On 31 March 2022, the Australian Federal Parliament passed the Security Legislation Amendment (Critical Infrastructure Protection) Act (SLACIP Act). The Act amends existing legislation intended to protect Australia’s critical infrastructure from physical offences and cyberattacks.
Entities and organisations operating in the critical infrastructure sectors will now be mandated to upgrade their cybersecurity practices to comply with the obligations contained in the Act.
Here’s everything you need to know about the Critical Infrastructure Act, including the purpose behind implementing the laws and how it will impact companies across Australia.
What is the Critical Infrastructure Act?
What is commonly referred to as the ‘Critical Infrastructure Act’ is actually several pieces of legislation that have been enacted over the last few years. The most recent is the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act).
This bill, which Parliament passed in late March 2022 following review by the Parliamentary Joint Committee on Intelligence and Security, follows on from the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act). Both are amendments to an existing Act, the Security of Critical Infrastructure Act 2018 (SoCI Act).
All of these pieces of legislation form part of the Australian Government’s broader efforts to strengthen the nation’s security and resilience against threats to its critical infrastructure. Essentially, the SoCI Act imposes various security obligations on entities and organisations that own or operate a critical infrastructure asset in Australia.
The latest set of amendments substantially expands the original scope of the SoCI Act, which largely focused on the physical security of traditional infrastructure assets such as electricity and water. The focus has now been extended to cover enhanced cyber security obligations in various sectors across a broader range of assets.
What is the Purpose of the Critical Infrastructure Act?
According to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report for 2020–21, published in 2021, both the severity and the frequency of cyber attacks are increasing: the ACSC received a cybercrime report roughly every eight minutes over the reporting period.
Around a quarter of the cyber security incidents the ACSC responded to were associated with Australia’s critical infrastructure or essential services.
The motivations behind these cyber security incidents vary, but they often target businesses or government agencies in an attempt to steal sensitive data or disrupt operations. The increasing sophistication of these attacks has made them very difficult to defend against, and businesses of all sizes are at risk.
A robust and reliable infrastructure is critical to the functioning of any society. It is the backbone upon which our economies and societies are built, and it is essential to our daily lives. Therefore, ensuring that infrastructure is resilient and protected from threats is a top priority for governments around the world.
In Australia, the Critical Infrastructure Act was recently passed, completing a reform package that will help to ensure the resilience of our essential services.
The Act establishes a new framework for the regulation of critical infrastructure, which includes:
- a risk-based approach to identifying, assessing and managing risks to each critical infrastructure asset;
- obliging responsible entities to take reasonable steps to protect their assets from sabotage, interference, and espionage; and
- giving the Commonwealth Government new tools to manage national security risks to critical infrastructure.
This will ensure that our critical infrastructure is better prepared to withstand and recover from incidents while also protecting it from future threats.
What are Classified as Critical Infrastructure and Critical Infrastructure Assets?
Following the amendments to the SoCI Act, the definition of critical infrastructure and critical infrastructure assets was expanded to include the following 11 sectors:
- Critical Data Storage Or Processing
- Financial Services and Markets
- Communications
- Defence Industry
- Higher Education and Research
- Food and Grocery
- Health Care and Medical
- Water and Sewerage
- Space Technology
- Transport
- Energy
What Does the Critical Infrastructure and Security Legislation Amendment Mean for Australian Organisations?
Entities operating in critical infrastructure sectors in Australia are now required to upgrade their cyber security practices to comply with new mandatory cyber incident reporting obligations and the wider critical infrastructure reforms.
This change will ensure that responsible entities take proactive measures to protect themselves against cyber threats and help the government identify and respond to national security risks in a timely manner.
The new requirements apply to a range of industries, including energy, water, transport, and communications. Affected entities will need to have systems in place to detect, assess, and report cyber incidents and take steps to prevent future attacks. Under the mandatory reporting regime, a critical cyber security incident (one having a significant impact on the availability of the asset) must be reported to the ACSC within 12 hours of the entity becoming aware of it, and any other cyber security incident with a relevant impact on the asset within 72 hours.
While the obligations may seem onerous at first, they are essential for protecting Australia’s critical infrastructure from the growing threat of cybercrime.
The original SoCI Act 2018 primarily required responsible entities to provide ownership and operational information for a register of critical infrastructure assets. The 2021 amendments (SLACI Act) added mandatory cyber incident reporting and government assistance measures, and the 2022 amendments (SLACIP Act) introduced the requirement to adopt and maintain a Critical Infrastructure Risk Management Program. The program uses a risk-based approach to identify, assess and respond to hazards (cyber, personnel, supply chain and physical) that could affect the availability, integrity, reliability or confidentiality of a critical infrastructure asset.
Essentially, the aim of mandating the program is to ensure that organisations are identifying and assessing, and establishing ways to mitigate those risks.
What Do You Need To Do?
Owners and operators of “critical infrastructure assets” should consider the following factors given the expanded scope of the legislation:
- Consider how this new regime might impact any existing reporting obligations under other legislation or regulations.
- Cyber-attack response and recovery plans need to be proactive and comprehensive enough to meet the 12-hour and 72-hour reporting windows under the SLACI Act. Plans should also be regularly reviewed and updated.
- Directors now face a much higher degree of accountability for cyber breaches: under the SLACIP Act the board must approve an annual report on the Risk Management Program, so director training programs should be updated accordingly.
- The SLACI Act’s reporting obligations have significant implications for how cyber security teams investigate and report cyber-attack incidents, which could mean additional or updated training for those teams.
- If you have not already done so, you might want to implement a training program to ensure that all staff of affected entities are aware of what needs to be done and when.
Beyond implementing new training programs and policies within the organisation, it may be prudent to review your Personnel Security, including more thorough background checks of new candidates.
While organisations must manage many different types of risks, one of the most potentially destructive is people risk. Basically, this refers to the possibility that employees, contractors, or other personnel may exploit weaknesses within an organisation.
Background checks and ongoing screening of employees can mitigate people risk and reduce the possibility of critical assets being threatened by insiders.
By taking these steps, organisations can help to ensure that their critical infrastructure assets are protected from the inside out.
How Can Accurate Australia Help?
When organisations face ever-increasing pressure to hire the right candidate, it has become even more critical to ensure that you are effectively pre-screening candidates.
Accurate Australia is a digital platform that streamlines the screening process, making it more efficient and cost-effective. Accurate Australia verifies an applicant’s identity, employment history, and qualifications, giving organisations reliable information on which to base hiring decisions. In addition, Accurate Australia offers a range of other services, such as background checks and psychometric testing. As a result, Accurate Australia is an essential tool for any organisation that wants to recruit with confidence.
If you would like to know more about our recruitment and screening service and how it can help mitigate internal risk, get in touch with us today!