The Australian Government's Critical Infrastructure Resilience Strategy defines critical infrastructure as: "those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security".
Most laws regulating the security of Australia's critical infrastructure are contained in the Security of Critical Infrastructure Act 2018 (Cth), although other national infrastructure like telecommunications is subject to its own regulatory regime, such as the Telecommunications Act 1997 (Cth).
The Security of Critical Infrastructure Act 2018 (Cth) applies to entities that operate or have interests in a critical infrastructure asset, and is intended to cover approximately 200 assets across the electricity, gas, water and ports sectors.
The Act's objectives are to improve the Commonwealth's ability to respond to national security risks that may affect Australia's critical infrastructure by increasing the transparency of ownership and operational control of such infrastructure, and promoting cooperation between various levels of government, regulators and critical infrastructure owners.
The core components of the Act are:
a non-public register of critical infrastructure assets to which 'reporting entities' for critical infrastructure assets must supply information about interests and ownership of those assets;
an information gathering power held by the Secretary of the Department of Home Affairs requiring an owner/operator of a critical infrastructure asset to provide particular information; and
a directions power held by the Minister for Home Affairs instructing an owner/operator of critical infrastructure to perform or not perform something that reduces a national security risk, with non-compliance attracting a penalty.
The Critical Infrastructure Program for Modelling and Analysis (CIPMA) utilises data models to work with the Critical Infrastructure Centre and the TISN to determine how critical infrastructure systems operate and interrelate, including their interdependencies, relationships between networks and assets, vulnerabilities and the potential impacts of cyber security incidents.
'Positive security obligations' to protect against all hazards for critical infrastructure and systems, implemented through sector-specific standards.
'Enhanced cyber security obligations' that include information gathering powers, owner/operator participation and risk preparation obligations, and development of a scenario-based 'playbook' detailing response arrangements.
'Government assistance' for entities that are targets or victims of cyber attacks.
These features will apply to entities to varying degrees depending on the entity's critical status and national significance.
The scope of 'critical infrastructure', which is currently limited to electricity, gas, water and maritime ports under the Security of Critical Infrastructure Act 2018 (Cth), will expand to include energy, data, the Cloud, space, defence industry, transport, water, innovation, grocery, health, education, research, banking and finance.