the next big change – complying with the federal government’s new Security Legislation Amendment (Critical Infrastructure) Bill 2020.

Where previously only the electricity, gas, water and ports sectors were subject to the Security of Critical Infrastructure Act 2018 (SOCI Act), the new amendment Bill significantly expands the scope to entities operating in 11 sectors now deemed “critical”:

• Communications
• Data storage and processing
• Defence
• Financial services and markets
• Food and grocery
• Higher education and research
• Health care and medical
• Transport
• Energy
• Space technology
• Water and sewerage

Central to the Bill, set to take effect at the end of 2021, is the expansion of security obligations, with critical infrastructure operators now subject to:

• Positive Security Obligations (PSO) for critical infrastructure entities;
• enhanced cyber security obligations for entities deemed of national significance; and
• government assistance to entities in response to significant cyber-attacks on Australian systems.

Positive Security Obligations – what does it mean for you?

The PSO builds on existing obligations in the SOCI Act to embed preparation, prevention and mitigation activities into business operating systems to provide better situational awareness of threats to industrial operating systems and strengthen resilience.

As such, businesses will now be required to:

• adopt and maintain an all-hazards critical infrastructure risk management program;
• mandatorily report serious cyber security incidents to the Australian Signals Directorate (ACSC); and
• provide ownership and operational information to the Register of Critical Infrastructure Assets, where applicable.

Each PSO aspect will apply once a “rule” is made and “switched on” in relation to a specific critical infrastructure asset or a class of critical infrastructure assets.
Critical Infrastructure Risk Management Program – What is it and do I need one?

The answer is yes, if the obligation is “switched on” for a particular type of infrastructure asset under your control.

A Critical Infrastructure Risk Management Program requires entities to take an “all hazards approach” to identifying and mitigating risks to the “availability, integrity, reliability or confidentiality of the asset or information associated with the asset”.

The risk management program will be governed by overarching obligations and detailed sector-specific requirements contained in “rules” co-designed with stakeholders, focusing on four domains: physical, personnel, cyber and supply chain security.

Mandatory reporting of cyber incidents

The new Act makes reporting cyber incidents to the Australian Signals Directorate mandatory, with the aim of building a comprehensive aggregated threat picture.

Register of Critical Infrastructure Assets

Where business ownership and operational detail previously extended to sectors covered by the SOCI Act, the government will now require this level of detail from the expanded class of critical infrastructure assets.

Enhanced Cyber Security Obligations – what’s the significance?

This applies to assets declared as systems of national significance by “virtue of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors”.

Under the Bill, the Secretary of Home Affairs can direct this asset class to:

◦ develop cyber security incident response plans;

◦ complete cyber security exercises;

◦ undertake vulnerability assessments; and

◦ provide access to system information.

Ignoring cyber security comes at a cost, with fines imposed for breach of the Act’s enhanced security obligations, but also the potentially bigger cost of businesses continuing to leave their operations vulnerable to attack.

Which brings us to the final new security obligation – Government Assistance.

While termed “assistance”, this aspect of the Bill has proved the most controversial given it allows the government to directly intervene where the entity is “unwilling or unable to take responsible steps to resolve the cyber security incident”.

Subject to certain circumstances, it will also allow the Australian Signals Directorate to step in to respond to an incident by accessing, modifying or analysing computer systems or data.

New legislation is always difficult to navigate, and with less than five months before the Act comes into force, businesses need to be on the front foot to ensure they fully comprehend and comply with all the new requirements.

Secolve can assist in reviewing your cyber security needs, hardening your defences in line with PSO requirements, testing your existing strategies, reviewing your Operational Technology (OT) compliance in light of new obligations, and advising you on your next steps.