Is your business a part of Australia’s critical infrastructure?
In late 2021, the Security Legislation Amendment (Critical Infrastructure) Bill (2021), which sought to amend the 2018 SoCI (Security of Critical Infrastructure) Act, was passed. This Act expands the sectors considered as CI from four sectors (electricity, gas, water, and ports) to now also include communications; financial services and markets; data storage or processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.
One of the major catalysts for this expansion was the substantial increase in cyber-attacks that has been observed, with the United Nations reporting a 600% increase in cyber-attacks. Perhaps the most sobering aspect of these attacks, however, is that 25% are aimed at CI organisations. Indeed, the Global Risk Report 2022 by the World Economic Forum shows that Australia’s number one risk concern is “Failure of Cyber Security Measures”.
The new legislation also allows for the government to intervene and assist when there is a concern regarding the cyber control measures currently in place.
Under the new legislation, there are enhanced cyber security obligations whereby organisations will need to establish processes for incident response, regular cyber security test exercises, and vulnerability management, and be able to provide security incident reporting on demand.
The implementation of this new legislation carries with it some substantial challenges for organisations that now fall under the Act. Some of these include:
- registration of critical assets: identification, classification, and accountability
- common understanding of risk-based and protective security
- effective risk management framework by sector, with common measurements and assessments
- communication between Home Affairs, state governments, and other stakeholders
- definition and parameters of scope of Ministerial Controls (Cyber)
- communication in a national security context
- mandatory reporting of cyber issues
- transparency requirements for the CI Owners:
  - Reporting requirements
  - Cyber intervention
  - Government intervention in cyber-attack/s
(Sourced from: www.cisc.gov.au)