Categories for Security Legislation Amendment Bill 2021

Critical Infrastructure #6

October 12, 2021Published by Jeffrey Eaton
Critical Infrastructure – Part 6

Author: Mel Griffiths

Preparing For a Cyber Pearl Harbour

“What I’m worried about is a ‘cyber Pearl Harbor’ — an online attack that cripples our critical infrastructure and catches us all by surprise… That’s why we’re seeking to pass legislation that safeguards those critical assets that make up our digital economy and sovereignty.”

Andrew Hastie, Assistant Minister for Defence

The Australian Government continues to reiterate the urgency of their plan to pass legislation intended to safeguard Critical Infrastructure in an increasingly hostile threat landscape. Industry sectors impacted by the Security Legislation Amendment (Critical Infrastructure) Bill 2020 have called on the government for further consultation, offering a plethora of sector-specific recommendations designed to clarify responsibilities, leverage existing frameworks, and reduce the regulatory burden.

In an effort to balance the urgent requirement to pass the legislation with industry concerns, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has suggested that the government urgently pass the portions of the Bill that focus on government assistance mechanisms and mandatory notification requirements, while introducing the remaining aspects under a separate Bill following further consultation.

This move may raise further concerns from industry given the number of objections regarding the extent of the proposed government powers, as well as the lack of any avenue for appeal. For example, the Australian Information Industry Association (AIIA) has questioned the appropriateness of the powers inherent in the legislation for the data storage or processing sector, given its complexity, interconnectedness, overlapping regulatory regimes, and the potential global implications. Palo Alto Networks has gone so far as to recommend that the data storage and processing sector be removed from the Bill altogether, citing other governments who have avoided defining this sector as Critical Infrastructure due to its complex and interdependent nature. There are also many aspects of mandatory notification requirements that have been challenged by industry, such as who should report, to whom, how often, under what circumstances, and in what timeframe.

The defence industry sector, the data storage and processing sector, and the space and technology sector are three areas targeted in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, although it appears the Bill is likely to impact businesses in these areas in very different ways. The government has stated that the current DISP defence security mechanisms are sufficient to manage obligations for the majority of the defence industry, and the infant space industry has no assets to regulate yet, aside from those already covered in other sectors. Conversely, the data storage and processing sector has warned that, given the degree of overlap in regulations and the number of cross-sector customers that use data storage and processing services, there is a high likelihood that the data storage and processing sector could be “subject to the regulations and responsibilities of all regulated sectors simultaneously”.

DISP Sufficient for Defence Industry

Little has been made available in relation to Defence Industry responses to the Bill, which may be among the 30 submissions to government that remain confidential. The Bill defines the defence industry sector as supplying or producing goods, technology and services that (a) maintain Defence’s capability advantage, or (b) are limited by Defence due to their potential impact on Defence interests. This definition is intended to exclude industry entities captured under other sectors, such as electricity or water, while including organisations which provide or support a critical defence capability. The Exposure Draft Explanatory document defines critical defence capability as including material, technology, platforms, networks, systems, and services that are required in connection with the defence or national security of Australia.

Under the Draft Asset Definition Rules, any organisation providing or enabling a critical defence capability under a contract to the Department of Defence or the Australian Defence Force may be a critical defence industry asset. The government has noted that, while critical defence industry assets may be subject to each of the Positive Security Obligations, the Department of Defence may continue to manage obligations under its current Defence Industry Security Program (DISP) framework. The DISP framework manages the security and resilience of critical defence industry assets via a non-regulatory risk management program run by the Department of Defence.

Defence industry stakeholders, including peak bodies and federal, state and territory representatives have been invited to work with government in co-designing the rules to shape the requirements for a risk management program that may be ‘switched on’, if required, under the Bill. However, the government has stated that the existing defence security mechanisms under the DISP are considered sufficient for the majority of the defence industry. As a result, it is unlikely that the risk management program will be ‘switched on’ for the majority of businesses that fall within the defence industry asset class.

Can You Hear Me, Major Tom?

The addition of the Space and Technology sector to the list of Critical Infrastructure is a move intended to future-proof the security of an industry that is expected to become increasingly critical. The Trusted Information Sharing Network Space Cross-Sectoral Interest Group have asserted that the legislation needs to cater for significant growth and transformation in the sector.

The explanatory document accompanying the exposure draft of the Bill states that the space technology sector “involves the commercial provision of space-related services, and reflects those functions that are critical to maintaining the supply and availability of space-related services”. However, in sharing their views on the relevant aspects of the Exposure Draft of the Bill, the Philippines Space Agency suggested that the definition of the sector may not encompass critical non-commercial aspects, such as government owned satellites and other space technologies.

It is anticipated that the types of space and technology assets that may be designated as critical will include assets relating to position, navigation, and timing of space objects, space situational awareness services, space weather, space communications, tracking and control, earth observation, and facilitating access to space. However, the Bill does not include a specific definition of a critical space technology asset, because the only existing critical space technology sector assets identified are communications assets which are already covered under the proposed definition of critical telecommunications assets. Further assets may be prescribed under subsection 9(2) of the current SOCI Act as the space sector evolves and more critical assets are identified.

When Criticality Met Privacy

The data storage and processing sector is defined as the sector providing data storage or processing services on a commercial basis. Data storage or processing services may include enterprise data centres, managed services data centres, colocation data centres, cloud data centres, infrastructure as a service (IaaS), software as a service (SaaS), or platform as a service (PaaS).

To be classed as a critical data storage or processing asset, the asset must be owned by a data storage or processing provider and provide services either to government, a body corporate established by law, or a critical infrastructure asset which uses the service for business-critical data. AWS has suggested an amendment to the definition of critical data storage or processing asset in the Bill to include a simpler threshold, such as power usage or number of server racks, and that the definition of asset be limited only to physical infrastructure.

Regardless of the threshold, organisations may not be aware whether they meet this definition or that they have Critical Infrastructure clients, as they often do not have visibility over client data due to privacy requirements. Subsection 12F(3) of the Bill requires entities responsible for Critical Infrastructure to inform their data storage or processing service provider if they meet the definition of a commercial service provider to Critical Infrastructure for business-critical data. However, CISCO has suggested that a more thorough approach would be for government and industry work together to map supply chains to enable the relevant regulators to notify cloud service providers that they are providing services to Critical Infrastructure.

Critical Mass

Every sector has raised concerns about broad and vague definitions within the Bill, and the data storage and processing sector is no different. According to AWS and the AIIA, there are a number of other definitions which, as drafted, are ambiguous, too easily triggered, confusing, and will lead to over-notification and increased compliance costs. For example, the government has stated that the intention of the definition for business-critical data is to capture a critical infrastructure asset’s crucial operational information which, if compromised, would affect the availability or reliability of the asset, or have national security implications. However, Amazon Web Services (AWS) asserts that the government’s intentions are not carried by the definition of business critical data as (a) personal information that relates to at least 20,000 individuals, (b) sensitive information, or (c) critical infrastructure information relating to research and development, operations, or risk management. It is anticipated that the proposed thresholds will capture a minimum of 100 data centres and at least 30 cloud service providers.

The Australian Information Industry Association (AIIA) has asked the government to clarify the definition of ‘activities relating to business-critical data’, while AWS has labelled the definitions of critical data storage or processing asset and business-critical data as vague and unnecessarily broad. They argue that assets would fall into this category even if they are processing or storing business-critical data that is “only ancillary in nature”. In addition, AWS has recommended that the definition of cyber security incident should apply only if the incident has a systemic or broad impact to the relevant critical infrastructure asset and is a direct result of a third party’s malicious actions.

 That’s Not My Cloud

Data storage and processing is a cross-cutting sector, a feature that appears to have been overlooked by government. In cloud environments, for example, responsibility for security is frequently shared between the provider and customer, where the cloud services provider is responsible for “security of the cloud,” and the customer is responsible for “security in the cloud”. Such sharing of security responsibility is not clearly reflected in the Bill.

It has been recommended that an amendment be made to clarify that a cyber security incident only occurs in respect of a data storage or processing services provider or its customer when the incident occurs in their respective areas of responsibility. CISCO has further suggested that cyber security incidents for cloud and data processing entities continue to be reported to customers, who would then report to the Australian Cyber Security Centre (ACSC) as part of their own Positive Security Obligations. CISCO argue that this will maintain the confidentiality of customers while still providing the ACSC with appropriate visibility.

Let’s Split the Bill

The government continues to use strong language to emphasise the urgency with which it feels the Security Legislation Amendment (Critical Infrastructure) Bill must be passed in order to avoid a potential “cyber Pearl Harbor”. The task government originally set itself was to achieve sufficient security uplift across a disparate group of sectors and industries, using broad legislation, within a limited timeframe. Across the sectors, organisations have raised a chorus of objections to the lack of specificity, the degree of overlap with existing regimes, and the lack of guardrails on broad powers proposed in the Bill. Upon review of the situation, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has suggested splitting the Bill in order to satisfy the urgent requirement for intervention powers to counter any significant impending threat, while also addressing the legitimate concerns from current, and soon-to-be, Critical Infrastructure owners and operators.

Whilst this compromise may be viewed more favourably than the alternative, it remains to be seen whether the numerous concerns about the government powers will be addressed to the satisfaction of the impacted sectors, if a splitting of the Bill occurs. Despite the benefits of splitting the Bill, there still remains a lack of clarity on reporting mechanisms and which existing regulatory regimes might be leveraged to avoid duplication of effort. Many sectors are also still very concerned about the prospect of government software and interference in systems and the associated business and risk impacts.

Even with a splitting of the Bill, there is still the risk of a one-size-fits-all approach to the government assistance mechanisms and mandatory notification requirements that will have different implications for different sectors. Although still subject to the Positive Security Obligations, critical defence industry assets will likely continue to manage their obligations under the DISP framework, with the risk management program remaining switched off for the majority of defence industry businesses. Meanwhile, the application of government assistance mechanisms and mandatory notification requirements to the data storage and processing industry is fraught with difficulties due to its complex and globally distributed nature, existing privacy requirements, and the shared control and responsibility models used between providers and customers.

The defence industry remains publicly mute on the Bill, while cloud and data storage providers are strongly calling out the shortcomings of the legislation as it applies to their business, some even calling for an elimination of the sector from the Bill entirely. If the PJCIS recommendation to split the Bill is undertaken, it remains unclear if and how this feedback will be managed by the government.


Critical Infrastructure #5

September 25, 2021Published by Jeffrey Eaton
Critical Infrastructure – Part 5

Author: Mel Griffiths

Dams and Dollars: The Impact of the Critical Infrastructure Bill on the Finance and Water Sectors

The overall objective of the Government’s Security Legislation Amendment (Critical Infrastructure) Bill is to ensure that Australia’s Critical Infrastructure is secure; however, the expansion of critical sectors in the Bill has underscored not only the complex interconnections between industries and sectors, but also the number of existing regulatory frameworks that need to be leveraged, or at least considered, to make the amendments work as efficiently as possible. The co-design consultation for sector-specific obligations that will underpin the risk management program is currently underway for the Financial Services and Markets (payment systems) sector and has been completed for the Water and Sewage sector. However, some aspects of the Bill may be passed before others if the compromise suggested by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) is implemented. The PJCIS has recommended that the Government urgently pass the portions of the Bill that focus on Government assistance mechanisms and mandatory notification requirements, while introducing the remaining aspects under a separate Bill following further consultation.

The thinking appears to be that this would enable the swift passage of laws to counter current threats, while also providing additional time for co-design with industry. However, many of the concerns of the Water, Finance, and other sectors, centre around the Government’s proposed intervention powers (assistance mechanisms) which essentially allow the Government to shut down, change, analyse, remove, and control a piece of infrastructure and its component parts if an attack on that asset is perceived to put national security at risk. When discussing the Government’s proposed intervention powers in the Security Legislation Amendment (Critical Infrastructure) Bill, it is important to be aware of the counterbalances in place.

I’ve Got the Power

Most of the intervention actions cannot be undertaken without ministerial authorisation approved by the Prime Minister and the Minister of Defence, and only in the event of an attack on critical infrastructure impacting national security. Affected organisations can be ordered to perform internal or external audit of the security of their systems, and to report on systems either regularly or based on an event. Interestingly, if the information in the reports is potentially incriminating to the company or an individual, it cannot be used for criminal or civil proceedings unless they relate to the Act. The Government can also require that an organisation install, maintain and, wherever possible, keep online software for collecting and recording computer operation information to determine if further powers under the act should be exercised. Personal information is still protected by the Privacy Act 1988 in these circumstances.

The proposed powers also allow Government to intervene in systems for analysis including adding, removing, or modifying installed programs, and connecting computers to the organisation’s systems. Under some circumstances, the Government may order an organisation to take or refrain from taking certain actions, request access to premises, or take equipment for analysis. If access to premises is refused, the Government may engage the police, but cannot engage in force against an individual.

Is All This Really Necessary?

Most sectors have voiced their concern regarding the extent of the powers provided to Government in the Bill and the lack of conventional rights of appeal and oversight. The Water sector have stated that this “erodes natural justice and provides significant concerns in relation to potential regulatory over-reach and poor community outcomes”. For example, the Bill allows for Governmental intervention based on Ministerial authorisation, which would potentially allow an intervention order to be made prior to an event without the involvement or knowledge of the impacted organisation.

The Water sector have argued that there needs to be provision for notification and cooperation prior to an intervention, which should only be implemented in the event of non-cooperation or lack of response capability on the part of the Critical Infrastructure owners and operators.

The Australian Banking Association (ABA) have also voiced concern regarding the Step In powers, stating that the potential for implementing software and/or running scripts in intricate banking technology environments and networks is extremely high risk. Given the complexity and time-sensitive nature of banking systems and networks, there are fears that the potential impacts of interventions may not be easily defined and could unintentionally degrade system security or operate beyond the authorised scope. The Water sector have pointed out that Section 30DJ the legislation allows the Government to install software without any liability for potential damage that may be caused to systems, and has argued for a right of appeal or ability to recover costs.

The powers of physical entry have also raised some questions for the Australian Banking Association (ABA). The Government has indicated that such powers of entry would only be enforced on Australian soil, however, as the ABA has noted that “entry and action on Australian premises could create a connection to… overseas data centres and raise questions about liability under foreign law including regulatory obligations and contractual liability”. Consider a hypothetical scenario in which an Australian financial sector entity is using Amazon to host both their critical systems and their main corporate portal for customers to access. The entities systems and data in the cloud are replicated across different regional availability zones and they use a Security as a Service (SaaS) product provided by a company located in India. If an attack were to occur within the Amazon infrastructure or against the SaaS in India in such a scenario, it is not clear whether the Government would seek to gain access to Amazon or the SaaS infrastructure and premises, where and how access might occur, and which entity would have obligations to ensure this would be possible.

The Australian Financial Markets Association (AFMA) have called for robust checks and balances against these powers, particularly in regard to what clear evidential grounds would be sufficient to satisfy the Government that ministerial action would be warranted. The AFMA have made it clear that in their view, APRA regulated entities have the maturity and sophistication to warrant the ministerial ‘on switch’ for activating the Positive Security Obligations for a critical infrastructure to be kept ‘off’ for these entities. The AFMA have also warned that justified use of intervention powers should not promote distrust in industry cyber capabilities.

Burn After Reading

The Australian Banking Association (ABA) has noted that the information the Bill will require to be provided to government may be sensitive. They have raised questions over how such information will be protected throughout its lifecycle, arguing that legislation should detail its classification, handling, storage, retention and destruction. There is also concern from industry that the provision of the Bill to collect information may be broader than the stated intention of Government policy. Industry understands that the intention of the Government is to ask for data logs, excluding information or documents that may be under third party Intellectual Property. Given this understanding, the ABA has requested that an amendment be made to Section 30DB so that it expressly applies to data logs only, with third party IP exempted, and that entities may refuse to comply with some or all of a request for information that goes beyond this.

The Critical Infrastructure legislation makes it an offence to disclose some protected information, such as when as asset has been declared by the Government to be a System of National Significance (SoNS). However, the ABA has asserted that not all scenarios where an entity has a legitimate reason for disclosing information have been addressed. They have proposed that section 46 be amended “to permit an entity to disclose protected information, if the entity reasonably believes that doing so would assist the entity to comply with its obligations under the SOCI Act, other Australian and overseas law, or if the entity reasonably believes doing so is required under contract.”

The Financial Services Council (FSC) has rather gloomily predicted that, based on the exposure draft, the Bill will result in “another regulatory agency being imposed on financial services without a requirement for a streamlined approach with other agencies that already operate in financial services”. The FSC is not the first to note the degree of overlap and duplication of the Bill with existing frameworks.

One Size Fits None

The ABA has highlighted the need to eliminate differences between proposed requirements and existing regulatory regimes, particularly under prudential regulation. Financial Services Prudential regulations are the current benchmark in the Financial Sector. The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance, and superannuation, and is accountable to the Australian Parliament. Fundamentally, the Financial Services sector feels that the new regime under the Bill should defer to APRA’s existing financial sector regulatory obligations. These include CPS 220 Risk Management, CPS 234 Information Security, CPS 232 Business Continuity, and CPS 231 Outsourcing. Under the APRA prudential standard CPS 220, the Board of an APRA-regulated institution is required to provide APRA with a risk management declaration within three months of its annual balance date.

As it currently stands, the Bill would require an additional annual risk management program report to be submitted within 30 days. There is concern that Prudential Standard overlap with the requirements of the Bill will result in organisations having to prepare two reports with substantially the same information and adopt two distinct procedures for approval and sign off for the reports. The Australian Institute of Superannuation Trustees (AIST) has stated that the requirement to produce an annual report in this timeframe will put significant pressure on superannuation fund staff during an already demanding period.

Not only does the Financial Services sector feel that this would result in a substantial increase of the compliance burden without any meaningful difference in personal accountability of Board members, but that it is also inconsistent with the requirements under CPS 220 by requiring each Board member to sign the risk management program annual report. AIST has argued that such a requirement may be impractical, particularly if superannuation funds are required to do so 30 days after the end of the financial year. As a result, the Financial Services Sector has urged the Government to consider leveraging existing sector regulations covering similar board approval requirements.

Another imposed timeframe raising concerns is the proposed six-month period which organisations have to comply with the provisions of the Bill. The Water Services Sector Group (WSSG) has suggested that the six-month timeframe for compliance with reporting obligations may be insufficient and has suggested that this be amended to provide organisations with six months to provide an agreed implementation timeline.

We’ve Already Got One and it’s Very Nice

In their responses to the Draft of the Bill, many industries have pointed out to Government that they already have existing regulatory regimes and standards that adequately manage the risks to their assets. For example, the New Payments Platform (NPP Australia) have suggested that an asset should only be identified as critical to a critical payment system if the asset is already identified as a SIPS (Systemically Important Payment System). A SIPS is a payment system which, if attacked, could potentially endanger the operation of the whole economy, and are expected to observe the Principles for Financial Market Infrastructures issued by the CPMI and IOSCO. The Reserve Bank Information and Transfer System (RITS), used by banks to settle payment obligations, is the only system that has been determined to be a SIPS. This is not the only example where industry feels that the Bill may disrupt current best practice.

APRA Prudential Standard CPS 234 has been adopted as the cyber security benchmark for the Australian banking sector and is seen as driving appropriate levels of visibility, funding, and support to cyber security in the Financial Sector. As many organisations have undertaken significant work to respond to the APRA CPS 234 requirements, the Australian Banking Association (ABA) has asked Government to consider modifying the reporting requirements for cyber-security incidents in the Bill to match APRA CPS 234 for APRA regulated entities. However, there are several significant misalignments that need to be addressed.

For example, APRA CPS 234 requires an entity to notify APRA as soon as possible and, in any case, no later than 72 hours of a cyber incident, whereas the Critical Infrastructure Bill will require critical cyber incidents to be reported within 12 hours. The Water Sector has noted that the 12-hour reporting timeframe is also inconsistent with international good practice, such as the US National Institute for Standards and Technology (NIST) 800-53 Standard. Both NIST and APRA standards require reporting within 72 hours and the Water and Finance sectors are agreed that this requirement in the Bill should be aligned accordingly.

Apart from critical incidents, all other cybersecurity incidents are required by the Bill to be reported within 24 hours. The Water sector has argued that this obligation places additional regulatory burden on entities, particularly over weekends and holiday periods, and has recommended that the Government restrict reporting to significant risks only. Financial Services Council (FSC) has also urged the Government to revise these timeframes from 24 to 72 hours from the time of becoming aware of a confirmed incident.

In addition to incident reporting timeframes, there have also been calls from both the Financial Services Council (FSC) and the Australian Banking Association (ABA) for Government to clarify the types of incidents that would be covered by sections 30BC and 30BD of the Bill, and to align them with the incidents covered by the term information security incident in CPS 234. Another suggestion aimed at reducing the burden on industry whilst maintaining the integrity of the regime, is that Government agencies share incident reports to avoid imposing duplicate reporting obligations under different regimes. For example, where information on serious cyber security incidents has already been reported to a government agency (such as reporting to APRA under CPS 234), other agencies should seek to obtain the information intra-governmentally.

It Does Not Mean What You Think it Means

As with other areas of industry, there has been much discussion in the Finance and Water sectors of the appropriateness of the definitions in the proposed legislation. The Water Services Sector Group (WSSG) summarised this issue, stating that the uncertainty created by the vague terminology of the Bill undermines industry’s capacity to assess potential compliance costs. This is particularly concerning given the provision for penalties for noncompliance. The consensus from industry indicates that the Government has some work to do to ensure that terms are clear, precise, and that sectors fully understand the activities and costs associated with compliance.

For example, the definition of direct interest holder is expected to capture financiers, including banks, according to the Australian Financial Markets Association (AFMA). This is because banks may have a security position in assets that fall within the scope of the Bill, which means they would be subject to both the reporting requirements with respect to the Register of Critical Infrastructure, and the civil penalties for non-compliance. As a result, the Australian Financial Markets Association (AFMA) has suggested that banks and other lenders should be excluded from the definition of direct interest holder.

The Australian Institute of Superannuation Trustees (AIST) has taken issue with the definition of a critical superannuation asset, which is intended to capture funds with Funds Under Management (FUM) of $20 billion or more. However, the AIST notes that a fund’s FUM can increase or decrease over time, where a fund may have FUM of $19 billion in one year and experience an increase the following year, putting the fund over the $20 billion threshold.

The Australian Banking Association (ABA) has emphasised that the Bill’s definition of business critical data is overly broad and there are fears that, as it stands, the definition will capture a significant proportion of an organisation’s supply chain. In their submission in response to the exposure draft of the Bill, the ABA have also sought clarification as to whether or not the definition of the Data Storage and Processing Sector is intended to capture banks or other organisations that may hold data or provide data storage as an adjunct part of its business.

 

The Writing on the Wall

The consultation phase of the Security Legislation Amendment (Critical Infrastructure) Bill has underscored the complex interconnections between industries and sectors. It has also revealed that there are a number of existing regulatory frameworks that need to be leveraged, or at least considered, if the amendments are to work as efficiently as possible.

It is unclear whether the Government will manage the differences between the Bill and existing regulatory regimes and standards through consultation and integration, or by imposing requirements regardless of existing benchmarks, overshadowed by the threat of penalties for non-compliance. Sectors have also raised a great deal of concern regarding the extent of the powers provided to Government and the lack of conventional rights of appeal and oversight. There has been no indication from Government that any amendment to rights of appeal is being considered.

Many submissions in response to the Bill’s draft from across the impacted sectors have commented on the adversarial tone of the legislation, indicating that it lacks the spirit of cooperative engagement that Government and Critical Infrastructure owners and operators have a strong history of. The feedback from industry is that the Government needs to ensure that terms are clear and precise, that sectors fully understand the activities and costs associated with compliance, and that existing frameworks should be accommodated by, and integrated into, the legislation.

If the Government is not able to achieve this, it may not only result in increased cost and regulatory burden, bureaucratic overlap, jurisdictional disputes, and unintentional non-compliance, but may also require the Government to use Step In powers to defend Critical Infrastructure whose security has suffered from these inefficiencies.

However, the Government also needs to balance the potential of that outcome with the increasingly frequent and sophisticated cyber threats levelled against Critical Infrastructure. A compromise has been suggested by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), recommending that the portions of the Bill that focus on Government assistance mechanisms and mandatory notification requirements should be passed with urgency, while the remaining aspects of the Bill should be introduced under a separate Bill following further consultation. It remains to be seen whether this recommendation will be implemented by Government or welcomed by industry.


Critical Infrastructure #4

August 14, 2021Published by Jeffrey Eaton
Wires
Critical Infrastructure – Part 4

Author: Mel Griffiths

Cost and Duplication are Major Concerns from Industry

This time we are looking at the Energy and Higher Education sectors and the impact of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill). Despite assurances from Government, there are several key concerns that reoccur across almost all sectors impacted by the Bill, including the Energy and Higher Education sectors which we will be discussing in this post. Industry has been vocal in asserting that the Bill lacks detail in its legislative form, that Governance Rules cast too wide a net, that existing regulations already govern many areas that the Bill seeks to upraise, and that there is little understanding of the financial implications. Delivery of the Framework objectives without unintended impacts and business costs continues to be the one of the primary messages from all areas of industry and the Higher Education and Energy sectors are no different.

The Higher Education sector has provided a scathing assessment of the Bill and its relevance to the sector. Innovative Research Universities has gone as far as to request that universities be removed from the Bill entirely. Both Swinburne University and the Australian Technology Network of Universities (ATN) have argued that the Bill leaves too much to be developed within the rules, noting that the significant powers the Bill provides to Government are largely enacted by these rules which sit outside of the legislation. Universities Australia, the peak body for Australia’s 39 comprehensive universities, is concerned that the Bill leaves a range of very significant matters to the rules, with little guidance as to rule making and determination in the primary legislation. They have argued that the details of the legislation are more appropriately contained in the primary legislation. The Bill is seen as somewhat of a broadsword where a scalpel is required in order to mitigate the risk facing diverse industries. The Higher Education and Research sector has called for the government to further develop and refine the Bill in order to produce a statute that is more nuanced and detailed in its application, and also to consider individual level of institution risk.

The Energy sector has also called on the government for further development of details, particularly regarding the proposed intervention powers. The proposed powers would essentially allow Government to shut down, change, analyse, remove or control infrastructure and its component parts. Essential Energy has requested more clarity be provided on the circumstances under which enhanced obligations for systems of national significance would be enforced, given that operators will not be obligated to comply, but “may be required to do so from time to time”, following written notice from the Secretary of Home Affairs. Santos has likewise expressed the need for further detail as to the circumstances in which investigatory powers will be used, the potential operational impacts, and any potential consequences and penalties associated with the use of these powers.

But Aren’t We Already Doing That?

The risk of regulatory duplication within and across sectors has been identified as an issue by almost every sector. Deakin University has indicated that the Higher Education sector is already subject to significant scrutiny by the Commonwealth and sees the new measures as an unfair regulatory burden, adding to already existing compliance regimes. Many stakeholders in the Higher Education and Research sector have advised that they already have standard risk process in place through business impact analysis and disaster recovery planning. As a result, Murdoch University has questioned why universities need to be included in the Bill at all, arguing that there are already numerous existing agencies and legislation that appropriately manage the risks faced by the sector. These concerns about duplication and regulatory over-burden have been echoed by such Energy sector organisations as Ausgrid, the largest distributor of electricity on Australia’s east coast.

Like many organisations, Ausgrid are worried about the potential overlap in accountability between state and federal requirements. Essential Energy, which distributes electricity across 95 per cent of New South Wales (NSW) and parts of southern Queensland, have highlighted that they are already subject to a number of critical infrastructure obligations through conditions that were added to their Distributor’s Licence in 2019. Likewise, the National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA), the Australian Government offshore energy regulator, is of the view that oversight of offshore facility cyber security threats falls under the existing Maritime Transport and Offshore Facilities Security Act 2003 and its associated regulations. There are fears that this duplication and overlap of legislation will trickle down to the day-to-day processes of Cyber Risk Management. Ampol and Shell believe that the potential duplication of existing regulatory systems and processes will lead to duplication in the risk/hazard identification, mitigation, and assurance processes. Some have even argued that the application of irrelevant and duplicative legislation actually elevates the risk to the sector by diverting resources into “rechecking every corner and ticking boxes instead of watching the gate”.

While many sectors have pointed to these areas of legislative overlap, some have argued for the appropriation of them to achieve the Bills aims, rather than apply a potentially cumbersome and expensive duplicative approach. AMEO have asserted that any changes to enhance the Commonwealth critical infrastructure regime will be most effective if they operate alongside the existing State-based legal frameworks for the energy sector. As with many other sectors, the Energy and Higher Education and Research sectors feel that if additional regulatory impositions are inevitable, more needs to be done in regard to increasing clarity around obligations and processes and reducing any regulatory burden and cost. In order to facilitate this, many organisations have set forward their expectations of the framework.

If a Job’s Worth Doing…

Ampol has been clear in their expectation that only the most significant of critical infrastructure assets will have a positive security obligation. There has been much comment from industry on this point, and many sector-specific cases highlighting the realities of what would and would not be captured under the Bill. Industry also expects more detail from Government on a range of areas that are currently characterised as vague and unhelpful in enabling organisations to plan for, and move forward with, preparations for compliance. For example, Santos, Australia’s biggest domestic gas supplier, have requested more detail on the current rules around the “on switch” for implementation of positive security obligations.

There is also concern from both the Higher Education and Energy sectors that timelines for compliance may be unrealistic or may not consider varying levels of organisational maturity. Ampol has argued for realistic compliance timelines to be provided for any new obligations, systems, or processes, while Universities Australia have requested that implementation timeframes are tailored to match the different maturity levels of the various sectors.

Many sectors are interested to know what the implications would be if blanket compliance timeframes were to be unrealistic or unachievable for a less mature organisation. Santos has noted that the civil penalties for failure to develop appropriate systems, monitor, and report, appear to be more punitive than the current legislation, and has asked for more details about Government’s approach and expectations in regard to timing for implementation.

That’s a little outside my budget

Concerns in the Energy Sector in regard to the regulatory impacts and associated costs of the new measures are being magnified by the impacts of the pandemic and negative fiscal outlooks. The Higher Education and Research sector has also called on the Government to quantify the likely additional compliance costs that the proposed changes will impose. Many operators in the Energy Sector want to ensure that costs of compliance are kept to a minimum and are concerned that a number of unknowns are making it difficult to prepare appropriately. This perception of regulatory imposition with an unknown price tag is fuelling calls for Government financial support. The Australian Institute of Petroleum (AIP) believes that if the Government has national security objectives associated with the Bill that go beyond current commercial imperatives, then government support should address any cost from these imperatives.

One of the key factors at the root of the associated costs is the lack of clear and appropriate definitions provided thus far, which most sectors have described as inadequate. Definitions frequently capture too many assets, or the wrong assets, while obligations are described as vague, and processes for the “switch on” of government intervention powers are shrouded in mystery. As Shell pointed out in their submission, without clear and agreed definitions of assets, it is impossible to assess whether the significant costs associated with the implementation of cyber security measures need to occur company-wide or only to specific assets and infrastructure.

We’re Not Critical, You Are

Definitional confusion and disagreements range from debate over which assets are critical to the nation, to confusion over what it means to be “using” an asset. For example, the University of Sydney has called for tightening the definition of a “critical infrastructure asset” owned and operated by a Higher Education provider, only to those whose compromise would truly represent a threat to the nation, while AEMO have pointed out that the terminology of an agent “using” an asset may unintentionally capture third-party systems.

Many organisations and peak bodies in both the Higher Education and Energy sectors have taken issue with the broad nature of the definitions in general, and of several specifically. The Australian Institute of Petroleum (AIP) noted that the broad nature of many asset definitions and thresholds  highlight the importance of identifying only truly critical infrastructure assets. Many areas of industry are attempting to provide feedback on these definitions in order to make them clearer and more usable. For example, the Clean Energy Council (CEC), peak body for the clean energy industry in Australia, has reiterated its position on the definition of ‘critical electricity asset’ after seeing no change based on their Consultation Paper feedback. The CEC has strongly reaffirmed that the proposed electricity generation capacity threshold is currently too low and should be increased from 30MW.

The Australian Energy Market Operator (AEMO), who manage electricity, gas systems and markets across Australia, have argued that the definition of “energy sector” in the Draft Bill should also include transmission as well as distribution and supply. AMEO have also proposed changes to the new definition of “critical energy market operator asset”, arguing that AMEO should be excluded from the definition to avoid duplication of critical infrastructure responsibilities existent in the Security of Critical Infrastructure Act 2018. The Group of Eight (Go8) also have taken issue with asset definitions, calling the proposed definition of a “critical education asset” a vague and ill-defined over-reach of the “intent and purview of the proposed reforms”. They have called for the definition to be made tighter and clearer. The definition of “significant impact” is another example which Ausgrid has raised as requiring more clarification in reference to security incidents. Shell Australia have argued that clearer definitions are required on critical cyber breaches and critical infrastructure asset data to assist asset owners in navigating reporting and sharing requirements.

What’s next?

Recounting the journey of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) thus far, we see that the initial consultation and amendments to the proposed legislative changes occurred just over one year ago in August and September 2020. Before the end of 2020, the Government had consulted for three weeks on an Exposure Draft of the Bill before introducing the Bill to Parliament on 10 December 2020. This was followed by the Parliamentary Joint Committee on Intelligence and Security commencing a review into the operation, effectiveness, and implications of the reforms. In March 2021, the Government began the co-design consultation phase for the development of the Governance Rules for the Risk Management Program aspect of the Positive Security Obligations introduced in the Bill. It is expected that the staggered co-design process will continue into 2022. In April 2021, the Government published the Draft Critical Infrastructure Asset Definition Rules and thresholds, welcoming further feedback. The remainder of 2021 and early 2022 will see the Government continue a staged sector by sector approach and work with industry to design the sector-specific requirements.


Critical Infrastructure #3

July 22, 2021Published by Jeffrey Eaton
Chem
Critical Infrastructure – Part 3

Author: Mel Griffiths

The threat to Critical Infrastructure is increasing

Michael Pezzullo, Secretary of the Department of Home Affairs, has stated that an increase in exploitation of the vulnerabilities in critical sectors has been building over the course of the last five years and “has accelerated over the course of the global pandemic”. He has characterised the new threat landscape as soon to be reaching “global pandemic proportions”. These attacks have highlighted the extreme vulnerability of a much broader swathe of sectors critical to the Australian economy and way of life.

Sapien Cyber believes that it is the responsibility of trusted information-sharing networks the educate the community on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is currently before Parliament. This series of articles aims to provide clarity on the impact of the Bill to the various sectors affected by the obligations and to characterise the response from industry. In this post, we will discuss the Transport and Food and Grocery sectors. Submissions for comment on the Bill from organisations in these sectors and sectors examined in our last post have highlighted several common views, including a lack of specificity in the legislation, concern over costs associated with the increased regulatory burden, and overlap with existing legislation potentially creating duplication of effort and bureaucratic process.

A “lazy” approach to the Transport sector?

At the time of writing, the Australian Logistics Council (ALC) has called on the Federal Government for more time to facilitate the proper identification of which freight and logistics assets are to be made subject to the new law. ALC interim CEO Rachel Smith has criticised the threshold approach as “lazy”, and ALC members have argued that this approach is a catch-all which will fail to capture key assets, capture assets not of strategic importance, and increase regulatory burden.

The rules define a critical freight infrastructure asset as a road or rail network, or intermodal transfer facility that acts as a critical corridor for the transportation of goods between States, Territories, or regional centres. A critical freight services asset is defined as a network critical to goods transportation by road, rail, inland waters, or sea, and also as any national logistics provider with an annual revenue threshold of over $150 million. The critical freight infrastructure asset definition of “a critical corridor for the transportation of goods” is limited to road and rail in the proposed legislation, however, several critical sea corridors such as the Torres Strait fall outside of this scope.

Ports are defined as critical if they encompass land that forms part of any of the named security regulated ports, although there appears to be no intention of extending the requirements that currently exist to Australian vessels under the Bill. The Maritime Industry Australia Ltd (MIAL) has highlighted that supply chain security is incomplete unless the vulnerabilities that exist due to the majority of sea transport capability being performed by foreign entities is also addressed. MIAL has also argued that ships act as both pipelines and storage and are therefore captured under the critical liquid fuel asset definition, without explicit recognition of vessels themselves.

Critical public transport assets encompass public transport networks that are managed by a single entity and have a 5 million passenger journeys per month capacity (excluding aviation assets). V/Line, who provide public transport services to regional Victoria have indicated that a more mature understanding of the Transport sector and sub-sectors is required. In their submission for comment on the proposed legislation, V/Line have pointed to pre-existing issues, such as the absence of a specific transport connection to the Australian Strategy for Protecting Crowded Places from Terrorism, as contributing to the erosion of “operator confidence in the Federal Government’s ability to manage the implementation of the proposed legislation and its regulatory provisions”.

V/Line has also have asserted that identifying the most appropriate regulator in this space will likely be contentious. This is evident in VicTrack’s submission for comment, in which they have called for examination of how existing state-based approaches to cyber incident response and infrastructure resilience might be used to meet the proposed Positive Security Obligations.

Critical aviation assets are defined as assets owned or operated by airports or aircraft operators providing a service, or regulated air cargo agents that utilise air services. As with the other areas of the Transport sector, the aviation sector has highlighted concerns regarding the costs of the increased regulatory burden, the lack of clarity around how and when it is likely the Government assistance provisions would be used, and the potential for overlap between the Bill and requirements imposed by exiting legislation.

In Sydney Airport’s submission in response to the proposed legislative changes, it is noted that Airports are already subject to a range of requirements stipulated under the Aviation Transport Security (Incident Reporting) Instrument 2018, and call for “harmonisation between all legislative and regulatory underpinnings in efficiently managing security requirements”. The shift away from the existing ‘unlawful interference’ approach to the more holistic ‘all hazards approach’ will require further consideration of information sharing arrangements between industry and Government. Given the impact of the ongoing global pandemic, the aviation sector is understandably concerned that the increased security requirements imposed will add significant cost to the industry at a time when revenue is increasingly unpredictable.

The Food and Grocery sector requires clarity on criticality

Despite the fact that Australian beef, wool, and dairy supply chains have suffered cyber-attacks in the last 18 months, the Federal Government has stated that applying specific thresholds in this area of the Food and Grocery sector could create unnecessary confusion and regulatory burden, “especially when new competitors emerge in the market or unexpected market fluctuations occur”. As a result, production, agriculture, food manufacturing, and packaging will not be defined as critical assets in the Bill. The Australian Food and Grocery Council agrees with this logic but have highlighted that food manufacturing is not explicitly exempted in the proposed legislation.

The new definitions applied to the Food and Grocery sector will include critical Food and Grocery assets as networks used for distribution or supply of food or groceries, owned, or operated by critical supermarket retailers, or food or grocery wholesalers. It is anticipated the Legislation will include Woolworths Group, Coles Group, Aldi, Costco, and Metcash as critical supermarket retailers, as they collectively account for over 80 per cent of market share in Australia.

The AFCG notes that the term “food and grocery” as used within the industry includes non-food grocery products, such as personal care products, house care products, pet care products, as well as a litany of other items. The distribution of such products and occupy the same supply chains as food products. The legislation is not clear on the status of such non-food grocery manufacturing and supply chains and the AFCG has called for clarity in this area.

Confusion and cost remain significant issues

Looking at the way the Government has defined the Transport and Food and Grocery sectors and the submissions from industry, there appears to be a lack of clarity and understanding around inclusions and exemptions in the definitions. There is also clear concern from industry regarding the costs of increased regulatory burden and a call for support measures. It remains to be seen how the Government will respond to these concerns, however given their ubiquity across these and other sectors, it would be surprising if these issues remain unaddressed in at least some holistic form as the Bill makes its way through the Parliamentary process.


Critical Infrastructure #2

April 5, 2021Published by Jeffrey Eaton
Infrastructure
Critical Infrastructure – Part 2

Author: Mel Griffiths

A new approach for a new threat landscape

On the 11th of July 2018, the Security of Critical Infrastructure Act 2018 came into effect, along with its obligations for owners and operators of assets in the electricity, gas, water, and ports sectors. The aim of the Act was to “manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure”. However, the provisions in the Act were developed prior to the COVID-19 pandemic, which was accompanied by a flood of cyber-attacks frequently targeting critical sectors not captured in the Act.

This new threat landscape prompted revision of the Security of Critical Infrastructure Act’s definition of which sectors qualified as critical. As a result, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is currently before Parliament. The Bill will expand the number of regulated sectors to include banking/finance, communications, data and the cloud, defence, education, research and innovation, food and grocery, health, energy, space, transport, and water.

It is the position of Sapien Cyber that it is the responsibility of trusted information-sharing networks the educate the community on the Bill’s purpose and consequences. This article aims to provide clarity on the impact of the Bill to the various sectors affected by the obligations and to characterise the response from industry. In this post, we will discuss the Healthcare and Medical and Communications sectors.

The Healthcare and Medical sector – Significant threat in a challenging area

The Health Care and Medical sector has increasingly become a favourite target of cybercriminals and provides an excellent example of the rationale behind extending the Security of Critical Infrastructure Act 2018 to include more industry sectors. The Health Care and Medical sector, as defined in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 includes the provision of health care, or the production, distribution, or supply of medical supplies, while the definition of Health Care includes dental, medical, radiography, nursing and midwifery, occupational therapy, optometry, pharmacy, physiotherapy, podiatry, and psychology services provided by individuals. The new definition of critical hospital asset refers to critical infrastructure assets owned or operated by a hospital with a general intensive care unit. However, Telstra Health has rightly emphasised that critical hospital risk management is challenging and that security and continuity of service is comprised of a complex interconnection of technology and people-based systems with long and complex supply chains.

MISA, the Medical Software Industry Association which represents this area of the industry, has asserted that there is a lack of detail regarding incident reporting as well as a lack of alignment with existing legislation, such as the My Health Record Act and various Commonwealth and Jurisdictional legislation and policies. Duplication in these areas may result in organisations being required to undertake “multiple conformance testing without any perceived or real security value”.

Likewise, Medicines Australia which leads the research-based pharmaceutical industry, are cautious of the introduction of government powers that might inadvertently impede the ability of companies to continue usual business operations. They have stated that it “would be an undesirable outcome if, due to onerous security requirements, clinical trials were delayed, thereby denying patients access to innovative life-saving medical treatments”. There is also concern that the costs associated with increased security measures may be passed on to industry and Medicines Australia have urged the Government consider support measures that will assist public and private institutions in transitioning to the higher security obligations.

Consumer Healthcare Products (CHP) Australia, representing the manufacturers and distributors of consumer health care products, have outlined concerns that their industry is impacted by the sector-specific standards and obligations for both the Health Care and Medical and the Food and Grocery sectors in the Bill, arguing that the current definitions of these sectors, as well as Health Care and Medical supplies are overly broad. This position has been repeated by Telstra Health, who have noted that “complex supply lines relating to hospital care in particular” may result in the intent of the measures being difficult to achieve. CHP Australia have highlighted that the manufacture and supply chains required for their products are already subject to a high level of regulatory obligations, characterising the regulatory framework proposed in the Bill as “wide-ranging”, “onerous”, and neither necessary nor warranted.

A common question regarding the Bill raised by a number of sectors and echoed by CHP Australia is why, if no significant cyber security failings have been identified in their specific area, should they be subject to the introduction of such “widespread and onerous legislated requirements”? This may be a somewhat naive and self-preserving position, given the emerging threat landscape in the Health Care and Medical sector, which has become more critical than ever due to the ongoing pressure of the Covid-19 pandemic. Already in a vulnerable position from a cybersecurity perspective, the pandemic has compounded the pre-existing issues for this sector, and together with a surge in targeted exploitation from cybercriminals, the need to provide greater protection is vital.

Fear and loathing in the Communications sector

The Communications sector is defined as businesses that supply, own, or operate a carriage or broadcasting service or asset, or are used in connection with these services or assets. It also encompasses sectors that administer an Australian domain name system. Broadcasting transmission assets are considered critical if they are (a) owned or operated by the same entity and located on a critical transmission site, (b) located on at least 50 different sites and are not broadcasting re-transmission assets, or (c) owned or operated by an entity critical to the transmission of a broadcasting service. Some companies may still be prescribed without meeting the above thresholds, including TX Australia which services many major broadcasters which otherwise do not meet the “at least 50 sites” threshold.

BAI Communications Australia (BAI) have argued that simply defining a number of sites does not capture an accurate measure of control of critical broadcasting assets. Other factors such as population served, unique coverage provided, and alternative modes of delivery available are more appropriate and would allow entities who own and control critical transmission assets to be specified more accurately.

The Communications Alliance which represents the Australian communications industry, is also critical of the asset definitions which it says are overly broad and simply provide a “non-exhaustive list of items that may be considered an asset instead of a clear definition of the term”. For example, the terminology “use in connection with the supply of a carriage service” might conceivably result in every asset within the sector becoming a critical telecommunications asset. This sector is experiencing much confusion as a result of a lack of detail provided by the Government thus far. It has been argued that the timeframe allocated for the co-development of sector specific rules has been too short, making it difficult for this sector to properly understand the impact and function of the obligations. The Communications Alliance has even gone as far as to question whether the proposed regime will meet regulatory best practice at all.

Once again, we also see a lot of disquiet that the Bill will introduce conflict as a result of overlapping and duplicative obligations, both within the Bill, and from co-existence with existing legislation, such as the Telecommunications Sector Security Reforms (TSSR) and the Telecommunications Act 1997. The Communications Alliance has advised that enhancing security obligations would best be achieved under the TSSR, rather than within the proposed legislation, thereby avoiding duplication of obligations such as maintaining a risk management program, which is already captured by the section 313 requirements of the Telecommunications Act 1997.

Both Free TV Australia and the Communications Alliance have joined the chorus of other sectors regarding concerns over potential increased administrative, operational and financial burdens. Free TV have stated that any required boost in security arrangements should have a matching boost in the form of “a funding deed with the Government in recognition of the driver for these costs being a change in Government policy, rather than changes in best practice asset management”. This caustic assessment of the of the proposed legislation is not unique to the owners and operators of broadcast assets.

Within the proposed legislation, an asset is considered a critical domain name system if it is managed by or used in connection with an entity that is critical to the administration of an Australian domain name system. It has also been recommended that the .au country code Top Level Domain be made a critical domain name system. Afilias, the Registry Operator for the .au ccTLD, has clearly stated that “the Government is well-advised to continue its path to keep the Positive Security Obligation dormant for the .au namespace”. They feel the existing “structural guardrails” are sufficient and do not require any further Positive Security Obligations or Agency intervention, which they fear will add unnecessary burdens and costs. Afilias has strongly stated their position, saying that the existing management and oversight of the .au ccTLD is more than sufficient.

Overreach and overlap are common concerns

In this post, we examined the Healthcare and Medical and Communications sectors. It is clear that the proposed Government intervention powers are commonly seen as over-reach that may impede or threaten industry. There is also much concern over the lack of alignment with existing legislation and potential overlap within the Bill for some businesses caught between defined sectors. As a result, there have been calls for an approach that leverages existing legislated obligations. Given the increasing risk to Australian Critical Infrastructure evident in the evolving threat landscape and the urgency with which the proposed legislation is being developed, it seems unlikely the sufficient time will be available to manage amendments or even consult with industry on such suggestions. At this stage, it appears the Bill will proceed, although its final form and specific impacts to Critical Infrastructure owners, operators, and assets remains to be seen.


Critical Infrastructure #1

March 3, 2021Published by Jeffrey Eaton
Running Tap
Critical Infrastructure – Part 1

Author: Mel Griffiths

Critical Infrastructure cyber-attacks are on the rise

Cyber-attacks targeting Critical Infrastructure are increasing in frequency and efficacy. These attacks are profitable for cybercriminals and offer plausible deniability for Nation States who use these groups as “hired guns”. In late 2020, the software supply-chain compromise of SolarWinds resulted in one of the most significant cyber intrusion incidents to date, impacting businesses and Critical Infrastructure assets across the globe. In February of this year, a cyber-attack on a water treatment system in Oldsmar, Florida very nearly resulted in the poisoning of water supplies. In May, a ransomware attack led to the shutdown of the Colonial Pipeline, resulting in one of the most significant and successful cyber-attacks in US history. June saw ransomware attacks on meat producer JBS USA and on St. Joseph’s/Candler Hospital in Georgia, impacting food supply chains and healthcare systems.

There is a clear global uptick in cyber-attacks on vulnerable Critical Infrastructure chokepoints, with the intention of creating severe and significant impacts to maximise profit or damage. It is also clear that threat actors have broadened their targets beyond traditional ideas of what constitutes Critical Infrastructure. The reality is, if it is critical and vulnerable, there is money to be made. Australia’s Critical Infrastructure clearly faces a realistic, credible, and immediate threat.

The Critical Infrastructure Bill is now a matter of urgency

In response to the increasing threat, the Australian Government’s proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020 is set to significantly broaden the defined Critical Infrastructure sector. The proposed Bill will introduce positive security obligations, including enhanced obligations for systems of national significance, and allow Government intervention in security incidents.

Despite several Tech giants who operate within Australia taking issue with the proposed Government interventions, Minister for Home Affairs, Karen Andrews has recently announced that passage of the Critical Infrastructure Bill through Parliament will be prioritised, stating that the Bill “provides significantly more protections than it does introduce risks”.

Understanding your sector, your security, & your obligations

However, it may not be clear exactly how these changes may impact your sector and how your organisation will be required to change the way it manages its cybersecurity function. The Bill itself is not an easy read, and many Critical Infrastructure owners and operators are unclear as to what the proposed changes will mean to them. Additionally, the broadening of the definition of Critical Infrastructure means that many organisations which were not previously identified as such may be caught unaware and unprepared for the obligations laid out in the impending Bill.

Michelle Price, CEO of AustCyber has highlighted the importance of education on the Bill’s purpose and consequences through trusted information-sharing networks. This series of blog articles from Sapien Cyber is intended to assist organisations in tackling the challenges they may face with the introduction of this new legislation and provides fresh insights as the Bill progresses. These articles will discuss the broadened definition in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, what will constitute Critical Infrastructure, and how the new legislation will impact the security function of each of these defined sectors.

We will also examine the positive security obligations imposed by the Bill, what they entail, and what changes Critical Infrastructure Owner / Operators will need to make to meet these obligations. In addition, we will tackle the somewhat controversial topic of Government intervention in the incident response process in the event of a significant attack on Critical Infrastructure, what this actually entails, and how organisations can prepare.