Security of critical infrastructure update14 July 2022
In response to the increasing seriousness and frequency of cyber-attacks, and as a result of recent changes to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), the mandatory reporting of cyber security incidents affecting critical infrastructure assets has now commenced. This legislation and its speedy implementation are designed to allow the Commonwealth Government to protect and secure infrastructure assets that could have material adverse effects of the Australian economy if compromised.
In our previous article, we reported on the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act), which was the first tranche of legislation to amend the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth), which was the second tranche. The reporting of cyber security incidents became mandatory through the first tranche of amendments, and has now become effective, following the expiry of a transition period.
The expanded definitions of what constitutes “critical infrastructure” and the mandatory cyber security notification requirements in the SLACI Act have been ‘switched on’ by the application rules which took effect on 8 April 2022.
Entities should by now be aware of whether they are caught by this legislation.
The cyber security reporting obligations imposed by the SLACI Act commenced on 8 July 2022. Affected organisations in the following sectors must be ready to comply with these obligations now:
- Data storage or processing
- Financial services and markets
- The water and sewerage
- Healthcare and medial
- Higher education and research
- Food and grocery
- Space technology
- Defence industry
Each responsible entity must notify the relevant Commonwealth body if it becomes aware of a cyber security incident.
If the cyber security incident has had a significant impact on the critical infrastructure asset- as soon as practicable and in any event, within 12 hours after the entity becomes aware that the cyber security incident has occurred, is occurred or is imminent.
If the cyber security incident has had a relevant impact on the critical infrastructure asset- As soon as practicable, and in any event, within 72 hours after the entity becomes aware that the cyber security incident has occurred, is occurring or is imminent.
A “cyber security incident” could be any of the following:
- unauthorised access to, or modification of, computer data or a computer program
- unauthorised impairment of electronic communication to or from a computer, or
- unauthorised impairment of the availability, reliability, security or operation of a computer, computer data, or a computer program.
A "significant impact" is generally where the cyber security incident materially disrupts the availability of essential goods or services, which will be a question of fact and degree in each case.
A "relevant impact" includes any other impact on the availability, integrity, reliability, or confidentiality of the critical infrastructure asset.
Additionally, the Minister for Home Affairs now has various powers to respond to serious cyber security incidents. These powers are detailed in our previous article, and include the ability to give a direction to a responsible entity to do, or refrain from doing, a specified act or thing. This is a broad power and it will be interesting to see how it is used in practice.
Responsible entities of critical infrastructure assets should by now have considered and integrated the provisions described in this article into their risk management frameworks, disaster management plans and training programs for relevant staff. It would also be prudent to open dialogue with the Department of Home Affairs if you have not already done so, to better understand what assistance it can provide and what its expectations are.
Further information and assistance can be found at https://www.cyber.gov.au/.
 Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 issued by Minister for Home Affairs under section 61 of the SOCI Act. The reporting obligations extend to: critical broadcasting assets; critical domain name systems; critical data storage or processing assets; critical financial market infrastructure assets that are a payment system; critical food and grocery assets; critical hospitals; critical freight infrastructure assets; critical freight services assets; critical public transport assets; critical liquid fuel assets; critical energy market operator assets; and critical electricity assets and critical gas assets that were not critical infrastructure assets before the commencement of s18A of the SOCI Act.
 Three months after the commencement of the rules.
 SOCI Act, s30BC(1)(d).
 SOCI Act, s30BD(1)(d).