Lib Clark, assistant secretary industry partnerships, Department of Homeland Security.

Security of Critical Infrastructure Act Expands

♦ Security of Critical Infrastructure Act Expands – Australia’s Security of Critical Infrastructure (SOCI) Act has been expanded to cover physical security and risk management across 11 key infrastructure sectors and 22 asset classes, with responsibility potentially resting on security consultants, security integrators, security managers, senior managers, directors and more.

The SOCI Act 2018 placed obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry sectors to defend themselves against cyber attack.

Now 2 further sets of amendments to the SOCI Act have received Royal Assent – in December 2021 and April 2022 respectively. The Act was expanded to cover 11 critical infrastructure sectors, capturing assets across many elements of the Australian economy. It now contains significant measures to uplift the security and resilience of critical infrastructure, keeping it safe from physical, supply chain, cyber and personnel threats.

According to Lib Clark, assistant secretary industry partnerships, Department of Homeland Security, the 2018 Act sought to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure.

“The SOCI Act has 3 key positive security obligations that can be ‘switched on’ at different times for particular asset classes,” Clark said.

“Certain entities are required to provide operational and ownership information to the Register of Critical Infrastructure Assets and to report cyber incidents to the Australian Cyber Security Centre, which impact the delivery of the essential services those assets provide.

“These two obligations apply to certain asset classes now, but we recognise it may take time for industry to get used to these new requirements and have included a grace period for each element before any enforcement action could be taken for non-compliance.

“The third key obligation, which will come in the near future, is that you may also be required to adopt, maintain and comply with a written risk management program. That program will need to identify and mitigate ‘material risks’ to your critical infrastructure asset.

“This obligation may be ‘switched on’ after we consult with industry. As with our asset register and the cyber incident reporting obligations, we intend to advise Government to provide a grace period so you can get used to the changes before they commence.

“And we’ll encourage you to provide a submission during that consultation period on the risk management program. We want to work in partnership with you through the consultation process and on compliance with the reforms.”

Clark said for a small number of CI assets there is the possibility they will be declared a ‘system of national significance’.

“These assets are the most crucial to the nation, by virtue of their interdependencies across sectors and potential for cascading consequences to other critical infrastructure assets and sectors if disrupted,” she explained.

“In addition to the obligations outlined, entities responsible for those assets designated as systems of national significance may be subject to enhanced cyber security obligations.

“Those obligations can be considered upon the circumstances for the sector and similar assets, which recognises that different sectors have different networks and systems and could face different risks.”

The Enhanced Cyber Security Obligations include:

* Developing cyber security incident response plans to prepare for a cyber security incident
* Undertaking cyber security exercises to build cyber preparedness
* Undertaking vulnerability assessments to identify vulnerabilities for remediation
* Providing system information to develop and maintain a near-real time threat picture.

“In addition to all these obligations, we have government assistance measures that enable the Federal Government, as a last resort, to help industry respond to those cyber security incidents that seriously prejudice Australia’s prosperity, national security, or defence,” Clark said.

“We are committed to continued engagement with critical infrastructure owners and operators, especially through the Trusted Information Sharing Network. This network is the Government’s primary engagement mechanism with industry on critical infrastructure.”

Security managers, security consultants and security providers can find fact sheets on critical infrastructure obligations here.

The coverage of the framework under the Act has been expanded from 4 sectors (water, electricity, gas and ports) to 11 sectors and 22 asset classes:

* Communications sector
  – telecommunications asset
  – broadcasting asset
  – domain name system

* Data storage and processing sector
  – data storage or processing asset

* Financial services and markets sector
  – banking asset
  – superannuation asset
  – insurance asset
  – financial market infrastructure asset

* Water and sewerage sector
  – water asset

* Energy sector
  – gas asset
  – electricity asset
  – energy market operator asset
  – liquid fuel asset

* Health care and medical sector
  – hospital

* Higher education and research sector
  – education asset

* Food and grocery sector
  – food and grocery asset

* Transport sector
  – freight infrastructure asset
  – freight services asset
  – port asset
  – public transport asset
  – aviation asset

* Space technology sector

* Defence industry sector
  – defence industry asset
