Security of Critical Infrastructure

Overview

• The Australian Government's Critical Infrastructure Resilience Strategy defines critical infrastructure as: "those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security".
• Most laws regulating the security of Australia's critical infrastructure are contained in the Security of Critical Infrastructure Act 2018 (Cth), although other national infrastructure like telecommunications is subject to its own regulatory regime, such as the Telecommunications Act 1997 (Cth).

Background

• There has been a substantial increase in foreign involvement in Australia's critical infrastructure in a broader context of increased cyber connectivity and dependency on global supply chains. Such global interrelationships have led Australia to be especially susceptible to malicious activity, including sabotage, espionage, and coercion.
• The Australian Government has announced plans for an enhanced critical infrastructure framework - see Protecting Critical Infrastructure and Systems of National Significance Consultation Paper (August 2020).

Legal Framework

Security of Critical Infrastructure Act 2018 (Cth)

• The Security of Critical Infrastructure Act 2018 (Cth) applies to entities that operate or have interests in a critical infrastructure asset, and is intended to cover approximately 200 assets across the electricity, gas, water and ports sectors.
• The Act's objectives are to improve the Commonwealth's ability to respond to national security risks that may affect Australia's critical infrastructure by increasing the transparency of ownership and operational control of such infrastructure, and promoting cooperation between various levels of government, regulators and critical infrastructure owners.
• The core components of the Act are:
  • a non-public register of critical infrastructure assets to which 'reporting entities' for critical infrastructure assets must supply information about interests and ownership of those assets;
  • an information gathering power held by the Secretary of the Department of Home Affairs requiring an owner/operator of a critical infrastructure asset to provide particular information; and
  • a directions power held by the Minister for Home Affairs instructing an owner/operator of critical infrstructure to perform or not perform something that reduces a national security risk, with non-compliance attracting a penalty.

Regulatory & Policy Framework

• Australia's 2020 Cyber Security Strategy
• National Guidelines for Protecting Critical Infrastructure from Terrorism (2015)
• Critical Infrastructure Resilience Strategy: Policy Statement (2015)
• The Critical Infrastructure Centre and Foreign Investment Fact Sheet
• Australian Prudential Regulation Authority's prudential standard CPS234 (2019), which focuses on improving resilience with respect to information security incidents.
• The Department of Agriculture, Water and the Environment Preparation for an Emergency Fact Sheet (agriculture-oriented)
• Australian Cyber Security Centre's Cyber Supply Chain Risk Management Practitioner Guide (2020)

Relevant Organisations

• Department of Home Affairs
  • Security of Critical Infrastructure Act 2018
  • Security of Critical Infrastructure Act 2018 - 2019-20 Annual Report
• Critical Infrastructure Centre
• The Trusted Information Sharing Network for Critical Infrastructure Resilience (TISN) presently enables owners and operators of critical infrastructure to share information with government.
• The Critical Infrastructure Program for Modelling and Analysis (CIPMA) utilises data models to work with the Critical Infrastructure Centre and the TISN to determine how critical infrastructure systems operate and interrelate, including their interdependencies, relationships between networks and assets, vulnerabilities and the potential impacts of cyber security incidents.
• Department of the Prime Minister and Cabinet
  • Australian Data and Digital Council
  • Office of Best Practice Regulation

Inquiries & Consultations

• The Australian Government's Protecting Critical Infrastructure and Systems of National Significance Consultation Paper, Department of Home Affairs (August 2020), proposes an enhanced framework with the following features:
  • 'Positive security obligations' to protect against all hazards for critical infrastructure and systems, implemented through sector-specific standards.
  • 'Enhanced cyber security obligations' that include information gathering powers, owner/operator participation and risk preparation obligations, and development of a scenario-based 'playbook' detailing response arrangements.
  • 'Government assistance' for entities that are targets or victims of cyber attacks.
• These features will apply to entities to varying degrees depending on the entity's critical status and national signifiance.
• The scope of 'critical infrastructure', which is currently limited to electricity, gas, water and maritime ports under the Security of Critical Infrastructure Act 2018 (Cth), will expand to include energy, data, the Cloud, space, defence industry, transport, water, innovation, energy, grocery, health, education, innovation, research, banking and finance.
• The enhanced critical infrastructure framework forms part of the $1.35 billion Cyber Enhanced Situational Awareness and Response (CESAR) package as well as the new Cyber Security Strategy. The government plans to ensure that there is a direct communication line between the ASD and owners and operators of critical infrastructure.

Industry Materials

• Australian Strategic Policy Institute's Brief on Protecting Critical National Infrastructure in an Era of IT and OT Convergence (2019)
• Huawei on 5G and the Future of Security in ICT (2019)

Related Topics

• Counter-Terrorism
• Espionage, Sabotage and Foreign Interference
• Intelligence and Surveillance
• Telecommunications