SOCI-ally aware: More Security of Critical Infrastructure Act reforms on the way
In the face of increasingly sophisticated cyber threats, Australia’s 2023–2030 Cybersecurity Strategy, underpinned by the Cybersecurity Legislative Package 2024, represents a decisive step toward robust critical infrastructure protections. A key part of the package is the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (SOCI Bill), which would amend the Security of Critical Infrastructure Act 2018 (SOCI Act).
The SOCI Act provides a structure for managing Australia’s critical infrastructure. It does this by defining certain assets as ‘critical infrastructure assets’ and imposing obligations on the entities who are responsible for those assets.
At a high level, the key existing obligations on entities responsible for critical infrastructure assets are to:
- register the critical infrastructure asset with the Register of Critical Infrastructure Assets;
- report cyber security incidents within certain timeframes; and
- create and comply with a risk management program relating to the critical infrastructure asset.
The SOCI Bill would update the existing regime by enhancing government powers, refining risk management expectations, and consolidating regulatory oversight of sectors integral to Australia’s national interest.
In this article, we will provide a review of the SOCI Bill’s key amendments, examining the adjustments to critical infrastructure protections, expanded government intervention powers, refined risk and information-sharing processes, and the legal implications for entities tasked with safeguarding Australia’s critical infrastructure.
Expansion of critical infrastructure protections
Many of the key obligations of the SOCI Act apply to ‘critical infrastructure assets’. A critical infrastructure asset is an asset which, if destroyed or damaged, would significantly impact the wellbeing of Australia. There are 11 categories of critical infrastructure asset covered by the SOCI Act (such as communications, energy, and transport), and each category has a different definition for what assets within it are considered to be ‘critical’.
The SOCI Bill would expand the definition of critical infrastructure assets to include secondary assets storing ‘business critical data’. While previous protections applied predominantly to systems directly affecting the operational integrity of critical infrastructure, the SOCI Bill recognises that secondary systems, such as data storage assets holding operational or sensitive data, are vulnerable entry points for cyber threats that could have cascading effects on primary infrastructure.
Key takeaways
- Under the proposed Bill, responsible entities would be required to incorporate data storage systems holding business-critical data within their Critical Infrastructure Risk Management Programs (CIRMP), alongside registering such systems on the Register of Critical Infrastructure Assets.
- Entities must assess each data storage system’s connectivity to primary assets, the criticality of the data it houses, and the potential impact of a compromise.
- This integration ensures that vital, albeit secondary, systems are fortified under the same security requirements as primary operational systems, safeguarding against cascading disruptions.
Enhanced government intervention for multi-asset incidents
Under the current SOCI Act, the Minister can authorise directions to be given to entities experiencing cybersecurity incidents. These include the ability to gather information from an entity, or to require an entity to do, or refrain from doing, certain actions.
A central reform in the SOCI Bill is the expansion of these government intervention powers beyond cybersecurity incidents to address all-hazard scenarios, including physical, personnel, natural, and supply chain risks. The reform would equip the Secretary of the Department of Home Affairs with a ‘last resort’ directions power, authorised by the Minister, to manage critical incidents that involve matters other than cybersecurity and that impact multiple infrastructure assets simultaneously.
The enhanced powers would enable the Secretary to:
- issue information-gathering directions to obtain details necessary for crisis response;
- direct entities to take specific response actions where immediate mitigation is required; and
- enable coordinated response mechanisms across multiple critical assets to ensure the continuity of essential services.
The expanded application of these abilities would not extend to the ‘intervention request’ power, which authorises the Australian Signals Directorate (ASD) to intervene in the event of a cyber incident. That power remains limited to cybersecurity incidents and continues to be a mechanism of absolute last resort.
The Explanatory Memorandum for the SOCI Bill provides the following example of ‘a scenario when the expanded powers may be considered’:
a bushfire damages infrastructure that is part of a large power supply substation. This damage prevents the flow of electricity to smaller distribution substations, disrupting the supply of power to local networks in several rural centres and towns. In this scenario, the large substation is a critical infrastructure asset and provides power generation to smaller local substations that are not critical infrastructure assets. The operator of the larger substation is unwilling to supply alternative generation systems to power the local substations due to cost.
Provided all the legislative conditions outlined above are met, the Minister could authorise the Secretary of the Department of Home Affairs to give an action direction to the operator of the larger substation requiring them to provide mobile generation systems to power the smaller substations. An action direction could also be given to require power generation operators to prioritise the supply of power to critical infrastructure assets such as hospitals and telecommunications towers.
These kinds of natural disaster scenarios go well beyond the cyber security events that would enliven relevant powers under the existing SOCI Act.
How to prepare
- Entities should seek to review and update CIRMPs to ensure they meet the expanded all-hazards definition and revise incident response procedures to align with the broadened intervention powers.
- The expanded intervention powers require entities to examine escalation and response measures for cross-sector cooperation, ensuring compliance with government directions in all hazard scenarios.
- Any existing procedures for reporting to the Australian Cyber Security Centre will also need to factor in the expanded definition of ‘serious cyber incidents’.
Harms-based approach for protected information
The SOCI Bill also introduces a revised definition of ‘protected information’ that employs a harms-based assessment. The current SOCI Act definition of protected information is strict and inflexible, and has the potential to limit information-sharing during incidents where timely dissemination is critical.
The new definition would permit disclosure where the ‘relevant information’ does not prejudice national security, socio-economic stability, commercial interests, or the critical infrastructure asset’s availability and security.
This harms-based assessment empowers entities to evaluate the implications of sharing sensitive data, enhancing cross-industry collaboration and timely responses to threats. For instance, entities may now disclose CIRMP-related information if deemed appropriate, facilitating faster coordination with external consultants, security experts, or government agencies.
How to prepare
- To ensure compliance, entities may seek to update information governance protocols, implementing a two-tier assessment process: (1) classifying and labelling data as ‘relevant information’ and (2) conducting a harms-based assessment to determine whether it constitutes protected information.
- If such information is protected information, entities can integrate data loss prevention (DLP) mechanisms to prevent unauthorised disclosures, along with designated approval procedures to manage disclosure requests.
- Notably, entities should document decision-making processes regarding information sharing, establishing audit trails that reflect compliance with the harms-based criteria.
Authority to direct CIRMP adjustments
The Critical Infrastructure Risk Management Program (CIRMP) is a fundamental compliance mechanism under the SOCI Act, setting out material risks for critical infrastructure assets and how the entity will minimise or mitigate those risks. To date, enforcement capabilities have been limited, with government authorities able to review but not mandate CIRMP revisions.
To enhance oversight, the SOCI Bill empowers the Secretary of Home Affairs to direct entities to rectify CIRMPs deemed ‘seriously deficient’. This intervention supports a proactive regulatory stance, addressing CIRMP deficiencies that may compromise the integrity or availability of critical assets.
The term ‘serious deficiency’ is defined as a risk to national security, defence, or socio-economic stability. Entities found with deficient CIRMPs may receive formal directions specifying corrective measures and timelines for compliance. Entities that fail to comply with such directions will face civil penalties under the amended SOCI framework, underscoring the government’s commitment to pre-emptive risk management.
How to prepare
- Entities may consider utilising third-party audits to identify and address potential deficiencies pre-emptively before being ordered to do so by the Secretary of Home Affairs.
- Additionally, entities may seek to document CIRMP revisions and remedial actions, ensuring preparedness in the event of a direction from the Secretary.
- This oversight mechanism requires a collaborative approach between regulators and entities, with the power to issue directions as a last resort, following consultation.
Integrating telecommunications security obligations
The SOCI Bill consolidates security requirements for critical telecommunications assets under the SOCI Act, integrating provisions previously held separately under Part 14 of the Telecommunications Act 1997. This amendment aligns telecommunications sector security obligations with the SOCI Bill’s ‘all-hazards’ approach, reducing regulatory fragmentation and providing a single compliance pathway for telecommunications providers.
Telecommunications providers must transition their existing Telecommunications Sector Security Reform (TSSR) compliance measures into the SOCI framework, adhering to expanded CIRMP obligations and notifying cyber incidents under SOCI standards.
How to prepare
- This harmonisation effort necessitates a thorough review of current TSSR protocols, ensuring conformity with the SOCI Act’s definitions and risk management criteria.
- Entities may seek to perform a gap analysis to address any definitional discrepancies against the ‘all hazards’ requirements.
- The co-design process for telecommunications sector-specific rules is slated for early 2025 with industry. Carriers and carriage service providers are already working with the government on telecommunications security through the Australian Cyber Security Centre and the Cyber and Infrastructure Security Centre.
Notification obligations for systems of national significance
The SOCI Bill alleviates certain reporting obligations by removing the requirement for direct interest holders to notify the government of changes in holdings for systems of national significance (SoNS). This shift lightens the compliance load for asset owners and enhances the government’s oversight by centralising notifications solely with responsible entities.
How to prepare
- This reduction in reporting requirements simplifies administrative procedures for direct interest holders, enabling more efficient resource allocation toward critical compliance and risk mitigation efforts.
- Entities managing SoNS should update internal policies to reflect these streamlined requirements, consolidating notification workflows to focus on priority compliance activities.
- As part of this streamlining, entities should update notification processes to exclude reporting redundancies for SoNS-related transactions or ownership changes, ensuring alignment with the revised notification standards.
Next steps
The SOCI Bill underscores a strategic pivot towards a holistic, resilient framework for national security, integrating cyber and physical safeguards across essential infrastructure. Entities tasked with managing critical infrastructure are urged to adopt an anticipatory approach to compliance, embedding enhanced risk management and information-sharing across their operational frameworks.
Entities should engage in detailed CIRMP reviews to account for newly identified secondary assets and reassess existing crisis management plans. Such actions will ensure alignment with potential government-directed intervention, particularly given the SOCI Bill’s broadened powers for multi-asset incidents. Entities should establish governance processes for the harms-based disclosure assessment, incorporating operational safeguards to meet the revised information-sharing criteria.
The expanded regulatory landscape under the SOCI Bill demands a cohesive effort among industry stakeholders to safeguard Australia’s critical infrastructure assets in a complex threat environment. By adopting a proactive, legally rigorous approach to SOCI compliance, responsible entities can better position themselves to withstand emerging threats while fulfilling the critical mandate of protecting Australia’s national security interests.
To review our guidance on the Cyber Security Legislative Package, see our article on Australia’s Cyber Security Bill 2024 – Ransomware reporting, safeguards for voluntary co-operation and more.
This article is written by Daniel Kiley, Partner, Max Soulsby, Solicitor, Christopher Power, Graduate and Bellarose Watts, Clerk.