Legislative information and reforms

Critical Infrastructure

Changes to current regulation

Hi. My name is Lib Clark and I am the Assistant Secretary Industry Partnerships Branch in the Cyber and Infrastructure Security Centre at the Department of Home Affairs.


The Australian Government has been working hard with industry to protect critical infrastructure, making sure all Australians can continue to rely on the essential services they require like electricity, water and healthcare.


In 2018 the Australian Government introduced the Security of Critical Infrastructure Act – which at the time applied to certain electricity, gas, water and maritime port assets.


The 2018 Act sought to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure.


Two sets of amendments to the SOCI Act received Royal Assent in December 2021 and April 2022 respectively.


The Act was expanded, and now applies to 11 critical infrastructure sectors – capturing assets across many elements of the Australian economy – and contains significant measures to uplift the security and resilience of critical infrastructure, keeping it safe from physical, supply chain, cyber and personnel threats.


The SOCI Act has three key positive security obligations that can be “switched on” at different times for particular asset classes.


Certain entities are required to

  1. provide operational and ownership information to the Register of Critical Infrastructure Assets
  2. report cyber incidents which impact the delivery of the essential services those assets provide to the Australian Cyber Security Centre.


These two obligations apply to certain asset classes now, but we recognise it may take time for industry to get used to these new requirements and have included a grace period for each element before any enforcement action could be taken for non-compliance.


The third key obligation is one that, in the near future, you may also be required to meet: to adopt, maintain and comply with a written risk management program. That program will need to identify and mitigate 'material risks' to your critical infrastructure asset.


This obligation may be ‘switched on’ after we consult with industry. As with our asset register and the cyber incident reporting obligations, we intend to advise Government to provide a grace period so you can get used to the changes before they commence. And we’ll encourage you to provide a submission during that consultation period on the risk management program. We want to work in partnership with you through the consultation process and on compliance with the reforms.


For a small number of our CI assets there is the possibility they will be declared a System of National Significance.


What does that mean? These are the assets that are the most crucial to the nation, by virtue of their interdependencies across sectors and the potential for cascading consequences to other critical infrastructure assets and sectors if disrupted.


In addition to the obligations I’ve already outlined, entities responsible for those assets designated as SoNS may be subject to Enhanced Cyber Security Obligations.


Those obligations can be considered according to the circumstances for the sector and similar assets, which recognises that different sectors have different networks and systems, and could face different risks.


The Enhanced Cyber Security Obligations include:

  1. developing cyber security incident response plans to prepare for a cyber security incident
  2. undertaking cyber security exercises to build cyber preparedness
  3. undertaking vulnerability assessments to identify vulnerabilities for remediation
  4. providing system information to develop and maintain a near-real time threat picture.


Finally, in addition to all these obligations, we have Government Assistance Measures. Now these measures enable the Government, as a last resort, to help industry respond to those cyber security incidents that seriously prejudice Australia’s prosperity, national security, or defence.


At the Cyber and Infrastructure Security Centre, we are committed to continued engagement with critical infrastructure owners and operators, especially through the Trusted Information Sharing Network. This network is the Government’s primary engagement mechanism with industry on critical infrastructure.


There is important work that you can do to keep your business safe from cyber threats, and these other threats I’ve outlined, and I encourage you to explore the resources on our website, which you’ll find at www.cisc.gov.au, and which also include our contact details if you want to have a chat.


Thanks very much for your time.

The regulation of critical infrastructure under the Security of Critical Infrastructure Act 2018 (the SOCI Act) now places obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry sectors.

The SOCI Act was amended to strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes the SOCI Act applies to, and to introduce new obligations.


In the SOCI Act we have developed, in conjunction with industry, definitions that outline each of the 11 critical infrastructure sectors. We have also worked with industry to develop definitions to clearly articulate what would constitute a critical infrastructure asset within each of these sectors.

The new requirements may apply to owners and operators of critical infrastructure assets and those businesses who have a direct interest in the critical infrastructure asset. If you are not sure whether you are an owner or operator, or are a direct interest holder of a critical infrastructure asset, refer to CI assets captured under the Act.

Although your business may be captured by the SOCI Act, not all of the obligations in the SOCI Act may be applicable to your business. However, it is important for you to know whether you are captured by the SOCI Act and that additional responsibilities may apply to your business in future.

In March 2022, additional amendments to the SOCI Act introduced the following key measures:

  • a new obligation for responsible entities to create and maintain a critical infrastructure risk management program (the Minister for Home Affairs will consult with industry before the rules are made setting out the requirements for a risk management program), and
  • a new framework for enhanced cyber security obligations required for operators of systems of national significance (SoNS), Australia’s most important critical infrastructure assets (the Minister for Home Affairs will consult with impacted entities before any declarations are made).

These reforms seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets, and to improve information exchange between industry and government to build a more comprehensive understanding of threats.


Systems of National Significance

I often get the question: what is a System of National Significance, or a SONS?


The Security of Critical Infrastructure Act 2018 outlines the 11 critical infrastructure sectors and then the 22 different types of critical infrastructure assets that make up those sectors.


SONS are a very, very small subset of these critical infrastructure assets that the Minister for Home Affairs has determined are of particular national significance.


In other words, SONS are the really critical infrastructure assets that have a level of interdependence and would have disproportionate impacts on our society, economy, stability or security if an incident were to successfully disrupt their operations.


Declaration of SONS is a way of calling out those critical infrastructure assets that are at the core of the functioning of how we live.


SONS are also a focal point for our engagement and a big focus of effort for us. This includes through the application of Enhanced Cyber Security Obligations, which can be asked of SONS.


Our approach is to have in place for each SONS the incident response plans to ensure that we are able to respond to an incident that relates to the operation of the system or a critical infrastructure incident.


Equally, there will be emergent vulnerabilities or helpful exercises that can usefully be undertaken to understand and identify vulnerabilities or test response mechanisms.


Finally, the provision of systems information to the Australian Cyber Security Centre may also help with the provision of better advisories and advice to mitigate against cyber attacks.


We view SONS and the associated Enhanced Cyber Security Obligations as a legal framework for collaboration, a focal point for our engagement and an operational necessity given the global threat environment that we face.


SONS are so critical to our nation not only for operating the essential services that they provide, but because they underpin the essential fabric of our society, our economy or our security.

If you’d like to know more about SONS, please reach out to enquiries@cisc.gov.au.


We will work in partnership with owners and operators of critical infrastructure assets to make sure the new requirements build on and do not duplicate existing obligations.