There has been another flurry of developments in Australia’s critical infrastructure regulation, with the registration of the Security of Critical Infrastructure (Definitions) Rules 2021 (Cth) (Asset Definition Rules) on 14 December 2021, and the release of three Exposure Drafts of the Security of Critical Infrastructure (Application) Rules 2021 (Draft Application Rules), Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) and Transport Security Amendment (Critical Infrastructure) Bill 2022 (Transport Security Bill) on 15 December 2021.
These developments have been much anticipated following the recent amendment to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI Act). The SLACI Act significantly expanded the scope of the original SOCI Act from certain traditional infrastructure assets (ports, water, electricity and gas) to a much broader range of sectors and assets. For more background information, please see our previous article on the passing of the SLACI Act, “Security of Critical Infrastructure Act (SOCI) reforms – what your business needs to know”.
These changes form part of the Australian Government’s focus on uplifting Australia’s critical infrastructure security and resilience in response to the increasing frequency of cyber attacks affecting critical infrastructure assets. Government assistance measures have applied to all critical infrastructure assets since 3 December, while the two positive security obligations – provision of information to the Register of Critical Infrastructure Assets and mandatory cyber incident reporting – have been pending rules “switching on” these obligations and providing further clarity. With the release of the Asset Definition Rules and the Draft Application Rules, affected entities will need to begin taking active steps to comply with their upcoming obligations. The simultaneous release of the SLACIP Bill and Transport Security Bill will also require affected businesses to uplift their cyber security preparedness.
This article examines the impact of the Asset Definition Rules, Draft Application Rules, SLACIP Bill and Transport Security Bill, and also provides key dates businesses will need to be aware of if they intend to engage with government on the proposed raft of changes.
Asset Definition Rules
On 13 December 2021, the Asset Definition Rules were registered on the Federal Register of Legislation. These rules became effective from 14 December 2021 and repealed the Security of Critical Infrastructure Rules 2018 (Cth).
The SOCI Act includes definitions of the various types of critical infrastructure assets covered by the Act, but gives the Department of Home Affairs rule-making powers to prescribe further detail in relation to some of these definitions. The Asset Definition Rules now prescribe thresholds and the circumstances when an asset will fall within the definition of a “critical infrastructure asset” and also specifies certain relevant entities. For example:
- an authorised deposit-taking institution and its related body corporates will form part of the “critical banking assets” definition if it has total assets above $50 billion; and
- “critical supermarket retailers” under the definition of “critical food and grocery assets” include Aldi, Coles and Woolworths.
The Asset Definition Rules also provide specific details of relevant data arrangements responsible entities are required to report as “operational information” on the Register of Critical Infrastructure Assets.
The Asset Definition Rules were developed in consultation with Commonwealth, State and Territory Government partners. A policy paper containing proposed critical infrastructure asset definition rules was also published by the Department in April 2021 through which industry was provided with a further opportunity to engage. Of note is that some of the definitions in the Asset Definition Rules differ from the draft rules. For example, there has been a reduction from 49 intermodal terminals suggested in the draft rules as “critical freight infrastructure assets” to 14 intermodal terminals in the Asset Definition Rules. Businesses should carefully review these rules for relevant thresholds and requirements in respect of data arrangements for reporting to the Register.
Further details can be found in the Explanatory Statement to the Asset Definition Rules.
Draft Application Rules
Under the SOCI Act, the two primary obligations (mandatory reporting of cyber security incidents and providing information to the Register of Critical Infrastructure Assets) will only commence once a Rule is made “switching on” that obligation on for a particular critical infrastructure asset or class of critical infrastructure assets. The Draft Application Rules propose the critical infrastructure asset classes that these positive security obligations will initially apply to and excludes some specific assets, as outlined below. Although the Draft Application Rules designate initial asset classes, it is possible for the Minister to propose more Rules in the future which switch on obligations for additional asset classes.
Unlike the Asset Definition Rules, these Rules require a consultation period with affected entities under the SOCI Act, and submissions on the Draft Application Rules can be made until 1 February 2022.
The critical infrastructure asset classes that the Draft Application Rules propose the obligations apply to are explained below:
Register of Critical Infrastructure Assets
The Minister has proposed to apply the Register obligations to 13 additional critical infrastructure asset classes, including critical electricity and gas assets that newly became critical infrastructure assets due to the Asset Definition Rules. If the Draft Application Rules are implemented, the Register obligations will apply to 15 of the 22 asset classes, as the obligations will continue to apply to the critical infrastructure assets under the original SOCI Act prior to amendment by the SLACI Act .i.e. critical port, water, electricity and gas assets, as well as assets privately declared by the Minister. Affected entities will have a 6 month grace period to comply with this obligation.
Of note is that the critical infrastructure asset classes as defined in the draft Rules differ from those suggested in an industry town hall run by the Cyber and Infrastructure Security Centre on 25 November 2021 (Town Hall). In particular, these proposed rules no longer include critical telecommunications assets. Government recently determined that for critical telecommunications assets, the policy objective underlying this obligation can be achieved through reforms to the Telecommunications Act 1997 (Cth).
Mandatory reporting of cyber security incidents
The Minister has proposed to apply the mandatory reporting obligations to 20 of the 22 critical infrastructure asset classes. This obligation will not apply to critical defence and telecommunications assets. Affected entities will have a 3 month grace period to comply with this obligation. Again, the critical infrastructure assets proposed for this obligation under the Draft Application Rules differ from those suggested at the Town Hall given the exclusion of critical telecommunications assets.
Further details of the Draft Application Rules can be found in the Explanatory Statement.
Exposure Drafts of the SLACIP Bill and Transport Security Bill
The SLACIP Bill contains proposed amendments to the SOCI Act, where it will:
- introduce an additional positive security obligation, the Risk Management Program, which will be applied to entities responsible for critical infrastructure; and
- introduce enhanced cyber security obligations, including vulnerability reporting, cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).
The reforms proposed by the SLACIP Bill were originally intended to form part of the recently passed SLACI Act. However, the above elements were deferred for the separate SLACIP Bill in response to recommendations by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in September 2021. For further information, please see our articles “Reform of Australia’s critical infrastructure laws – PJCIS Report the catalyst for imminent change?” and “Reform of Australia’s critical infrastructure laws”.
The SLACIP Bill has incorporated recommendations by the PJCIS and been shaped by further industry consultation. Government is continuing to engage with industry and seek feedback by hosting four town halls from December to February and inviting submissions.
Further details can be found in the Explanatory Document to the SLACIP Bill.
Transport Security Bill
Parallel reform will also take place in the transport sector, where the Transport Security Bill seeks to implement an enhanced critical infrastructure security regulatory regime for the aviation and maritime transport sectors by amending the Aviation Transport Security Act 2004 (Cth) and the Maritime Transport and Offshore Facilities Security Act 2003 (Cth).
Forming part of the Australian Government’s critical infrastructure reforms and aiming to generally uplift security and resilience across the Australian economy, if passed, the Transport Security Bill will transition the regulatory framework for the aviation and maritime transport sectors from a focus on unlawful interference (terrorism) to encompass an enhanced ‘all hazards’ regulatory framework. Mirroring the mandatory cyber incident reporting requirements in the SOCI Act, the enhanced ‘all hazards’ regulatory framework will encompass any threat that could impact on the confidentiality, integrity, availability, or reliability of an industry participant’s operations.
As with the SLACIP Bill, Government will engage with industry for the Transport Security Bill by hosting town halls in January and inviting submissions.
Further details can be found in the Guide to the Exposure Draft Transport Security Bill.
What do you need to do - key dates and next steps
Organisations can engage in the consultation process on the Exposure Drafts of the Draft Application Rules, SLACIP Bill and Transport Security Bill through town halls and lodging submissions, with key dates to be aware of as follows:
- SLACIP Bill
- Open for public submissions until 9:00am (AEDT) Tuesday 1 February 2022
- Town Hall 1: 1:00pm – 2:00pm (AEDT) Tuesday 21 December 2021
- Town Hall 2: 1:00pm – 2:00pm (AEDT) Tuesday 18 January 2022
- Town Hall 3: 12:30pm – 1:30pm (AEDT) Tuesday 25 January 2022
- Town Hall 4: 1:00pm – 2:00pm (AEDT) Tuesday 8 February 2022
- Transport Security Bill
- Open for public submissions until 11:59PM (AEDT) Tuesday 1 February 2022
- Town Hall 1: 2:00pm – 3:00pm (AEDT) Tuesday 18 January 2022. Register here
- Town Hall 2: 2:30pm – 3:30pm (AEDT) Thursday 20 January 2022. Register here
- Town Hall 3: 1:30pm – 2:30pm (AEDT) Tuesday 25 January 2022. Register here
- Draft Application Rules
- Open for public submissions until 1 February 2022
Authors: Lesley Sutton (Partner), Dal Lim (Lawyer) and Hannah Kaine (Summer Clerk)