Critical Infrastructure – Part 4

Author: Mel Griffiths

Cost and Duplication are Major Concerns from Industry

This time we are looking at the Energy and Higher Education sectors and the impact of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill). Despite assurances from Government, there are several key concerns that recur across almost all sectors impacted by the Bill, including the Energy and Higher Education sectors which we will be discussing in this post. Industry has been vocal in asserting that the Bill lacks detail in its legislative form, that the Governance Rules cast too wide a net, that existing regulations already govern many of the areas the Bill seeks to cover, and that there is little understanding of the financial implications. Delivery of the Framework objectives without unintended impacts and business costs continues to be one of the primary messages from all areas of industry, and the Higher Education and Energy sectors are no different.

The Higher Education sector has provided a scathing assessment of the Bill and its relevance to the sector. Innovative Research Universities has gone as far as to request that universities be removed from the Bill entirely. Both Swinburne University and the Australian Technology Network of Universities (ATN) have argued that the Bill leaves too much to be developed within the rules, noting that the significant powers the Bill provides to Government are largely enacted by these rules, which sit outside of the legislation. Universities Australia, the peak body for Australia’s 39 comprehensive universities, is concerned that the Bill leaves a range of very significant matters to the rules, with little guidance as to rule making and determination in the primary legislation. They have argued that such details are more appropriately contained in the primary legislation. The Bill is seen as somewhat of a broadsword where a scalpel is required in order to mitigate the risks facing diverse industries. The Higher Education and Research sector has called for the Government to further develop and refine the Bill in order to produce a statute that is more nuanced and detailed in its application, and that also considers the level of risk at the individual institution.

The Energy sector has also called on the government for further development of details, particularly regarding the proposed intervention powers. The proposed powers would essentially allow Government to shut down, change, analyse, remove or control infrastructure and its component parts. Essential Energy has requested more clarity be provided on the circumstances under which enhanced obligations for systems of national significance would be enforced, given that operators will not be obligated to comply, but “may be required to do so from time to time”, following written notice from the Secretary of Home Affairs. Santos has likewise expressed the need for further detail as to the circumstances in which investigatory powers will be used, the potential operational impacts, and any potential consequences and penalties associated with the use of these powers.

But Aren’t We Already Doing That?

The risk of regulatory duplication within and across sectors has been identified as an issue by almost every sector. Deakin University has indicated that the Higher Education sector is already subject to significant scrutiny by the Commonwealth and sees the new measures as an unfair regulatory burden, adding to already existing compliance regimes. Many stakeholders in the Higher Education and Research sector have advised that they already have standard risk processes in place through business impact analysis and disaster recovery planning. As a result, Murdoch University has questioned why universities need to be included in the Bill at all, arguing that there are already numerous existing agencies and pieces of legislation that appropriately manage the risks faced by the sector. These concerns about duplication and regulatory over-burden have been echoed by Energy sector organisations such as Ausgrid, the largest distributor of electricity on Australia’s east coast.

Like many organisations, Ausgrid are worried about the potential overlap in accountability between state and federal requirements. Essential Energy, which distributes electricity across 95 per cent of New South Wales (NSW) and parts of southern Queensland, have highlighted that they are already subject to a number of critical infrastructure obligations through conditions that were added to their Distributor’s Licence in 2019. Likewise, the National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA), the Australian Government offshore energy regulator, is of the view that oversight of offshore facility cyber security threats falls under the existing Maritime Transport and Offshore Facilities Security Act 2003 and its associated regulations. There are fears that this duplication and overlap of legislation will trickle down to the day-to-day processes of Cyber Risk Management. Ampol and Shell believe that the potential duplication of existing regulatory systems and processes will lead to duplication in the risk/hazard identification, mitigation, and assurance processes. Some have even argued that the application of irrelevant and duplicative legislation actually elevates the risk to the sector by diverting resources into “rechecking every corner and ticking boxes instead of watching the gate”.

While many sectors have pointed to these areas of legislative overlap, some have argued for building on the existing frameworks to achieve the Bill’s aims, rather than applying a potentially cumbersome and expensive duplicative approach. AEMO has asserted that any changes to enhance the Commonwealth critical infrastructure regime will be most effective if they operate alongside the existing State-based legal frameworks for the energy sector. As with many other sectors, the Energy and Higher Education and Research sectors feel that if additional regulatory impositions are inevitable, more needs to be done to increase clarity around obligations and processes and to reduce any regulatory burden and cost. In order to facilitate this, many organisations have set out their expectations of the framework.

If a Job’s Worth Doing…

Ampol has been clear in their expectation that only the most significant of critical infrastructure assets will have a positive security obligation. There has been much comment from industry on this point, and many sector-specific cases highlighting the realities of what would and would not be captured under the Bill. Industry also expects more detail from Government on a range of areas that are currently characterised as vague and unhelpful in enabling organisations to plan for, and move forward with, preparations for compliance. For example, Santos, Australia’s biggest domestic gas supplier, have requested more detail on the current rules around the “on switch” for implementation of positive security obligations.

There is also concern from both the Higher Education and Energy sectors that timelines for compliance may be unrealistic or may not consider varying levels of organisational maturity. Ampol has argued for realistic compliance timelines to be provided for any new obligations, systems, or processes, while Universities Australia have requested that implementation timeframes are tailored to match the different maturity levels of the various sectors.

Many sectors are interested to know what the implications would be if blanket compliance timeframes were to be unrealistic or unachievable for a less mature organisation. Santos has noted that the civil penalties for failure to develop appropriate systems, monitor, and report, appear to be more punitive than the current legislation, and has asked for more details about Government’s approach and expectations in regard to timing for implementation.

That’s a little outside my budget

Concerns in the Energy Sector in regard to the regulatory impacts and associated costs of the new measures are being magnified by the impacts of the pandemic and negative fiscal outlooks. The Higher Education and Research sector has also called on the Government to quantify the likely additional compliance costs that the proposed changes will impose. Many operators in the Energy Sector want to ensure that costs of compliance are kept to a minimum and are concerned that a number of unknowns are making it difficult to prepare appropriately. This perception of regulatory imposition with an unknown price tag is fuelling calls for Government financial support. The Australian Institute of Petroleum (AIP) believes that if the Government has national security objectives associated with the Bill that go beyond current commercial imperatives, then government support should address any cost from these imperatives.

One of the key factors at the root of the associated costs is the lack of clear and appropriate definitions provided thus far, which most sectors have described as inadequate. Definitions frequently capture too many assets, or the wrong assets, while obligations are described as vague, and processes for the “switch on” of government intervention powers are shrouded in mystery. As Shell pointed out in their submission, without clear and agreed definitions of assets, it is impossible to assess whether the significant costs associated with the implementation of cyber security measures need to occur company-wide or only to specific assets and infrastructure.

We’re Not Critical, You Are

Definitional confusion and disagreements range from debate over which assets are critical to the nation, to confusion over what it means to be “using” an asset. For example, the University of Sydney has called for tightening the definition of a “critical infrastructure asset” owned and operated by a Higher Education provider, only to those whose compromise would truly represent a threat to the nation, while AEMO have pointed out that the terminology of an agent “using” an asset may unintentionally capture third-party systems.

Many organisations and peak bodies in both the Higher Education and Energy sectors have taken issue with the broad nature of the definitions in general, and with several specifically. The Australian Institute of Petroleum (AIP) noted that the broad nature of many asset definitions and thresholds highlights the importance of identifying only truly critical infrastructure assets. Many areas of industry are attempting to provide feedback on these definitions in order to make them clearer and more usable. For example, the Clean Energy Council (CEC), the peak body for the clean energy industry in Australia, has reiterated its position on the definition of ‘critical electricity asset’ after seeing no change based on its Consultation Paper feedback. The CEC has strongly reaffirmed that the proposed electricity generation capacity threshold is currently too low and should be increased from 30MW.

The Australian Energy Market Operator (AEMO), which manages electricity and gas systems and markets across Australia, has argued that the definition of “energy sector” in the Draft Bill should include transmission as well as distribution and supply. AEMO has also proposed changes to the new definition of “critical energy market operator asset”, arguing that AEMO should be excluded from the definition to avoid duplicating the critical infrastructure responsibilities that already exist under the Security of Critical Infrastructure Act 2018. The Group of Eight (Go8) has also taken issue with asset definitions, calling the proposed definition of a “critical education asset” a vague and ill-defined over-reach of the “intent and purview of the proposed reforms”, and has called for the definition to be made tighter and clearer. The definition of “significant impact” is another example, which Ausgrid has raised as requiring more clarification in reference to security incidents. Shell Australia has argued that clearer definitions are required for critical cyber breaches and critical infrastructure asset data, to assist asset owners in navigating reporting and sharing requirements.

What’s next?

Recounting the journey of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) thus far, we see that the initial consultation and amendments to the proposed legislative changes occurred just over one year ago in August and September 2020. Before the end of 2020, the Government had consulted for three weeks on an Exposure Draft of the Bill before introducing the Bill to Parliament on 10 December 2020. This was followed by the Parliamentary Joint Committee on Intelligence and Security commencing a review into the operation, effectiveness, and implications of the reforms. In March 2021, the Government began the co-design consultation phase for the development of the Governance Rules for the Risk Management Program aspect of the Positive Security Obligations introduced in the Bill. It is expected that the staggered co-design process will continue into 2022. In April 2021, the Government published the Draft Critical Infrastructure Asset Definition Rules and thresholds, welcoming further feedback. The remainder of 2021 and early 2022 will see the Government continue a staged sector by sector approach and work with industry to design the sector-specific requirements.