Due to the increased risk of cyber attacks, the Cyber and Infrastructure Security Centre (CISC), acting under the instruction of the Department of Home Affairs, has made a strong recommendation to all owners and operators of critical infrastructure assets. It has asked them to voluntarily commence implementing the obligations proposed in the draft Risk Management Rules under the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (Cth) (SLACIP Bill), which is currently before Parliament.
Security of Critical Infrastructure laws
The security of critical infrastructure laws are being introduced in two tranches, and enact (or will enact) the following measures:
1. Amendments already introduced in the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth)
Asset register
If 'turned on' for a particular asset by Rules to be made by the Minister for Home Affairs (Rules), reporting entities must report ownership and operational information to CISC. They must report at the time of registration of the entity and keep CISC updated.
Incident reporting
If 'turned on' for a particular asset by Rules, responsible entities must notify the Australian Cyber Security Centre within 12 hours if there is significant impact on the availability of assets, and within 72 hours if there is relevant impact on the availability of assets.
Government assistance measures
Provided certain pre-requisite conditions are met, the Government will be empowered to issue information gathering and provision of support directions in response to a cyber security incident.
2. Amendments proposed to be introduced in the SLACIP Bill
Risk management program
Although the SLACIP Bill is not yet law, as indicated above, CISC has recommended affected organisations begin voluntarily complying with these requirements. Once enacted as law, if 'turned on' for a particular asset, responsible entities will be required to adopt and maintain a Risk Management Program, with annual compliance certification to CISC.
Enhanced security measures
If the SLACIP Bill is passed in its current form, enhanced security measures would apply to assets that are declared to be ‘systems of national significance’, where such measures are notified to a responsible entity. The measures that could be notified to responsible entities include obligations to:
- prepare incident response plans;
- conduct cyber security exercises;
- conduct vulnerability assessments; and
- provide systems and other information.
More information is available in our updates, First Security of Critical Infrastructure Bill is now live and SOCI Round 2 - Security of Critical Infrastructure regime update.
Responding to cyber security incidents
If your organisation has suffered a cyber incident or data breach, it's best not to panic. We recommend following these steps:
1. Contain the breach
2. Activate
- contingency plans
- incident response plan, including internal escalation pathways and external support (forensic, insurer, legal, PR)
3. Assess and mitigate/remediate
- gather and retain evidence
- protect legal professional privilege
- comply with legal and contractual obligations (including ransomware payments)
4. Notify
- regulators (OAIC, GDPR, APRA etc)
- counterparties to contracts that require notification
- affected individuals
- communications strategy
5. Review
- lessons learned
- update plans and cyber strategy