Critical Infrastructure #3

Chem
Critical Infrastructure – Part 3

Author: Mel Griffiths

The threat to Critical Infrastructure is increasing

Michael Pezzullo, Secretary of the Department of Home Affairs, has stated that an increase in exploitation of the vulnerabilities in critical sectors has been building over the course of the last five years and “has accelerated over the course of the global pandemic”. He has characterised the new threat landscape as soon to be reaching “global pandemic proportions”. These attacks have highlighted the extreme vulnerability of a much broader swathe of sectors critical to the Australian economy and way of life.

Sapien Cyber believes that it is the responsibility of trusted information-sharing networks the educate the community on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is currently before Parliament. This series of articles aims to provide clarity on the impact of the Bill to the various sectors affected by the obligations and to characterise the response from industry. In this post, we will discuss the Transport and Food and Grocery sectors. Submissions for comment on the Bill from organisations in these sectors and sectors examined in our last post have highlighted several common views, including a lack of specificity in the legislation, concern over costs associated with the increased regulatory burden, and overlap with existing legislation potentially creating duplication of effort and bureaucratic process.

A “lazy” approach to the Transport sector?

At the time of writing, the Australian Logistics Council (ALC) has called on the Federal Government for more time to facilitate the proper identification of which freight and logistics assets are to be made subject to the new law. ALC interim CEO Rachel Smith has criticised the threshold approach as “lazy”, and ALC members have argued that this approach is a catch-all which will fail to capture key assets, capture assets not of strategic importance, and increase regulatory burden.

The rules define a critical freight infrastructure asset as a road or rail network, or intermodal transfer facility that acts as a critical corridor for the transportation of goods between States, Territories, or regional centres. A critical freight services asset is defined as a network critical to goods transportation by road, rail, inland waters, or sea, and also as any national logistics provider with an annual revenue threshold of over $150 million. The critical freight infrastructure asset definition of “a critical corridor for the transportation of goods” is limited to road and rail in the proposed legislation, however, several critical sea corridors such as the Torres Strait fall outside of this scope.

Ports are defined as critical if they encompass land that forms part of any of the named security regulated ports, although there appears to be no intention of extending the requirements that currently exist to Australian vessels under the Bill. The Maritime Industry Australia Ltd (MIAL) has highlighted that supply chain security is incomplete unless the vulnerabilities that exist due to the majority of sea transport capability being performed by foreign entities is also addressed. MIAL has also argued that ships act as both pipelines and storage and are therefore captured under the critical liquid fuel asset definition, without explicit recognition of vessels themselves.

Critical public transport assets encompass public transport networks that are managed by a single entity and have a 5 million passenger journeys per month capacity (excluding aviation assets). V/Line, who provide public transport services to regional Victoria have indicated that a more mature understanding of the Transport sector and sub-sectors is required. In their submission for comment on the proposed legislation, V/Line have pointed to pre-existing issues, such as the absence of a specific transport connection to the Australian Strategy for Protecting Crowded Places from Terrorism, as contributing to the erosion of “operator confidence in the Federal Government’s ability to manage the implementation of the proposed legislation and its regulatory provisions”.

V/Line has also have asserted that identifying the most appropriate regulator in this space will likely be contentious. This is evident in VicTrack’s submission for comment, in which they have called for examination of how existing state-based approaches to cyber incident response and infrastructure resilience might be used to meet the proposed Positive Security Obligations.

Critical aviation assets are defined as assets owned or operated by airports or aircraft operators providing a service, or regulated air cargo agents that utilise air services. As with the other areas of the Transport sector, the aviation sector has highlighted concerns regarding the costs of the increased regulatory burden, the lack of clarity around how and when it is likely the Government assistance provisions would be used, and the potential for overlap between the Bill and requirements imposed by exiting legislation.

In Sydney Airport’s submission in response to the proposed legislative changes, it is noted that Airports are already subject to a range of requirements stipulated under the Aviation Transport Security (Incident Reporting) Instrument 2018, and call for “harmonisation between all legislative and regulatory underpinnings in efficiently managing security requirements”. The shift away from the existing ‘unlawful interference’ approach to the more holistic ‘all hazards approach’ will require further consideration of information sharing arrangements between industry and Government. Given the impact of the ongoing global pandemic, the aviation sector is understandably concerned that the increased security requirements imposed will add significant cost to the industry at a time when revenue is increasingly unpredictable.

The Food and Grocery sector requires clarity on criticality

Despite the fact that Australian beef, wool, and dairy supply chains have suffered cyber-attacks in the last 18 months, the Federal Government has stated that applying specific thresholds in this area of the Food and Grocery sector could create unnecessary confusion and regulatory burden, “especially when new competitors emerge in the market or unexpected market fluctuations occur”. As a result, production, agriculture, food manufacturing, and packaging will not be defined as critical assets in the Bill. The Australian Food and Grocery Council agrees with this logic but have highlighted that food manufacturing is not explicitly exempted in the proposed legislation.

The new definitions applied to the Food and Grocery sector will include critical Food and Grocery assets as networks used for distribution or supply of food or groceries, owned, or operated by critical supermarket retailers, or food or grocery wholesalers. It is anticipated the Legislation will include Woolworths Group, Coles Group, Aldi, Costco, and Metcash as critical supermarket retailers, as they collectively account for over 80 per cent of market share in Australia.

The AFCG notes that the term “food and grocery” as used within the industry includes non-food grocery products, such as personal care products, house care products, pet care products, as well as a litany of other items. The distribution of such products and occupy the same supply chains as food products. The legislation is not clear on the status of such non-food grocery manufacturing and supply chains and the AFCG has called for clarity in this area.

Confusion and cost remain significant issues

Looking at the way the Government has defined the Transport and Food and Grocery sectors and the submissions from industry, there appears to be a lack of clarity and understanding around inclusions and exemptions in the definitions. There is also clear concern from industry regarding the costs of increased regulatory burden and a call for support measures. It remains to be seen how the Government will respond to these concerns, however given their ubiquity across these and other sectors, it would be surprising if these issues remain unaddressed in at least some holistic form as the Bill makes its way through the Parliamentary process.