Critical Infrastructure protections and implementation in Europe and Australia
27 Feb
Author: Helaine Leggat
Cyber-attacks, besides being among the fastest-growing form of crime worldwide, are growing in scale, cost and sophistication. Not only companies but also citizens and entire countries have been affected. The first known cyber-attack on a country’s critical infrastructure was mounted on Estonia in April 2007, affecting the online services of banks, media outlets and government bodies for weeks. Since then, many other countries have suffered cyber-attacks on critical infrastructure, such as on electric power systems, hospitals or water plants. Countries around the world are responding accordingly.
The Security of Critical Infrastructure Act 2018
In March 2022 the Australian Government passed the final amendments to the Security of Critical Infrastructure Act 2018 (SOCI).
The SOCI Act was amended to strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes that SOCI applies to, and by introducing new obligations. It now places obligations on specific entities in the electricity, communications, data storage or processing, financial services and markets, water, health care and medical, higher education and research, food and grocery, transport, space technology, and defence industry sectors.
The NIS2 Directive
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.
NIS2 came into force in January 2023 and all EU member states now have 21 months in which to enact national legislation. They are required to establish the necessary rules, guidance, standards and oversight regimes to improve the cyber resilience and incident response capabilities of public and private sector organisations across the EU.
The annual risk management report for Australian critical infrastructure businesses
Directors and board members of critical infrastructure businesses in Australia will now be required to submit an annual risk management report to the Government under the Critical Infrastructure Risk Management Program (CIRMP). The program aims to protect individuals' sensitive data from being leaked and was developed in response to the devastating Optus and Medibank attacks last year.
Businesses are required to establish, maintain, and comply with a written risk management program that manages the ‘material risk’ of a ‘hazard’ occurring, which could have a relevant impact on their critical infrastructure asset. Responsible entities must identify, and as far as is reasonably practicable, take steps to minimise or eliminate these ‘material risks’ that could have a ‘relevant impact’ on their asset.
Cyber Security Minister Clare O’Neil has said that the program will ensure businesses are better prepared in the event of a cyber incident, as well as other areas of risk. “We must continue to ensure the security of our essential services … and protect them from a range of threats, including cyber, physical, personnel, supply chain and natural hazards,” Minister O’Neil said.
In addition, Minister O’Neil is launching an updated Critical Infrastructure Resilience Strategy, which assists critical infrastructure in responding to cyber, supply chain and physical attacks and ensures they stay operational. The update takes into account new emerging risks and aims to promote co-operation between government agencies and private businesses.
Protecting critical infrastructure and essential services has become an increasing concern over the last few years, with both being increasingly targeted over the pandemic. “The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty,” Minister O’Neil said to The Australian. “The best way to protect our critical infrastructure is through close co-operation between business and government — an alliance that leverages the expertise of all parties and reflects the complex and evolving nature of the threat.”
The heart of the challenge to critical infrastructure is the cyber vulnerabilities introduced through increased digitisation. To address this challenge at scale, Australia has a world-first solution in the form of the Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC), which has been established to tackle this major challenge through sharing cyber threat intelligence.
For further information, we will share some of CI-ISAC’s sector overviews, starting with communications.
CI-ISAC > Communications: sector overview
In December 2021, the Australian Government passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth), building on safeguards established within the Security of Critical Infrastructure Act 2018 (Cth) (SOCI), in response to increasing threats facing Australia’s critical infrastructure and economy. In March 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 was passed, which finalised the package of legislative amendments to the SOCI Act first introduced into Parliament in December 2020.