As a regulator, we strive to enhance confidence in the reliability, continuity and security of Australia’s critical infrastructure. This enables businesses to address threats and challenges and to benefit from an uplift in security and resilience across all sectors.
We continue to drive an all-hazards critical infrastructure resilience regime. To accomplish this, we bring together knowledge and capabilities across government, industry and the broader community to understand risks and implement mitigations.
Critical infrastructure owners and operators best understand their sectors and assets. Our ongoing and expanding engagement is critical to our security and prosperity.
Threats to critical infrastructure
Threats to the secure and effective performance of Australia’s critical infrastructure are varied and ever present. The impact of an incident can have cascading consequences for multiple assets and services.
Threats can come from inside or outside an organisation and may include:
- hostile or criminal activity
- foreign interference
- terrorism
- natural disasters
- poor physical, personnel and cyber security practices.
Preventative obligations
Under the amended Security of Critical Infrastructure Act 2018, owners and operators of critical infrastructure assets can be asked to implement preventative obligations including:
- provide ownership and operational information to Australia’s Register of Critical Infrastructure Assets
- report cyber security incidents to the Australian Signals Directorate’s Australian Cyber Security Centre
- establish, maintain and comply with a Risk Management Program to identify and mitigate ‘material risks’ to a critical infrastructure asset’s availability, reliability and integrity.
Cyber incidents
In the event of a cyber incident, ‘Government Assistance measures’ can be invoked as a measure of last resort. These allow the Government to gather information about the incident, give directions to respond to it, or intervene to respond.
In addition, the Minister for Home Affairs is empowered to declare a smaller group of critical infrastructure assets as Systems of National Significance. This is due to their interdependencies across sectors and potential for consequences if disrupted. These can also be subject to Enhanced Cyber Security Obligations, including the development of an incident response plan.