Securing our future: call for views on an enhanced regulatory framework for Australia’s critical infrastructure


This article was written by Cheng Lim and Jonathan Beh.

The security and resilience of Australia's critical infrastructure is fundamental to its economy, security and sovereignty. 

Last week, the Department of Home Affairs published a consultation paper seeking submissions on proposed reforms to the critical infrastructure regulatory framework.  In this alert, we describe what critical infrastructure is and the current regulatory framework, identify the key initiatives from the enhanced regulatory framework being proposed by the Government and explain why it is crucial that industry participates in the development and implementation of a flexible, comprehensive and resilient security strategy.

Three aspects will be of critical interest:

  1. The sectors and entities that will be subject to the enhanced regulatory framework;
  2. The content and implications of the Positive Security Obligation, Enhanced Cyber Security Obligations and Government assistance with cyber security; and
  3. Navigating the journey: ongoing consultation and industry participation in the development of the critical infrastructure regulatory framework.

Why is critical infrastructure so important and what is the current regulatory framework?

Critical infrastructure underpins the delivery of essential services that are fundamental to Australia's economy, security and sovereignty.  The Government's Critical Infrastructure Resilience Strategy defines critical infrastructure as:

those physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia's ability to conduct national defence and ensure national security.

The current regulatory framework is set out in the Security of Critical Infrastructure Act 2018 (Cth) (Act) and consists of 3 main elements:

  1. a Register of Critical Infrastructure Assets which contains ownership and operational information for specific critical infrastructure assets;
  2. an information gathering power, which allows the Secretary of the Department of Home Affairs to obtain more detailed information from owners and operators of critical infrastructure assets; and
  3. a Ministerial direction power, which allows the Minister for Home Affairs to direct an owner or operator of critical infrastructure assets to take, or not take, specified actions to mitigate against a national security risk where no other mechanism will eliminate or reduce that risk.

Who will the enhanced regulatory framework apply to?

Currently, the critical infrastructure regulatory framework only applies to specific entities in the electricity, gas, water and maritime ports sectors.  The proposed reforms will significantly expand the scope of the framework, introducing security obligations to the following sectors:

  • Banking and finance;
  • Communications;
  • Data and the Cloud;
  • Defence;
  • Education, research and innovation;
  • Food and grocery;
  • Health;
  • Space; and
  • Transport.

The Government will also introduce 3 broad categories of criticality under which owners and operators of critical infrastructure assets will be classified: Critical Infrastructure Entities, Regulated Critical Infrastructure Entities and Systems of National Significance.  Categorisation will depend on a number of factors, including the consequences of a compromise in security and the interdependency of the entity or asset with other functions.  Each category will be subject to different obligations, in order to ensure that the obligations are proportionate and appropriate relative to the criticality of each entity.

What new initiatives are being introduced?

The enhanced regulatory framework consists of 3 key security initiatives that the Government will introduce to strengthen the security and resilience of Australia's critical infrastructure.

Government assistance with cyber security

In most cases, critical infrastructure entities will be best placed to protect from and mitigate the effects of cyber attacks on their networks and systems.  However, given the unique capabilities of Government and its comprehensive understanding of Australia's threat environment, there may be situations in which Government assistance or intervention is required to effectively respond to and manage cyber attacks.

Under the proposed reforms, if there is an imminent cyber threat or incident that could significantly impact Australia's economy, security or sovereignty and is within the capacity of the entity to address, the Government may provide directions to an entity to ensure all necessary action is taken to manage and reduce the impact of the threat.  In even more serious and limited circumstances, where the Government identifies an immediate and serious cyber threat to Australia's economy, security or sovereignty, the Government may declare an emergency and take direct action to protect a critical infrastructure entity or system in the national interest.  The Government will consider the potential consequences of the cyber threat, the extent to which the incident could spread across jurisdictions and the imminence of the threat in determining whether to declare an emergency and take direct action.

Positive Security Obligation

Regulated critical infrastructure entities and systems of national significance will also be subject to the Positive Security Obligation (PSO).  The PSO will consist of both a sector-agnostic set of principles-based outcomes, as well as sector-specific guidance and requirements that will be co-designed by entities and the appropriate regulator in each sector.

The high-level principles-based security outcomes will be set out in legislation and, at a minimum, ensure that critical infrastructure entities:

  • identify and understand risks;
  • mitigate risks to prevent security incidents;
  • minimise the impact of realised incidents; and
  • implement effective governance and oversight processes,

in relation to physical, cyber, personnel and supply chain security.

In order to reflect the specific needs and capabilities of each sector, avoid duplicating existing standards and requirements and reduce the regulatory burden on entities, regulators will work with entities in each sector to develop and implement sector-specific standards and guidance to achieve the security outcomes of the PSO.  The regulators will be responsible for educating and guiding entities towards best practice security management, as well as enforcing compliance with the PSO requirements.

Enhanced Cyber Security Obligations

In addition to government assistance with cyber security and the PSO, Australia's most critical entities, the systems of national significance, will also be subject to the Enhanced Cyber Security Obligations.  It is intended that these entities will build an active partnership with the Government to better understand, prepare for and manage cyber security threats.

The Government will develop a near real-time national threat picture by obtaining information from a variety of sources, including from industry and commercial partnerships, open source information and Government intelligence and international feeds.  At the beginning, provision of information will be on a voluntary basis as the near real-time threat capability is developed and tested; however, it is intended that in the long-term entities will be obligated under legislation to provide information about networks and systems when requested.

The Government will also utilise its understanding of the threat environment to help develop the cyber security capabilities of owners and operators of systems of national significance.  Entities will be required to participate in cyber security activities in partnership with the Government, which may include independent assessments by third-party providers, light-touch vulnerability scanning and assessment and Government-critical infrastructure collaboration to detect and isolate threats that have evaded existing security solutions.  The Government will also work with key entities to develop a playbook of response plans that will be tailored to each entity's capabilities and needs and outline the roles and responsibilities in the event of a significant security incident. 

What does this mean for industry?

Submissions to the consultation paper close on 16 September 2020.  However, given the far-reaching consequences of the proposed reforms and their importance to Australia's long-term security and economic wellbeing, the consultation paper is only the start of the consultation process with industry.  The Government intends to conduct further cross-sectoral consultation on the reforms, which will inform the development of legislative amendments to the Act.  Once the amendments have been passed, regulators will continue to work with critical infrastructure entities to develop and implement sector-specific obligations to give effect to the legislative regime.

The proposed reforms are a key initiative of the Government's Cyber Security Strategy 2020 and reflect an increased focus by the Government on the security risks that Australia's critical systems face.  Recent events, particularly the impact of COVID-19, have reflected well on the security and resilience of Australia's critical infrastructure, but have also exposed the underlying vulnerabilities and fragilities of an economy that is increasingly interconnected and interdependent.  Industry has an important role to play in participating in and shaping the development of the strategies, policies and laws that will protect and promote Australia's economy, security and sovereignty.
