By Staff Writer.
The Australian Government introduced a second tranche of critical infrastructure security reforms to parliament last week after it successfully passed the first round of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) in November.
The first bill extended the definition of critical infrastructure assets from four to eleven sectors, introducing positive security obligations for those assets and significantly increased government assistance powers.
Controversially, those boosted assistance powers include last resort powers for the Australian Signals Directorate empowering that agency to install and maintain specified computer programs in certain circumstances.
Last week’s bill introduced the first element of the positive security obligations affected entities with those sectors face. Those entities considered to be of national significance will now have to develop and comply with a critical infrastructure risk management program.
“The reforms in the Bill seek to make risk management, preparedness, prevention and resilience, business as usual for the owners and operators of critical infrastructure assets and to improve information exchange between industry and government to build a more comprehensive understanding of threats,” a statement from Home Affairs reads.
Under the enhanced cybersecurity obligations, entities will have to develop and maintain an all-hazards critical infrastructure risk management program. This includes creating a cybersecurity incident response plan, undertaking scenario-based exercises, conducting a vulnerability assessment, and providing access to system information relating to the functioning of a system.
Part Two of the Critical Infrastructure Bill also details what entities within the 14 sectors will be declared entities of national significance and captured by the new legislation. The relevant Home Affairs Minister can amend this list as required.
“The enhanced framework will uplift security and resilience in across Australia’s critical infrastructure assets. This framework, when combined with better identification and sharing of threats, will ensure that Australia’s critical infrastructure assets are more resilient and secure,” the Home Affairs statement adds.
Scott McKinnel from cybersecurity company Tenable, supports the bill saying it will put Australia in a much stronger position to protect vulnerable systems and industries while raising the overall standards of care for critical infrastructure.
“The security legislation bill is a clear insight into the government’s priorities for Australia’s future and a positive step forward when it comes to cybersecurity and the protection of our most important industries,” he says.
But McKinnel does have some reservations about the legislation. He says Tenable is concerned about the forced installation of reporting software. Tenable also argues that the Australian Government will be better placed to recommend topics for cybersecurity exercises rather than designate one of its choosing.
“This will ensure the exercises remain an invaluable tool in developing and testing cyber risk management programs through their relevance to an organisation and buy-in from operational leaders,” McKinnel says.
Home Affairs Minister Karen Andrews says the Critical Infrastructure Bill is necessary, and a partnership approach is the best way to protect entities of national significance from cyber-attacks. The first bill of the Critical Infrastructure Act came into effect in December. However, the Australian Government has not yet announced a timeline for last week’s bill.
