Enhanced Cyber Security Obligations

Systems of National Significance (SoNS)

Some critical infrastructure assets will be declared a System of National Significance (SoNS) (172KB PDF). These assets are the most crucial to the nation, due to the cascading consequences that may occur if disrupted.

Entities responsible for SoNS may need to meet Enhanced Cyber Security Obligations (ECSO). These are in addition to the obligations listed above.

Which ECSO apply to a SoNS asset can depend on the circumstances of its sector and of similar assets. We recognise that different sectors have different networks and systems, and could face different risks.

The Secretary of the Department of Home Affairs (the Secretary) must consider a number of factors when deciding which ECSO to apply to each responsible entity, including:

  • the likely cost to the affected entity of complying with the obligations
  • the reasonableness and proportionality of the decision
  • any other matter the Secretary considers relevant.

ECSOs can only be applied to SoNS, not critical infrastructure more broadly.


I often get the question what is a System of National Significance or a SONS?

The Security of Critical Infrastructure Act 2018 outlines the 11 critical infrastructure sectors and then the 22 different types of critical infrastructure assets that make up those sectors.

SONS are a very, very small subset of these critical infrastructure assets that the Minister for Home Affairs has determined are of particular national significance.

In other words, SONS are the really critical infrastructure assets that have a level of interdependence and would have disproportionate impacts on our society, economy, stability or security if an incident were to successfully disrupt their operations.

Declaration of SONS is a way of calling out those critical infrastructure assets that are at the core of the functioning of how we live.

SONS are a focal point also for our engagement and big focus of effort for us. This includes through the application of Enhanced Cyber Security Obligations which can be asked of SONS.

Our approach is to have in place for each SONS the incident response plans to ensure that we are able to respond to an incident that relates to the operation of the system or a critical infrastructure incident.

Equally, there will be emergent vulnerabilities or helpful exercises that can usefully be undertaken to understand and identify vulnerabilities or test response mechanisms.

Finally, the provision of systems information to the Australian Cyber Security Centre may also help for provision of better advisories and advice to mitigate against cyber attacks.

We view SONS and the associated Enhanced Cyber Security Obligations as a legal framework for collaboration, a focal point for our engagement and an operational necessity given the global threat environment that we face.

SONS are so critical to our nation because they not only operate the essential service that they provide but underpin the essential fabric of our society, our economy or our security.

If you’d like to know more about SONS, please reach out to enquiries@cisc.gov.au.

Enhanced Cyber Security Obligations (ECSO)

There are four ECSO which can be applied to SoNS.

For more detailed information about the ECSO, read the Enhanced Cyber Security Obligations Framework Factsheet (172KB PDF).

For more information on critical infrastructure assets and your industry, go to Information for your Industry.

If you have any questions about your regulatory obligations, email enquiries@cisc.gov.au.

Develop incident response plans to prepare for a cyber security incident

The responsible entity for a SoNS should have an incident response plan detailing how they will respond to cyber security incidents that affect its systems.

This obligation will help entities identify what to do and who to call in the event of a cyber incident. It is not intended to address hazards more generally.

The Secretary must give written notice to a responsible entity of a SoNS before applying this obligation. The entity must then adopt, maintain and comply with their incident response plan. The entity must also review the plan on a regular basis.

Before giving a notice, the Secretary must:

  • consider the cost, reasonableness and proportionality and any other matter the Secretary considers relevant
  • consult the entity and any relevant Commonwealth regulator that has functions relating to the security of that system.

If the Secretary does decide to issue a notice, the notice will say when the obligation comes into effect. You will have a minimum 30 day notice period to make arrangements to meet this obligation.

You must provide the Secretary with a copy of the incident response plan as soon as practicable after you adopt it. You must also provide a new copy when any material changes are made to the plan.

There is no mandated template for an incident response plan. Responsible entities are best placed to construct a plan that is suitable for their business, and in many cases will already have plans in place. You should take into account a variety of factors, including:

  • the services provided by the asset
  • the extent and nature of interdependencies
  • the threat environment.

To assist you in meeting the incident response planning obligation, our Incident Response Planning Guidance (1238KB PDF) includes 'what good looks like' and can be used when developing and reviewing your incident response plan.

You must comply with and regularly review your plan. You must take all reasonable steps to ensure the plan is kept up to date.


Undertake cyber security exercises to build cyber preparedness

The Secretary may require the responsible entity of a SoNS to undertake cyber security exercises. These will help understand and identify vulnerabilities or test response mechanisms. The exercises reveal whether the existing resources, processes and capabilities of a responsible entity sufficiently safeguard the system from cyber security incidents.

The Secretary must give written notice to a responsible entity of a SoNS before applying this obligation. Before giving a notice, the Secretary must:

  • consider the cost, reasonableness and proportionality and any other matter the Secretary considers relevant
  • consult the entity and any relevant Commonwealth regulator that has functions relating to the security of that system.

You will have at least 30 days from when the notice is given to complete the exercises. The Secretary will include an exact period of time in the notice.

Cyber security exercises test the responsible entity’s ability to prepare, respond and reduce the potential harm of either:

  • cyber security incidents in general
  • particular threat scenarios.

There is no one form of cyber security exercise. They can be discussion or tabletop-based, operational or functional. The exercise can test different capabilities, such as:

  • internal response capability
  • responsibilities for key staff
  • coordination mechanisms.

To assist you in meeting this obligation, read the Enhanced Cyber Security Obligation Guidance - Cyber Security Exercise (1034KB PDF).

We will work with you to determine what exercise will be most useful. This will depend on the threat environment and the individual characteristics of the asset.

You may also be required to do any or all of the following things:

  • allow one or more specified designated officers to observe the cyber security exercise
  • provide those designated officers with access to premises to observe the cyber security exercise
  • provide those designated officers with reasonable assistance and facilities that are reasonably necessary to allow those designated officers to observe the cyber security exercise
  • allow those designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice
  • give those designated officers reasonable notice of the time when the cyber security exercise will begin.

A designated officer is an employee of the Department of Home Affairs or a staff member of the Australian Signals Directorate appointed by the Secretary.

Once you have completed an exercise, you must prepare an evaluation report. You must give a copy of this report to the Secretary within 30 days after the completion of the exercise, unless directed otherwise.

In some circumstances, the Secretary may require you to arrange for an evaluation report to be prepared by an external auditor.

You can find the requirements of this report in section 30CS of the SOCI Act.


Undertake vulnerability assessments to identify vulnerabilities for remediation

Vulnerability assessments identify gaps in systems that expose entities to particular types of cyber incidents. These assessments help identify where further resources and capabilities could improve an entity's preparedness for, and resilience to, a cyber incident.

There is no set form for a vulnerability assessment. Examples include:

  • a documentation-based review of a system’s design
  • a hands-on assessment
  • automated scanning with software tools.

The Secretary may give notice requiring you to undertake a vulnerability assessment of:

  • the system and all types of cyber security incidents
  • the system and one or more specified types of cyber security incidents.

The Secretary will specify how long you have to complete the assessment in the notice.

Before giving a notice, the Secretary must:

  • consider the cost, reasonableness and proportionality and any other matter the Secretary considers relevant
  • consult the entity and any relevant Commonwealth regulator that has functions relating to the security of that system.

The Secretary may give a designated officer a written request to undertake a vulnerability assessment for you. They will only do this if you are unable or unwilling to do the assessment. A designated officer is an employee of the Department of Home Affairs or a staff member of the Australian Signals Directorate appointed by the Secretary.

In this case, the Secretary will give you written notice requiring you to provide the designated officer with:

  • access to the premises for the purposes of undertaking the vulnerability assessment
  • access to computers for the purposes of undertaking the vulnerability assessment
  • reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment.

Once the assessment is completed, the responsible entity (or designated officer) must prepare a vulnerability assessment report. They must give a copy of this report to the Secretary within 30 days after the assessment has been completed. The Secretary may choose to allow a longer period for the report to be provided.

The government may use this report to work with you to identify and implement measures to address any weaknesses.

To assist you in meeting this obligation, read Enhanced Cyber Security Obligation Guidance - Vulnerability Assessment (1255KB PDF).


Provide system information to develop and maintain a near real-time threat picture

System information helps to build a near real-time threat picture. This obligation means the government will be able to develop and share actionable and anonymised information to the entity and industry more broadly. This information will help all entities to improve their cyber resilience.

System information is data generated about a system for the purposes of security, diagnostic monitoring or audit. It can include information such as:

  • network logs
  • system telemetry and event logs
  • alerts
  • netflow
  • other aggregate or metadata.

It does not include personal information.

There are three types of system information notices that the Secretary may give to a relevant entity for a SoNS. Before giving any notice, the Secretary must:

  • consider the cost, reasonableness and proportionality and any other matter the Secretary considers relevant
  • consult the relevant entity and the responsible entity for the SoNS (if the relevant entity is not the responsible entity).

A relevant entity may be a responsible entity, a direct interest holder, the operator of the asset or a managed service provider for the asset.

System information notices

The Secretary may give a notice requiring a relevant entity of a SoNS to provide systems information.

The systems information notice can be:

  • periodic reporting of system information (known as a ‘system information periodic reporting notice’)
  • in response to a specific event (known as a ‘system information event-based reporting notice’).

A system information notice can only be given if:

  • a computer is needed to operate the SoNS or is a SoNS itself
  • the Secretary believes on reasonable grounds that a relevant entity of the SoNS is technically capable of preparing periodic reports consisting of information that:
    • relates to the operation of the computer
    • may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS
    • is not personal information (within the meaning of the Privacy Act 1988).

A system information periodic reporting notice can require a relevant entity to prepare periodic reports. The entity would need to give each of those reports to the Australian Signals Directorate. The entity must provide the reports within a period outlined in the notice, at particular intervals or times.

A system information event-based reporting notice can require a relevant entity to prepare a report each time a certain event occurs. The report must be given to the Australian Signals Directorate as soon as practicable after the event occurs.

These types of notices can specify:

  • the information required
  • the manner and form of the report
  • that the report be prepared in accordance with specific information technology requirements.

A system information notice comes into force when it is given unless a later time is specified in the notice. The notice remains in force for the period specified in the notice, which cannot exceed 12 months.

System information software notices

A system information software notice is used as an option of last resort. The government provides the relevant or responsible entity with a computer program to enable the sharing of system information. This must be installed on the computer needed to operate the SoNS, or which is a SoNS itself.

A system information software notice can only be given if:

  • a computer is needed to operate the SoNS or is a SoNS itself, and
  • the Secretary believes on reasonable grounds that a relevant entity for the SoNS would not be technically capable of preparing system information periodic reports or system information event-based reports consisting of information that:
    • relates to the operation of the computer
    • may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS
    • is not personal information (within the meaning of the Privacy Act 1988).

The Secretary may give notice requiring you to:

  • install a specified computer program on the computer within a specific period
  • maintain the computer program once installed
  • take all reasonable steps to ensure the computer program is continuously supplied with an internet carriage service that enables the computer program to function.

The software must only collect and record particular kinds of information, and provide this to the Australian Signals Directorate electronically. It cannot perform any other function. It can collect and record information that:

  • relates to the operation of the computer
  • may assist with determining whether a power under the SOCI Act should be exercised in relation to the SoNS
  • is not personal information (within the meaning of the Privacy Act 1988).

A system information software notice comes into force when it is given, unless a later time is specified in the notice. The notice remains in force for the period specified in the notice, which cannot exceed 12 months.