The Government has introduced the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 into the House of Representatives. Background.

The Bill if passed will expand on the Security Legislation Amendment (Critical Infrastructure) Act 2021 which received Royal Assent on 2 December 2021, which implemented key elements of the framework by amending the  Act to introduce:
• mandatory cyber incident reporting; and
• government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks that impact Australia’s critical infrastructure assets.

The Bill gives effect to this framework by introducing:
• critical infrastructure risk management programs for critical infrastructure assets; and
• enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance.

The Act covers financial services and markets as well as the following sectors: communications; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage.

The Bill creates an additional positive security obligation, for responsible entities to adopt and maintain an critical infrastructure risk management program.

This measure is intended to embed preparation, prevention and mitigation activities into the business as usual operating of critical infrastructure assets, ensuring that the resilience of essential services is strengthened.

The obligation to establish, maintain and comply with a critical infrastructure risk management program will only apply if the Minister has made a disallowable legislative instrument (rules) specifying
that the obligation applies in relation to a critical infrastructure asset or class of critical infrastructure assets. The rules will specify if the obligation is ‘switched on’ for a critical infrastructure asset or class of critical infrastructure assets.

The critical infrastructure risk management program will require responsible entities of specified critical infrastructure assets to:
• identify hazards for which there is a ‘material risk’ that the hazard impact their business operations;
• minimise the material risks of those hazards occurring; and
• mitigate the impacts of hazards on the operation of their critical infrastructure asset(s).

Under the enhanced cyber security obligations, the Secretary of Home Affairs may require the responsible entity for a system of national significance to undertake one or more cyber security activities. These include the development of cyber security incident response plans, cyber security exercises to build cyber preparedness, vulnerability assessments to identify vulnerabilities for remediation, and the provision of system information to build Australia’s situational awareness.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.