The Australian Government has introduced another set of reforms to strengthen Australia’s critical infrastructure. The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) complements the reforms made in 2021 to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).[1]

The amendments proposed in the SLACIP Bill originate from the Parliamentary Joint Committee on Intelligence and Security’s advisory report on the SOCI Act. This Report had 14 recommendations, the most important being that a range of amendments need to be made to the SOCI Act. The SLACIP Act is the second iteration of reforms to the SOCI Act, guided by consultation with industry.

Cybersecurity authorities in the United States, Australia, and the United Kingdom have recently reported an increase in sophisticated, high impact ransomware incidents against critical infrastructure organisations globally. The SLACIP Bill aims to safeguard critical infrastructure from malicious actors to protect and secure essential services that Australians rely on. The risk is that given the interconnected structure of Australia’s critical infrastructure, an attack could cause significant loss for our economy, security, government, and sovereignty.

National security has a considerable impact on Australia’s economy. Foreign investment in critical infrastructure carries a unique risk as it gives access and control to foreign investors over organisations and assets. This is amplified by the increasingly challenging cyber security environment. So, this legislation is being introduced at an integral time to protect national security.

Who is covered by the Critical Infrastructure Sector?

Critical Infrastructure originally only covered the electricity, gas, water and ports sectors. This has been expanded by the SOCI Act to include:

  • the Communications sector;
  • the Financial Services and Markets sector;
  • the Data Storage or Processing sector;
  • the Defence Industry sector;
  • the Higher Education and Research sector;
  • the Energy Sector;
  • the Food and Grocery sector;
  • the Health Care and Medical sector;
  • the Space Technology sector;
  • the Transport sector; and
  • the Water and Sewerage sector.

Proposed amendments

The SLACIP Bill proposes to legislate the following preventative measures:

  • create an additional positive security obligation, the Risk Management Program, for entities responsible for critical infrastructure; and
  • Cyber and Information security obligations, for entities responsible for assets most critical to the nation (known as systems of national significance).

These measures are discussed below.

Risk Management Program

The SLACIP Bill introduces the Risk Management Program which places continuous positive obligations on critical infrastructure entities. These obligations include identifying material risks that could have an impact on the critical infrastructure assets. This is in addition to the other risk management practices the critical infrastructure entity engages in. They are also required to go as far as ‘reasonably practicable’ to minimise, eliminate, or mitigate the risk from occurring.

While each sector would have their own material risk contexts, an example would be the communications sector identifying ransomware as a material risk. A way to minimise this risk would be to implement cyber and information security safeguards to prevent ransomware attacks.

Cyber Incident Response Planning

The Bill also requires certain critical national assets to adopt cyber incident response planning and vulnerability reporting.

The Secretary of the Department of Home Affairs has the power to issue a written notice that an entity is required to adopt an incident response plan. The response plan once implemented, must be maintained, reviewed, and updated applying to the infrastructure system and cyber incidents.

What do the cybersecurity trends mean for your business?

If you are involved in running a critical infrastructure entity, it is time to start assessing the material risks faced by that entity. We also recommend creating and updating appropriate cyber security protection practices.

While the Bill mandates these are changes for critical infrastructure, it is best practice to update and maintain a high level of cyber security in all businesses. Increasingly sophisticated attacks are occurring at every level of business and government. The Australian Cyber Security Centre reported  that for more than 2 million Australian small businesses, malicious actors can be harmful and detrimental with some unable to recover. Implementing good cyber security practices and increasing cyber literacy across your whole organisation has never been more important.

For more information on the immediate actions that an organisation can take now to protect against ransomware see the material from the Australian Cyber Security Centre here.

The next stage in the legislative process

The consultation period on the exposure draft of the SLACIP Bill closed on 1 February 2022. Organisations can continue to engage in the consultation process through town hall meetings and lodging submissions. The Bill is expected to pass in the current parliamentary sitting.

For more information on the exposure draft consultation process, check out the Australian Cyber and Infrastructure Security Centre website here.

[1] Amended by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act).