Hi. My name is Lib Clark and I am the Assistant Secretary Industry Partnerships Branch in the Cyber and Infrastructure Security Centre at the Department of Home Affairs.
The Australian Government has been working hard with industry to protect critical infrastructure, making sure all Australians can continue to rely on the essential services they require like electricity, water and healthcare.
In 2018 the Australian Government introduced the Security of Critical Infrastructure Act – which at the time applied to certain electricity, gas, water and maritime port assets.
The 2018 Act sought to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure.
Two sets of amendments to the SOCI Act received Royal Assent in December 2021 and April 2022 respectively.
The Act was expanded, and now applies to 11 critical infrastructure sectors – capturing assets across many elements of the Australian economy – and contains significant measures to uplift the security and resilience of critical infrastructure, keeping it safe from physical, supply chain, cyber and personnel threats.
The SOCI Act has three key positive security obligations that can be “switched on” at different times for particular asset classes.
Certain entities are required to:
- provide operational and ownership information to the Register of Critical Infrastructure Assets
- report cyber incidents to the Australian Cyber Security Centre, which impact the delivery of the essential services those assets provide.
These two obligations apply to certain asset classes now, but we recognise it may take time for industry to get used to these new requirements and have included a grace period for each element before any enforcement action could be taken for non-compliance.
The third key obligation, which may apply to you in the near future, is to adopt, maintain and comply with a written risk management program. That program will need to identify and mitigate 'material risks' to your critical infrastructure asset.
This obligation may be ‘switched on’ after we consult with industry. As with our asset register and the cyber incident reporting obligations, we intend to advise Government to provide a grace period so you can get used to the changes before they commence. And we’ll encourage you to provide a submission during that consultation period on the risk management program. We want to work in partnership with you through the consultation process and on compliance with the reforms.
For a small number of our CI assets there is the possibility they will be declared a System of National Significance.
What does that mean? These assets are the most crucial to the nation, by virtue of their interdependencies across sectors and the potential for cascading consequences to other critical infrastructure assets and sectors if they are disrupted.
In addition to the obligations I’ve already outlined, entities responsible for assets designated as SoNS may be subject to Enhanced Cyber Security Obligations.
Those obligations can be considered based on the circumstances of the sector and similar assets, which recognises that different sectors have different networks and systems, and could face different risks.
The Enhanced Cyber Security Obligations include:
- developing cyber security incident response plans to prepare for a cyber security incident
- undertaking cyber security exercises to build cyber preparedness
- undertaking vulnerability assessments to identify vulnerabilities for remediation
- providing system information to develop and maintain a near-real time threat picture.
Finally, in addition to all these obligations, we have Government Assistance Measures. These measures enable the Government, as a last resort, to help industry respond to those cyber security incidents that seriously prejudice Australia’s prosperity, national security, or defence.
At the Cyber and Infrastructure Security Centre, we are committed to continued engagement with critical infrastructure owners and operators, especially through the Trusted Information Sharing Network. This network is the Government’s primary engagement mechanism with industry on critical infrastructure.
There is important work that you can do to keep your business safe from cyber threats, and from the other threats I’ve outlined, and I encourage you to explore the resources on our website at www.cisc.gov.au, where you’ll also find our contact details if you want to have a chat.
Thanks very much for your time.