The exposure draft of the Security Legislation Amendment (Critical Infrastructure Protection) Bill - aka SOCI 2 - features a specific part 2C on 'Cyber Security Obligations', described thus in the explanatory statement for the draft Bill -
86. Critical infrastructure assets and the systems they rely on are increasingly interconnected and interdependent. While Parts 2, 2A, and 2B, discussed above, impose obligations to manage risks to the operation of these assets, a small subset of critical infrastructure assets are of the highest criticality due to their interdependences with other critical assets. A closer partnership is required in relation to these systems of national significance, and the computer infrastructure that underpins them, to build enhanced cyber resilience and preparedness.
87. The Australian Government has introduced the enhanced cyber security obligations to strengthen the cyber preparedness and resilience of entities that operate critical infrastructure assets of the highest criticality (system of national significance). Consultation on the Cyber Security Strategy 2020 supported initiatives to enhance cyber information sharing to build a stronger collective understanding of threats to Australian systems. These obligations enable the Government to establish a bespoke partnership, tailored to individual assets, to not only prepare entities to better manage cyber risks but also improve Australia’s situational awareness, particularly as the threat environment worsens.
88. Under Part 6A, the Minister for Home Affairs may declare a critical infrastructure asset to be a system of national significance. Part 2C would provide for a series of enhanced cyber security obligations which may be imposed on the responsible entity for a system of national significance. Responsible entities for Systems of National Significance would not be obligated to comply with each of these enhanced obligations following the Minister’s declaration, but rather may be required to do so, from time to time, following a written notice from the Secretary of Home Affairs. This approach reflects the different nature of the obligations provided under this Part, which are aimed at addressing or identifying vulnerabilities and building resilient practices.
89. The Australian Government would continue to build on the strong voluntary engagement and cooperation with critical infrastructure entities that has underpinned the success of the relationship to date. This includes providing voluntary support and guidance. However, there may be instances where entities are unwilling or unable to voluntarily cooperate and the Enhanced Cyber Security Obligations are necessary.
Division 2 of Part 2C – Statutory incident response planning obligations
90. The first of the enhanced cyber security obligations which the Secretary may require the responsible entity for a system of national significance to comply with is the statutory incident response planning obligation. Incident response plans are designed to ensure an entity has established processes and tools to prepare for and respond to cyber security incidents. Incident response plans would provide assurance to Government that entities are sufficiently prepared for cyber security incidents and would assist entities by clearly articulating ‘what to do’ and ‘who to call’ in the event of a cyber security incident. Clear escalation pathways and processes can be crucial to mitigating and minimising the consequences of fast moving cyber incidents.
91. Section 30CB would enable the Secretary of the Department of Home Affairs to determine that the statutory incident response planning obligations apply to the entity, meaning that it would need to adopt and maintain an incident response plan (section 30CD), comply with the plan (section 30CE), and regularly review (section 30CF) and take all reasonable steps to ensure the plan is up to date (section 30CG).
92. Section 30CJ would provide that an incident response plan is a written plan that relates to the system of national significance, for the purposes of planning for responding to cyber security incidents that could have a relevant impact on the system. The plan would need to comply with any requirements specified in the rules, which may include details on procedures to be included in the plan for responding to a particular cyber security incident.
93. Incident response plans would vary from entity to entity. However, common elements of an incident response plan include definitions of the types of systems being used, details of staff member roles and responsibilities, outlines of common cyber incidents and incident response processes to mitigate and remediate a cyber security incident.
94. A copy of the incident response plan would need to provided to the Secretary of Home Affairs, as soon as practicable after it is adopted or varied. This would ensure Government and entities have the necessary information to activate cyber security incident response arrangements at any point in time, particularly in the event of an emergency.
95. A civil penalty of up to 200 penalty units applies for failure to comply with the obligations in this Division (the value of a penalty unit is currently $222 for offences committed on or after 1 July 2020).
Division 3 of Part 2C – Cyber security exercises
96. The second of the enhanced cyber security obligations which the Secretary may require the responsible entity for a system of national significance to comply with is the requirement to undertake a cyber security exercise.
97. Cyber security exercises are an integral part of an entity’s cyber security procedures, as they are used to test response preparedness, mitigation and response capabilities. Such exercises enable an entity to develop an understanding of how to address a cyber incident through a scenario that requires the entity to draw upon resources, such as incident response plans, relevant legislation, policies and processes to identify the most appropriate response to a cyber security incident. Cyber security exercises can identify gaps in existing approaches and help streamline processes to ensure more effective and efficient responses to threats as they emerge.
98. During consultation on the Cyber Security Strategy 2020, submissions highlighted the importance of joint cyber security exercises involving industry and government to improve entities’ cyber resilience. Noting the interdependencies between critical infrastructure assets, these exercises can be used to develop interoperable response capabilities to prevent a cascading of impacts across sectors.
99. Section 30CM would provide that the Secretary of Home Affairs may, by written notice, require the entity to undertake a cyber security exercise in relation to all types of cyber security incidents, or one or more specified types of cyber security incidents (for example, a denial of service or ransomware attack).
100. The scope of the exercise would be determined based on analysis of threats and incident trends, as well as consideration of the consequential or cascading effects that may occur should the system be impacted by a cyber security incident.
101. A cyber security exercise would be defined in section 30CN to an exercise, the purpose of which is to test the entity’s: ability to respond appropriately to the cyber security incident/s; preparedness to respond appropriately to the cyber security incident/s; and ability to mitigate the relevant impacts the cyber security incident/s could have on the system.
102. Cyber security exercises are generally conducted through one of two formats: discussion-based or tabletop exercises, and operational or functional exercises.
103. The Secretary of Home Affairs may also require that the entity allow specified designated officers to observe the cyber security exercise, provide those officers with access to the premises or other assistance and facilities to allow the observation of the exercise, allow them to make reasonably necessary records and give them notice of when the exercise would commence. A designated officer is defined in section 30DQ to be an employee of the Department of Home Affairs or a staff member of the Australian Signals Directorate.
104. Section 30CQ would provide that, on completion of the exercise, the entity is required to prepare an evaluation report relating to the exercise and give a copy of the report to the Secretary. An evaluation report is a written report the purpose of which is to evaluate the entity’s: ability to respond appropriately to the cyber security incident/s; preparedness to respond appropriately to the cyber security incident/s, and ability to mitigate the relevant impacts the cyber security incident/s could have on the system.
105. However, if the entity has prepared, or purported to prepare an evaluation report, provided it to the Secretary for Home Affairs and the Secretary has reasonable grounds to believe that the report was not prepared appropriately, the Secretary may require the entity to appoint an external auditor to prepare an evaluation report for the entity. Alternatively, if the entity fails to comply with section 30CQ the Secretary for Home Affairs may require an external evaluation report to be prepared by an external auditor. An external auditor is a specified individual authorised by the Secretary as such for the purposes of the Act.
106. A civil penalty of up to 200 penalty units applies for failure to comply with the obligations in this Division (the value of a penalty unit is currently $222 for offences committed on or after 1 July 2020).
Division 4 of Part 2C – Vulnerability assessments
107. The third element of the enhanced cyber security obligations which the Secretary may require the responsible entity for a system of national significance to comply with is the requirement to undertake a vulnerability assessment.
108. Vulnerability assessments are a routine cyber security practice undertaken to identify vulnerabilities or ‘gaps’ in systems which expose them to particular types of cyber incidents. These preparatory activities also enable the entity to evaluate the risk of particular vulnerabilities. This would enable entities that operate Australia’s Systems of National Significance to remediate vulnerabilities before they can be exploited by malicious actors. The identification of vulnerabilities in one system may also enable the remediation of similar vulnerabilities across other critical systems.
109. A vulnerability assessment can consist of a documentation-based review of a system’s design, a hands-on assessment or automated scanning with software tools. In each case, the goal is to identify security vulnerabilities.
110. Section 30CU would provide that the Secretary of Home Affairs may require the entity to undertake, or cause to be undertaken, a vulnerability assessment in relation to the system and a particular type of cyber security incident, or cyber security incidents generally. The entity can undertake this assessment or may choose to engage the services of a third party to undertake the assessment. Prior to making such a request, the Secretary is required to consult with the entity. This consultation requirement would assist the Secretary to determine the entity’s capacity to undertake, or cause to be undertaken, the required vulnerability assessment.
111. If the Secretary of Home Affairs has reasonable grounds to believe that the entity would not be capable of complying with a notice or has not complied with an earlier notice, the Secretary may give a designated officer a written request to undertake the vulnerability assessment and require the entity to provide reasonable access, assistance and facilities to the officer to allow the assessment to be undertaken.
112. If the entity, or a designated officer, undertakes a vulnerability assessment they would need to prepare, or cause to be prepared, a vulnerability assessment report and provide a copy of the report to the Secretary.
113. A civil penalty of up to 200 penalty units applies for failure to comply with the obligations in this Division (the value of a penalty unit is currently $222 for offences committed on or after 1 July 2020).
Division 5 of Part 2C – Access to system information
114. The final of the enhanced cyber security obligations which the Secretary may require the responsible entity for a system of national significance to comply with is the requirement to provide system information.
115. During consultation on the Cyber Security Strategy 2020, stakeholders strongly supported initiatives to improve information sharing to make critical infrastructure more resilient and secure. The provision of system telemetry from Systems of National Significance would support the Government’s ability to build a near-real time threat picture through the CESAR capability and share actionable, anonymised information back out to industry. Aggregated system information, overlaid with intelligence and reporting, would also enable the Government to target its limited capabilities to the threats and vulnerabilities of greatest consequence to the nation.
116. System information is information that relates to the operation of the computer needed to operate a system of national significance. This information may assist with determining whether a power under this Act should be exercised in relation to the system of national significance. However, system information cannot include personal information within the meaning of the Privacy Act 1988. For example, system information may be network logs or alerts that provide visibility of the operation and functioning of a broader computer network. The monitoring of this information can be crucial to identifying a compromise of a system and deploying a rapid response to mitigating its potential impacts.
117. Section 30DB would provide that, if the Secretary of Home Affairs believes on reasonable grounds that the responsible entity for the system of national significance is technically capable of doing so, the Secretary may require the entity to provide the Australian Signals Directorate with periodic reports consisting of specified system information (‘a system information periodic reporting notice’). The Secretary may specify the intervals, manner and form in which the information is to be provided, as well as any other information technology requirements relating to the provision of the information. Depending on the information required and the ability for automated provision (such as automated machine-to-machine cyber threat intelligence sharing), these reports may be required to be made at rapid intervals, for example, every minute.
118. Section 30DC would provide that, if the Secretary of Home Affairs believes, on reasonable grounds, that the responsible entity for the system of national significance is technically capable of doing so, the Secretary may require the entity to provide the Australian Signals Directorate with reports consisting of specified system information as soon as practicable after each incidence of a specified event occurring (‘a system information event-based reporting notice’). For example, a report may be required every time a particular computer program raises a specified class of alert or error message.
119. In deciding whether to give a system information periodic reporting notice or a system information event-based reporting notice, the Secretary of Home Affairs would have to have regard to the costs that are likely to be incurred by the entity in complying with the notice. To support this consideration as well as the determination of whether the entity is technically capable of providing the report, section 30DD mandates that the Secretary of Home Affairs would need to consult with the entity prior to issuing the notice.
120. If the Secretary of Home Affairs does not believe on reasonable grounds that the entity would be technically capable of preparing reports under sections 30DB or 30DC, section 30DJ would provide that the Secretary may require the entity to install and maintain a specified computer program (‘system information software notice’). The computer program may only be specified in the notice if its purpose is to collect and record the required system information and cause the information to be transmitted electronically to the Australian Signals Directorate. The computer program would be provided by the Government and would, for example, operate as a host-based sensor reporting back to the Australian Signals Directorate telemetry information used to monitor the system for malicious behaviour.
121. In deciding whether to give a system information software notice, the Secretary of Home Affairs would need to have regard to the costs that are likely to be incurred by the entity in complying with the notice. To support this consideration, section 30DK mandates that the Secretary of Home Affairs would need to consult with the entity prior to issuing the notice.
122. A civil penalty of up to 200 penalty units applies for failure to comply with the obligations in this Division (the value of a penalty unit is currently $222 for offences committed on or after 1 July 2020).