“Critical infrastructure” covers the can’t-live-without-them sectors. The stuff that “underpins the functioning of Australia’s society and economy and is integral to the prosperity of the nation”. So if you provide a service classed as critical, you’ve probably got a lot on your plate.
In 2022, the Critical Infrastructure Act was updated, and it’s essential for you to get your head around the new rules.
If you don’t, your business faces up to 50 penalty units - and a fine of up to $11,100.
Here’s what you need to know about the Critical Infrastructure Act, in the least dry terms possible.
The Security of Critical Infrastructure Act 2018
The Security of Critical Infrastructure Act 2018 (SOCI Act) was introduced to “manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia's critical infrastructure”, as explained by our mates at the Department of Home Affairs.
Let’s break that down.
The Act is essentially a framework to manage the risks related to critical infrastructure. It involves the government working with industries to make sure Australia can always rely on the services it needs most.
What are Critical Infrastructure Assets?
Critical infrastructure assets are those that are essential to the functioning of the Aussie economy, society and/or national security.
Nope - Tim Tams didn’t make the list. What did make it were things of national strategic and socio-economic importance, as well as assets that need to meet increasingly strict regulations and approval requirements.
The Security of Critical Infrastructure Act 2022 update
The 2018 Act applied to traditional heavy infrastructure. It covered 4 asset classes: electricity, gas, water and maritime ports.
In April 2022, the SOCI Act underwent some changes. Key to the makeover was that those 4 asset classes from 2018 were expanded to 11 critical infrastructure sectors. As well as now capturing assets across a broader chunk of the Australian economy, the 2022 Act also aims to raise the security and resilience of critical infrastructure. The idea is to keep it safe from physical, supply chain, personnel and cyber security threats.
The following have been added to the Act:
- Data storage or processing
- Defence industry
- Financial services and markets
- Food and grocery
- Healthcare and medical
- Higher education and research
- Space technology
- Water and sewerage
If you own or run a business in any of the above asset classes, you may have some obligations to take care of.
My sector is a Critical Infrastructure Asset: what do I do now?
If your sector has found its way onto the new (and improved?) Act, you’re obliged to make some moves. According to the CISC (Cyber and Infrastructure Security Centre), certain entities are required to:
- Provide operational and ownership details to the Register of Critical Infrastructure Assets.
- Report any critical cyber security incidents to the Australian Cyber Security Centre (ACSC) within 12 hours. For non-critical cyber incidents, you have 72 hours to inform the ACSC.
- Adopt, maintain and comply with a written risk management program.
These security obligations can be “switched on” at different times, depending on the asset class.
You also have an ongoing obligation to update the Register should information about your asset change.
What is a cyber security incident? Significant impact vs. relevant impact
Since cyber security is such a big part of what we do here, we thought it made sense to focus on the second obligation: Report any critical cyber security incidents to the ACSC within 12 hours.
A cyber security incident is one that has an impact on a critical infrastructure asset. It can arise from:
- Unauthorised access to a computer system or its data
- Unauthorised communications to or from a computer
- Unauthorised impairment of a computer’s security, operation or reliability
There are two types of cyber security impact to keep in mind: significant and relevant.
A cyber security impact is classed as “significant” when “both the critical infrastructure asset is used in connection with the provision of essential goods and services, and the incident has materially disrupted the availability of the essential goods or services”.
A relevant impact affects the “availability, integrity, reliability or confidentiality” of your business’s asset. However, it doesn’t disrupt your provision of the goods or services that asset delivers.
How to make a cyber security incident report
If your assets have been impacted due to a cyber security incident, you’ll have to report it to the ACSC.
There are 2 ways you can do that:
- Via the phone: call 1300Cyber1 (1300 292 371)
To make a report, you’ll need to provide:
- Contact information
- Organisation information (including ABN)
- Critical infrastructure sector
- The date and time of the incident, and whether it’s ongoing
- Confirmation of whether the incident is having a significant impact on your asset
- Details about the nature of the incident
If there’s a threat to life or safety, call 000 immediately.
What happens if you don't report an incident?
It all sounds like a lot of effort, doesn’t it? So what happens if you just…don’t comply?
Failing to report a cyber incident means you could face a maximum penalty of 50 penalty units, which translates to a fine of up to $11,100.
How to prevent cyber security incidents in the first place
The best approach to keeping your business safe online is prevention. Since you’re responsible for a critical infrastructure asset, levelling up your IT security should be a priority.
Some quickfire ways to protect your organisation against cyber threats include:
- Implement endpoint security
- Educate yourself and your employees
- Update your software
- Install a firewall
- Keep data backed up
- Update access management
- Practise good password hygiene