The exposure draft of the Security Legislation Amendment (Critical Infrastructure Protection) Bill - SOCI 2 - includes a requirement to 'Establish, maintain, and comply with a Risk Management Program' -
11. The Risk Management Program would require owners and operators of critical infrastructure assets to manage the material risk of any hazards occurring, which pose a risk of impacting on the availability, integrity or confidentiality of the critical infrastructure asset. Where possible, the requirements under the Risk Management Program recognise or build on existing regulatory frameworks to minimise the regulatory burden on industry. Indeed, the Government has kept the public interest criteria in the proposed Bill to ensure that cost and the need to switch on the obligation through a rule following formal consultation is maintained. This ensure that if an existing regulation already exceeds the Risk Management Program requirement, there is not a duplicative set of obligations in place.
12. The Exposure Draft sets out the overarching obligations for the Risk Management Program with the more detailed requirements to be contained in rules that have been developed with industry during an extensive consultation process.
Enhanced Cyber Security Obligations for Systems of National Significance
13. The Enhanced Cyber Security Obligations would, if implemented, support a bespoke, outcomes- focused partnership between Government and Australia’s most critical assets – declared as systems of national significance’. These obligations would enhance the already mature Government-industry information sharing arrangements to build an aggregated threat picture and provide Government with a comprehensive understanding of the ability of entities responsible for Systems of National Significance to respond appropriately to, or mitigate the impact of, a cyber security incident. Importantly all obligations are exclusively outlined in the proposed bill.
14. Systems of National Significance are proposed to be a significantly smaller subset of critical infrastructure assets that, by virtue of their interdependencies across sectors and cascading consequences of disruption to other critical infrastructure assets and critical infrastructure sectors, are crucial to the nation.
15. Should the Minister for Home Affairs declare a critical infrastructure asset to be a System of National Significance, the Secretary of the Department of Home Affairs may require the responsible entity for a System of National Significance to undertake one or more prescribed cyber security activities. This does not mean that all obligations would apply. They would be considered on a case by case basis following consultation with the System of National Significance. The exclusive and exhaustive list of possible obligations include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and provision of system information to build Australia’s situational awareness. The Exposure Draft explicitly requires the Secretary of the Department of Home Affairs to request the prescribed activity in order to ensure activities have a clear, stated security objective.
16. Through consultation on these reforms, stakeholders have consistently supported greater threat information sharing and partnerships with Government. The Enhanced Cyber Security Obligations would support the bi directional sharing of threat information to provide industry with a more mature understanding of emerging cyber security threats, and the capability to reduce the risks of a significant cyber attack against Australia’s most critical assets.
Create a mechanism to declare critical infrastructure assets of the highest criticality as systems of national significance
17. The Exposure Draft sets out a new proposed Part 6A outlining the mechanisms for making a declaration to define critical infrastructure assets that are the most interconnected and interdependent assets, and critical to the security, economy and sovereignty of Australia, as Systems of National Significance, and enabling the requirement for enhanced cyber security obligations.
18. The Minister for Home Affairs would have ability to privately declare a critical infrastructure asset to be a system of national significance, once they have considered the asset’s interdependencies with other critical infrastructure assets, and the consequences to Australia’s national interest if the asset is significantly impacted.
Other measures
19. The Exposure Draft proposes information sharing provisions to make it easier for regulated entities to share information with their relevant regulator(s).
The statement indicates
Combined, the SOCI Act and the proposed rules would ultimately require responsible entities of critical infrastructure assets to manage security risks by meeting the following principles-based outcomes:
a. Identify material risks – Entities would have a responsibility to take an all-hazards approach when identifying risks that may affect the availability, integrity, reliability and confidentiality of their asset. This would require considering both natural and human induced hazards, which pose a material risk, with the detail outlined in rules that have been designed with industry. This may include understanding how these risks might accumulate throughout the supply chain, understanding the way systems are interacting, and outlining which of these risks may have a significant consequence to core service provision.
b. Mitigate risks to prevent incidents – Entities would be required to understand the identified risks and have appropriate risk mitigations in place to manage those risks so far as is reasonably practicable. Risk mitigation should consider both proactive risk management as well as having processes in place to detect and respond to threats as they are being realised to prevent the risk from eventuating.
c. Minimise the impact of realised incidents – Entities would be required to have robust procedures in place to mitigate, so far as is reasonably practicable, the impacts in the event a threat has been realised and recover as quickly as possible. This may include ensuring plans are in place for a variety of incidents, such as having back-ups of key systems, adequate stock on hand, redundancies for key inputs, out-of-hours processes and procedures, and the ability to communicate with affected customers.
d. Effective governance – Through rules, entities would be required to have appropriate risk management oversight arrangements in place, including evaluation and testing. This would involve strong governance with clear lines of accountability, demonstrated comprehensive planning, and a robust assurance and review process. Compliance would be assessed by the relevant regulator, noting that what is appropriate would be unique to each entity. Regulators would focus on security and resilience outcomes and seek to avoid compliance action wherever possible.\
71. Subsection 30AH(1)(c) specifically requires the critical infrastructure Risk Management Program to comply with any requirements specified in the rules. At a minimum, it is proposed that rules, to be developed with industry, would require responsible entities to consider and address risks in the following four domains:
a. Physical security and natural hazards: This includes risk of harm to people and damage to physical assets. For example, mechanical failures, natural hazards such as floods and cyclones, as well as human induced hazards such as terrorism.
b. Cyber and information security hazards: Malicious cyber activity is one of the most significant threats facing Australian critical infrastructure assets and can range from denial of service attacks, to ransomware and targeted cyber intrusions.
c. Personnel security hazards: This refers to the ‘insider threat’ or the risk of employees exploiting their legitimate access to an organisations’ assets for unauthorised purposes including corporate espionage and sabotage.
d. Supply chain hazards: The reliance on supply chains inherently involves dependencies on other assets, or providing other entities with some level of access to, or control of, your asset or business’ deliverables. As is the case for personnel risk, supply chain risks relate to entities exploiting their legitimate access to, or control of, an organisations’ assets for unauthorised purposes or otherwise creating a cascading impact to dependent assets.
As forecast, the Bill encompasses vetting, with the statement indicating
Background checking
77. Trusted insiders are potential, current or former employees or contractors who have legitimate access to information, techniques, technology, assets or premises. Trusted insiders can intentionally or unknowingly assist external parties in conducting activities against the organisation or can commit malicious acts of self-interest. Such action by a trusted insider can undermine or severely impact the availability, integrity, reliability or confidentiality of those assets captured as critical infrastructure assets.
78. Recognising the importance of personnel security, the Exposure Draft would make two key amendments to support industry’s ability to understand and manage personnel security risks through background checking.
79. The Exposure Draft would insert new paragraph 8(1)(ba) into the AusCheck Act 2007 to provide the ability for the AusCheck scheme prescribed in the AusCheck Regulations 2017 to be amended to enable industry to utilise background checking of an individual if that entity considers that individual to be a critical employee or a member of critical personnel. Please note that this is not a mandatory background check for critical infrastructure. Nor is it to be used as a justification for excessive and unwarranted background checking of staff. The provisions to enable entities to conduct background checking of critical employees or personnel under the critical infrastructure Risk Management Program would be made by rules under new subsection 30AH(4).
80. Currently, the AusCheck Scheme has been established to provide background checking services for the Aviation Security Identification Card (ASIC), Maritime Security Identification Card (MSIC), National Health Security (NHS) check schemes, and in relation to Major National Events (MNE), amongst others.