Critical Infrastructure Protection Act 2022 explained

The Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) provides a framework for managing risks relating to Australia's critical infrastructure, including national security risks of espionage, sabotage, and foreign interference. On 2 April 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (the SLACIP Act) came into effect. The SLACIP Act amends the SOCI Act and builds on the amendments of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) that came into effect on 2 December 2022. Lisa Fitzgerald and Keely O'Dowd, from Lander & Rogers, provide a look into the SLACIP Act and its impact on Australia's critical infrastructure framework.

The SOCI Act Reforms

The SLACIP Act introduced two new features to Australia's critical infrastructure framework:

• a risk management program (new Part 2A of the SOCI Act); and
• a Ministerial power to declare systems of national significance (new Part 6A of the SOCI Act).

We explore these two new features below.

Overview of the SLACIP Act

Critical infrastructure risk management program

New Part 2A of the SOCI Act requires responsible entities of one or more critical infrastructure assets to adopt, comply with, and maintain a critical infrastructure risk management program.

The objective of this amendment is to uplift the core security practices of critical infrastructure assets by ensuring that responsible entities take a holistic and proactive approach towards identifying, preventing, and mitigating risks from all hazards.¹

The purpose of the risk management program requires responsible entities of specified critical infrastructure assets to:

• identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on a critical infrastructure asset;
• minimise or eliminate any material risk of a hazard occurring, so far as it is reasonably practicable to do so; and
• mitigate the relevant impact of a hazard on a critical infrastructure asset (Section 30AH(1)(b) of the SOCI Act).

The risk management program must be in writing, regularly reviewed, and updated.

Application of the critical infrastructure risk management program

The obligation to establish, maintain, and comply with a critical infrastructure risk management program will only apply or be 'switched on' if the Minister specifies in rules that the obligation will apply to a critical infrastructure asset or class of critical infrastructure assets.

It is proposed that the risk management program will apply to the following critical infrastructure assets in the first instance:

• critical broadcasting assets;
• critical domain name system assets;
• critical data storage or processing assets;
• certain critical hospital assets;
• critical energy market operator assets;
• critical water assets;
• critical electricity assets;
• critical gas assets;
• critical liquid fuel assets;
• critical financial market infrastructure assets that are specified payment systems operator assets;
• critical food and grocery assets;
• critical freight infrastructure assets;
• critical freight services assets; and
• specified critical defence industry assets.

The Risk Management Program Rules will set out the detailed requirements of the risk management program. As at November 2022, draft Rules² have been released for public consultation.

For more information, refer to the Cyber and Infrastructure Security Centre Risk Management Program Fact Sheet³.

Annual reporting obligations

Responsible entities are subject to annual reporting obligations under Section 30AG or Section 30AQ of the SOCI Act. Within 90 days after the end of the financial year, a responsible entity must give an annual report to the 'relevant Commonwealth regulator' (to be specified in Ministerial rules). The annual report must be given to the Secretary for Home Affairs if no regulator is specified in Ministerial rules.

The annual report must be approved by the responsible entity's board, council, or other governing body.

If a responsible entity is covered by a critical infrastructure risk management program, the annual report must include a statement covering the following information:

• whether or not the entity's risk management program was up to date at the end of the financial year;
• identification of any hazards that have had a significant relevant impact on the entity's asset;
• an evaluation of the effectiveness of the risk management program in mitigating the significant relevant impact of identified hazards on the asset concerned; and
• if the program was varied during the financial year as a result of the occurrence of the hazard, an outline of the variation.

If a responsible entity is not covered by a critical infrastructure risk management program, the annual report must set out:

• the reasons why the responsible entity's assets are exempt from the critical infrastructure risk management program; and
• a statement identifying any hazards that have had a significant relevant impact on the entity's asset and an evaluation of the effectiveness of the action (if any) taken by the entity for the purposes of mitigating the significant relevant impact of the hazard on the asset concerned.

Civil penalty provisions

Failure to comply with the risk management program or annual reporting obligations under the SOCI Act may attract civil penalties.

Declaration of systems of national significance

New Part 6A of the SOCI Act grants the Minister for Home Affairs the power to privately declare a critical infrastructure asset that is of national significance to be a system of national significance. In determining whether an asset is of national significance, the Minister must have regard to the consequences that would arise for:

• the social or economic stability of Australia or its people;
• the defence of Australia; or
• national security.

In addition, if the Minister is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets, the Minister must have regard to the nature and extent of those interdependencies.

According to the Explanatory Memorandum to the SLACIP Act, national significance does not require the asset to operate nationally or provide a service which impacts the entirety of Australia. Rather the asset, and its functioning, must be significant from a national perspective.

The Minister must, within 30 days after making the declaration, notify the following of the declaration:

• each reporting entity of the asset;
• the Parliamentary Joint Committee on Intelligence and Security; and
• the first Minister of a State or Territory, if the asset is a tangible asset located (wholly or partly) in their State or Territory.

A system of national significance is subject to enhanced cybersecurity obligations under new Part 2C of the SOCI Act. These obligations are:

• statutory incident response planning;
• undertaking cybersecurity exercises;
• undertaking vulnerability assessments; and
• complying with reporting obligations to the Australian Signals Directorate.

Incident response planning

A responsible entity of a system of national significance must comply with the incident response planning obligations if the Secretary of Home Affairs gives a written notice to the entity that the incident response planning obligations apply to the entity in relation to the system and cybersecurity incidents (Section 30CB of the SOCI Act).

The notified entity must adopt and maintain an incident response plan. This plan must be reviewed and updated on a regular basis. Failure to do so may attract a civil penalty.

Incident response plans are intended to ensure an entity has established processes and tools to prepare for, and respond to, cybersecurity incidents. The plan must be in writing and a copy of the plan must be given to the Secretary of Home Affairs (Section 30CH of the SOCI Act).

Cybersecurity exercises

A responsible entity of a system of national significance must undertake a cybersecurity exercise in relation to the system and one or more types of cybersecurity incidents if the Secretary of Home Affairs gives a written notice to the entity requiring it to do so (Section 30CM of the SOCI Act).

Cybersecurity exercises must test the preparedness, mitigation, and response capabilities of the entity. There is no prescribed form for the cybersecurity exercises.

An entity will have at least 30 days to complete the exercise. Once the exercise is completed, the responsible entity must prepare an evaluation report relating to the exercise and give a copy of the report to the Secretary within 30 days after completion of the exercise (Section 30CQ of the SOCI Act). If the Secretary has reasonable grounds to believe the report was not prepared appropriately, the Secretary may appoint an external auditor to prepare the evaluation report (Section 30CR of the SOCI Act).

The evaluation report must include certain prescribed matters set out in Section 30CS (and the rules if any), including an evaluation of the entity's:

• ability to respond appropriately to cybersecurity incidents that could have a relevant impact on the system;
• preparedness to respond appropriately to cybersecurity incidents that could have a relevant impact on the system; and
• ability to mitigate the relevant impacts that cybersecurity incidents could have on the system (Section 30CS of the SOCI Act).

Vulnerability assessments

A responsible entity of a system of national significance must undertake a vulnerability assessment in relation to the system and one or more types of cybersecurity incidents if the Secretary of Home Affairs gives a written notice to the entity requiring it to do so (Section 30CU of the SOCI Act).

Vulnerability assessments must identify 'gaps' in systems that may expose entities to cyber incidents and test the vulnerability of those systems. There is no prescribed form for a vulnerability assessment.

If an entity is unable or unwilling to undertake a vulnerability assessment the Secretary may give a designated officer a written request to undertake the vulnerability assessment (Section 30CW(2) of the SOCI Act). Otherwise, the entity must perform the vulnerability assessment within the timeframe specified in the Secretary's notice.

Once the vulnerability assessment is completed, the responsible entity must prepare a vulnerability assessment report relating to the assessment and give a copy of the report to the Secretary within 30 days after the completion of the assessment (Section 30CZ of the SOCI Act). The purpose of the report is to assess the vulnerability of the systems to cybersecurity incidents (Section 30DA of the SOCI Act).

The vulnerability assessment reports will provide the Australian Government with visibility of potential weaknesses in assets that are the most critical to Australia's national interest and where cybersecurity capability needs an uplift. The Explanatory Memorandum to the SLACIP Act states the Government will use the reports to work with the relevant responsible entity to identify and implement proportionate measures to address any weaknesses identified in the report.

Access to system information

The 'relevant entity' that is technically capable of preparing reports in relation to computers that are needed to operate a system of national significance or are a system of national significance may be subject to access to system information obligations.

A 'relevant entity' is an entity that:

• is the responsible entity for the asset;
• is a direct interest holder in relation to the asset;
• is the operator of the asset; or
• is a managed service provider for the asset.

System information is data generated about a system for the purposes of security, diagnostic monitoring, or audit, such as network logs, system telemetry and event logs, alerts, netflows, and other aggregate or metadata that provide visibility of malicious activity occurring within the normal functioning of a computer network. It does not include personal information as defined in the Privacy Act 1988 (Cth).

The Secretary of Home Affairs may issue three types of system information notices to entities:

• a system information periodic reporting notice: requiring the entity to prepare periodic reports consisting of information that relates to the operation of the computer (Section 30DB of the SOCI Act);
• a system information event-based reporting notice: requiring the entity to prepare a report each time a certain event occurs (Section 30DC of the SOCI Act); and
• a system information software notice: requiring the entity to install a specified computer program on the applicable computer to share information with the Australian Signals Directorate if the entity is not technically capable of preparing reports under Section 30DB or 30DC (Section 30DJ of the SOCI Act).

The Secretary must not issue a notice unless they believe on reasonable grounds the information in the reports may assist with determining whether a power under the SOCI Act should be exercised in relation to the system of national significance.

For more information about the enhanced cybersecurity obligations, refer to the Cyber and Infrastructure Security Centre The Enhanced Cyber Security Obligations Framework Fact Sheet⁴.

Civil penalty provisions

Failure to comply with the enhanced cybersecurity obligations under the SOCI Act may attract civil penalties.

Takeaways

The recent amendments to the SOCI Act send a clear message to responsible entities of critical infrastructure assets that risk management (including cybersecurity risk management) must be prioritised and form part of the entity's core business activity.

Breaches of the risk management program obligations and enhanced cybersecurity obligations will be subject to civil penalties up to 200 penalty units - currently AUD 44,400 (approx. €28,410). Therefore, to mitigate the risk of a fine, responsible entities that are unsure of their obligations under the SOCI Act should start to learn more about the new positive security obligations, the recent amendments to the SOCI Act, and how those amendments affect their business.

It is evident that the former Australian Government sought to uplift risk management practices and the cybersecurity capability of entities responsible for infrastructure assets that are vital to Australia's national interest, economy, security, and society.

Given recent high profile cyber attacks in Australia, the current Australian Government will likely continue the former Government's strategy to uplift the cybersecurity practices of Australian businesses. Ms Clare O'Neill MP has been appointed as Australia's first Minister for Cyber Security. This is the first time a cybersecurity portfolio has featured in the Australian cabinet, thus elevating the importance of, and the Australian Government's commitment to, cybersecurity.

There is no better time for responsible entities to understand their rights and obligations under the SOCI Act, including the risk management program obligations. This will enable responsible entities to be SOCI Act compliant and ready for any future cybersecurity reforms that may be implemented by the new Australian Government and a heightened threat environment.

*This article was first published on the website of OneTrust DataGuidance in December 2022.

¹ See the Explanatory Memorandum, Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, paragraph 125, p 29.

² See: https://www.homeaffairs.gov.au/reports-and-pubs/files/soci-rmp-rules-legislative-instrument-lin-22-018.PDF

³ See: https://www.cisc.gov.au/resources-subsite/Documents/cisc-factsheet-risk-management-program.pdf

⁴ See: https://www.cisc.gov.au/resources-subsite/Documents/cisc-factsheet-systems-of-national-significance-enhanced-cyber-security-obligations.pdf