Security of Critical Infrastructure

Overview

  • The Australian Government’s Critical Infrastructure Resilience Strategy defines critical infrastructure as: “those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security”.

Background

Commonwealth Legislation

Security of Critical Infrastructure Act 2018 (Cth)

  • The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) applies to entities that own, operate or hold interests in a critical infrastructure asset. As expanded, it covers 22 asset classes across 11 sectors: communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage.
  • The critical infrastructure sectors and asset classes captured by the expanded legislation are listed in the Act.
  • The Act's objectives are to improve the Commonwealth's ability to respond to national security risks that may affect Australia’s critical infrastructure by increasing the transparency of ownership and operational control of such infrastructure, and promoting cooperation between various levels of government, regulators and critical infrastructure owners.
  • The core components of the Act are:
    • a register of critical infrastructure assets, to which owners, operators or direct interest holders of critical infrastructure assets must supply information about interests in, and the operation, control and ownership of, those assets;
    • mandatory cyber incident reporting, requiring the owner/operator of a critical infrastructure asset to report cyber security incidents to the Australian Cyber Security Centre (see also Directors' Duties);
    • government assistance measures for certain critical infrastructure entities in response to significant cyber attacks on Australian systems (information gathering directions, action directions and, as a last resort, intervention requests);
    • an information gathering power held by the Secretary of the Department of Home Affairs, requiring an owner/operator of a critical infrastructure asset to provide particular information; and
    • a directions power held by the Minister for Home Affairs, directing an owner/operator of critical infrastructure to do, or refrain from doing, a specified thing in order to mitigate a national security risk, with non-compliance attracting a penalty.

Competition and Consumer Act 2010 (Cth) (CCA)

  • The Consumer Data Right is now active in the banking sector. Under Part IVD of the Competition and Consumer Act 2010 (Cth) (CCA), the Consumer Data Right (CDR) regime enables consumers to require data holders to share the consumer's data with ‘accredited persons’.
  • The Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) set out how the CDR is to operate, including the accreditation criteria. An accredited person receiving CDR data has an ongoing obligation to satisfy the ‘information security obligation’ under CDR Rules r 5.12(1)(a). This requires an accredited person to take the detailed governance and control steps outlined in Schedule 2 of the CDR Rules, ‘which relate to protecting CDR data from: (i) misuse, interference and loss; and (ii) unauthorised access, modification or disclosure.’ The ACCC released supplementary CDR accreditation guidelines on information security on 31 January 2022.
  • Further discussion regarding data availability and transparency can be found in the Data section.

Corporations Act 2001 (Cth)

See related discussion of the Corporations Act 2001 (Cth) and also Duty to Report Cyber Security Incidents in the Directors' Duties section.

Privacy Act 1988 (Cth)

  • Under the Privacy Act 1988 (Cth) (Privacy Act), ‘personal information’ must be kept secure from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Additionally, the Privacy Act's Notifiable Data Breaches scheme mandates notification of eligible data breaches to the regulator and to affected individuals. The Privacy Act regulator, the Office of the Australian Information Commissioner (OAIC), may order compensation awards, accept enforceable undertakings, and apply to the Federal Court for civil penalty orders, injunctions and other remedial actions, for breaches of these obligations.
  • Australian companies processing or controlling the data of individuals in the European Union (EU) are subject to a ‘security of processing’ obligation (Article 32) and data breach notification requirements (Articles 33 and 34) under the General Data Protection Regulation (GDPR).
  • State and territory government agencies are excluded from the Privacy Act but tend to be subject to separate Acts. For example, NSW public sector agencies, statutory bodies, universities, and local councils are subject to the Privacy and Personal Information Protection Act 1998 (NSW).
  • For a broader discussion of this Act, see Privacy Law.

Foreign Investment Reform (Protecting Australia’s National Security) Act 2020 (Cth)

  • This Act amended the Foreign Acquisitions and Takeovers Act 1975 (Cth) (FATA) so that the definitions associated with critical infrastructure in the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) are now included in the FATA. This change may have implications for cloud service providers, including Software as a Service (SaaS) providers, that have foreign ownership or are subject to an acquisition or takeover by a foreign entity. Foreign investment in a responsible entity for, or a direct interest in, a critical infrastructure asset is now notifiable to the Foreign Investment Review Board (FIRB). FIRB can undertake an ‘own motion’ review of a transaction if it has national security concerns. Changes in ownership and control, including changes in personnel, may affect eg a cloud services provider’s authority to operate in an assessment and authorisation context.

State Government Legislation

The examples below are intended to be illustrative, not exhaustive, demonstrating the complexity of this regime.

NSW Government

NSW Sector Specific - Energy

  • Electricity Supply Act 1995
    • Part 7A of the Act contains the requirements for the management of electricity supply during an emergency, including a cyber security incident that affects a distribution system, a distributor, an electricity generator, a transmission operator, a transmission system, or a cyber security incident described in the regulations.
  • Energy and Utilities Administration Act 1987
    • Part 6 contains the emergency provisions covering the declaration of an energy supply emergency, directions, information requirements and disclosure of information about the incident.
  • Gas Supply Act 1996
    • Section 72A sets out the cyber security requirements for network operators that are set out in regulations. Section 76A contains cyber security directions.
  • Pipelines Act 1967
    • Section 16 sets out the cyber security requirements. Section 16A covers the cyber security directions the Minister can make. Section 16B provides that compliance with the cyber security provisions is a licence condition.

Qld Sector Specific - Water

  • Water Supply (Safety and Reliability) Act 2008 (WSSR Act)
    • The Department of Resources administers the WSSR Act. Companies regulated under the WSSR Act must remove cyber security information from documentation if the information could be used to interfere with, damage, disrupt or destroy an electronic system. The Department of Resources requires drinking water providers to report on cyber security, which is one of their six KPIs.

Sector Specific Legislation and Frameworks

Financial services and markets

Energy

Transport

Water

Cross-Sector Laws

Obligations under Foreign Laws

  • Multinational financial institutions will be affected by cyber security obligations in other jurisdictions, such as the New York State Department of Financial Services regulation 23 NYCRR Part 500 (Cybersecurity Requirements for Financial Services Companies), and China’s Cybersecurity Law, which imposes special security procedures on operators of ‘critical information infrastructure’, including financial services entities.

Regulatory & Policy Framework

  • Engagement with cyber security and critical infrastructure happens across multiple agencies and regulators at the federal, state and territory levels, including sector-specific regulators. The network of regulators and agencies responsible for operationalising cyber security and critical infrastructure policy is complex and contains multiple interdependencies. Regulators and agencies have their own cyber security requirements and obligations that they must meet. They collaborate and cooperate through a range of mechanisms, including inter-governmental committees, industry advisory committees, formal processes outlined in legislation, and memoranda of understanding between agencies.

Core Framework

Of the numerous documents that constitute the regulatory and policy framework, the following should be particularly noted due to their overall importance, frequency of citation and/or presence of mandatory requirements.
  • Prudential Standard CPS 234 – Information Security (CPS 234) and
  • Prudential Practice Guide CPG 234 – Information Security (CPG 234)
    • The Prudential Standard and its associated Practice Guide are produced by the Australian Prudential Regulation Authority (APRA). CPS 234 sets out mandatory information security requirements that all APRA-regulated entities must comply with, including taking steps to protect against cyber attacks; CPG 234 provides APRA's non-binding guidance on meeting those requirements. Together they comprise the main relevant framework for the financial services and markets sector.
    • Under CPS 234, the Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security. The entity must maintain an information security capability commensurate with the size and extent of the threats to its information assets, and which enables the continued sound operation of the entity.
    • CPS 234 also requires that, where information assets are managed by a third party, the entity assess that party's information security capability. CPG 234 notes that it is increasingly common for third parties to rely in turn on other service providers to deliver an end-to-end service; APRA's expectation is that an APRA-regulated entity would take reasonable steps to satisfy itself that the third party (eg a cloud services provider) has sufficient information security capability to manage the additional threats and vulnerabilities resulting from such arrangements.
    • There is also a requirement to notify APRA of material information security incidents as soon as possible and no later than 72 hours after becoming aware of them, and of material information security control weaknesses within 10 business days.
  • Australian Government Information Security Manual (ISM)
    • The ISM is a risk management, authorisation and assessment framework produced by the Australian Cyber Security Centre. Its purpose is to outline a cyber security framework that organisations can apply, using their own risk management framework, to protect their systems and data from cyber threats. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals and information technology managers. The ISM is not itself legislation; it becomes binding where a policy or contract requires it, and businesses seeking to host or process Australian Government data are typically required to have their systems assessed against the ISM (eg through the Infosec Registered Assessors Program, IRAP).
  • Essential Eight Strategies to Mitigate Cyber Security Incidents
    • This best practice guideline, prepared by the Australian Cyber Security Centre, sets out eight baseline mitigation strategies (application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups) together with a maturity model that organisations can use to assess their cyber security maturity. It is voluntary for most organisations, although the PSPF requires non-corporate Commonwealth entities to implement it.
  • Protective Security Policy Framework (PSPF) (2018)
    • This framework, managed by the Attorney-General’s Department (AGD), consists of a series of policies setting out security requirements and guidance for Australian Government entities and, through their contracts, for the service providers that support them. The policies cover security governance, information security, personnel security and physical security. Non-corporate Commonwealth entities that are subject to the Public Governance, Performance and Accountability Act 2013 must apply the PSPF (to the extent consistent with legislation).

Overall Framework

Relevant Organisations

Core Organizations

The following organisations should be particularly noted due to their critical role in cyber security relating to critical infrastructure.
  • Australian Cyber Security Centre (ACSC)
    • The cyber security and critical infrastructure reforms of the last five years have elevated the role of the Australian Signals Directorate, which operates and supports the ACSC. The ACSC is Australia’s lead cyber security agency, issuing guidance, threat reports, policy and information to individuals, families, and businesses. It does not have a regulatory role. The ACSC also provides high-level guidance on how to approach the issue of supply chain management in a cyber security context.
    • The ACSC is the Chair of the National Cyber Security Committee (NCSC), which coordinates the inter-jurisdictional technical response of Australian governments to cyber incidents.
    • CERT Australia is the national computer emergency response team, sitting within the ACSC, and provides advice and support on cyber threats and vulnerabilities to the owners and operators of Australia's critical infrastructure and other systems of national interest.
    • The ACSC also operates Joint Cyber Security Centres (JCSCs) in Sydney, Melbourne, Brisbane, Perth and Adelaide. These coordinate the complex dependencies between the Australian, state and territory levels of government on cyber security, from incident response to cross-jurisdictional coordination in the event of a national cyber incident.
  • Cyber and Infrastructure Security Centre

List of Organizations

Inquiries & Consultations

Industry Materials
