The legal obligations you have if you own, operate, or have direct interests in critical infrastructure assets are outlined in the
Security of Critical Infrastructure Act 2018 (SOCI Act). It also outlines how the government can support you if an incident occurs that impacts your critical infrastructure asset.
In the energy sector, responsible entities for all asset classes must comply with the obligation to notify data service providers. They must notify their third-party data storage or processing provider that the provider is storing or processing business critical data for a critical infrastructure asset.
Responsible entities and direct interest holders for critical infrastructure energy sector assets must also comply with the following
positive security obligations:
- Provide operational and ownership information to the Register of Critical Infrastructure Assets.
- Report cyber incidents.
- Adopt, maintain and comply with a written critical infrastructure risk management program.
If you own or operate a System of National Significance, you may be subject to
Enhanced Cyber Security Obligations (ECSO).
The SOCI Act also includes
Government Assistance measures. These measures outline how the Government can help industry respond to cyber security incidents. These measures only apply to incidents that will cause serious harm to Australia’s prosperity, national security, or defence.
The energy sector includes stakeholders who work on the:
- generation, transmission and distribution of electricity
- production and delivery of natural gas and liquid fuels.
Energy critical infrastructure assets
There are four types of critical infrastructure assets within the energy sector:
- critical electricity assets
- critical gas assets
- critical energy market operator assets
- critical liquid fuel assets.
