{"id":166171,"date":"2022-07-01T10:29:19","date_gmt":"2022-07-01T17:29:19","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=166171"},"modified":"2022-07-05T08:17:47","modified_gmt":"2022-07-05T15:17:47","slug":"australias-critical-infrastructure-reforms","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2022\/07\/australias-critical-infrastructure-reforms\/","title":{"rendered":"An Overview of Australia\u2019s Critical Infrastructure Reforms"},"content":{"rendered":"<p>On 2 April 2022, the Australian Government\u2019s final tranche of amendments to the <a href=\"https:\/\/www.legislation.gov.au\/Details\/C2022C00160\" rel=\"nofollow,noopener\" ><em>Security of Critical Infrastructure Act 2018<\/em><\/a> (herein referred to as \u201cthe Act\u201d) achieved royal assent. These amendments completed the Government\u2019s series of reforms aimed at enhancing Australia\u2019s critical infrastructure resilience.<\/p>\n<p>Around the world we have seen a growing range of cyber security threats levelled against critical infrastructure, including the recent high-profile SolarWinds, Exchange and Colonial Pipeline attacks. Australia is not immune from this trend. 
During 2020-21, approximately <a href=\"https:\/\/www.cyber.gov.au\/sites\/default\/files\/2021-09\/ACSC%20Annual%20Cyber%20Threat%20Report%20-%202020-2021.pdf\" rel=\"nofollow,noopener\" >one quarter of cyber incidents<\/a> reported to the Australian Cyber Security Centre (ACSC) were associated with Australia\u2019s critical infrastructure or essential services.<\/p>\n<p>Cyber security threats are only set to increase, particularly as technology and connectivity become more pervasive and underpin our critical infrastructure services.<\/p>\n<h2><a id=\"post-166171-_jj0dp958to4f\"><\/a>An Overview: Australia\u2019s Critical Infrastructure Reforms<\/h2>\n<p>The Australian Government\u2019s reforms seek to improve the cyber security posture and resilience of Australia\u2019s \u201ccritical infrastructure assets\u201d and \u201csystems of national significance\u201d (more on this below) through the following four measures:<\/p>\n<p style=\"padding-left: 40px;\"><em>1. Increasing the Number of Australia\u2019s Regulated Critical Infrastructure Sectors<\/em><\/p>\n<p>The Australian Government has now increased the number of regulated critical infrastructure sectors from the previous four sectors (electricity, gas, water and ports) to the following 11 sectors:<\/p>\n<ul>\n<li>Financial Services and Markets<\/li>\n<li>Communications<\/li>\n<li>Data Processing and Storage<\/li>\n<li>Defence Industry<\/li>\n<li>Higher Education and Research<\/li>\n<li>Energy<\/li>\n<li>Food and Grocery<\/li>\n<li>Health Care and Medical Sector<\/li>\n<li>Space Technology<\/li>\n<li>Transport<\/li>\n<li>Water and Sewage<\/li>\n<\/ul>\n<p>This expanded scope recognises and reflects the range of sectors critical to Australia\u2019s national security, as well as its economic and social prosperity.<\/p>\n<p style=\"padding-left: 40px;\"><em>2. Establishing \u201cPositive Security Obligations\u201d for \u201cCritical Infrastructure Assets\u201d<\/em><\/p>\n<p>\u201cCritical infrastructure assets\u201d must be drawn from the above 11 \u201ccritical infrastructure sectors.\u201d Under the Act, the Minister may \u201cturn on\u201d any or all of the following obligations for an asset:<\/p>\n<p style=\"padding-left: 40px;\">A. Provide Government with the information necessary to be placed on its register of critical infrastructure assets. This may include a comprehensive picture of ownership and operational arrangements.<\/p>\n<p style=\"padding-left: 40px;\">B. Adopt a critical infrastructure Risk Management Program (RMP), which should take an all-hazards approach across cyber, physical, natural hazard, personnel and supply chain risks. Organisations are required to report to the Government annually on their RMPs, with board-level sign-off that the RMP is up to date at the end of the financial year. Organisations must also report to the Government if a hazard had a \u201csignificant relevant impact\u201d during the period and required an RMP update.<\/p>\n<p style=\"padding-left: 40px;\">C. Adhere to mandatory cyber incident reporting requirements. Under the Act, critical infrastructure assets have an obligation to report cyber incidents to the ACSC in two defined categories:<\/p>\n<p style=\"padding-left: 80px;\">a. \u201cCritical Cybersecurity Incidents\u201d must be reported within 12 hours of the responsible entity becoming aware of the event. If the first report is given orally, a written report must be provided within 84 hours of that first report.<\/p>\n<p style=\"padding-left: 80px;\">b. \u201cOther Cybersecurity Incidents\u201d must be reported within 72 hours of the responsible entity becoming aware of the event. If the first report is given orally, a written report must be provided within 48 hours of that first report.<\/p>\n<p>Per the Act, this reporting obligation is intended to help the Australian Government gain better insight into the cyber threat landscape and, as appropriate, support incident response.<\/p>\n<p style=\"padding-left: 40px;\"><em>3. Introducing \u201cEnhanced Cyber Security Obligations\u201d for \u201cSystems of National Significance\u201d<\/em><\/p>\n<p>The Minister for Home Affairs has the ability to designate entities as \u201csystems of national significance\u201d (SoNS) \u2013 a smaller subset of critical infrastructure assets that are most crucial to the nation by virtue of their interdependencies across sectors and the potential for cascading consequences if they are disrupted. SoNS entities may be subject to enhanced cyber security obligations: in addition to meeting the positive security obligations listed under item 2 above, they may need to take the following further steps:<\/p>\n<p style=\"padding-left: 40px;\">A. Adopt and maintain incident response (IR) plans, and take reasonable measures to regularly review and update those IR plans. Entities may also be required to provide a copy of their IR plans to the Government as soon as practicable after the plan\u2019s adoption or update.<\/p>\n<p style=\"padding-left: 40px;\">B. Undertake cyber security exercises within a specified period, prepare a report evaluating the exercise, and provide a copy to the Government. The entity may also be required to allow one or more government officers to observe the cyber security exercise.<\/p>\n<p style=\"padding-left: 40px;\">C. Undertake vulnerability assessments within a specified period and provide a report to the Government. 
In certain circumstances, a SoNS entity may be directed to have a Government officer undertake the vulnerability assessment on its behalf.<\/p>\n<p style=\"padding-left: 40px;\">D. Provide system information to the Government on a periodic or event-driven basis. In certain circumstances, a SoNS entity can be directed to install software that sends system information directly to the Government.<\/p>\n<p style=\"padding-left: 40px;\"><em>4. Establishing Government Assistance Powers<\/em><\/p>\n<p>Finally, the Act provides the Australian Government with information-gathering, action-direction and intervention powers, to be exercised as a \u201clast resort\u201d in circumstances where a cyber security incident has impacted, is impacting or is likely to impact a critical infrastructure sector.<\/p>\n<h2><a id=\"post-166171-_65qh08o06xbf\"><\/a>Getting Ready for Australia\u2019s Critical Infrastructure Reforms<\/h2>\n<p>To help ensure your organisation is ready for these reforms, you may want to consider the following measures:<\/p>\n<ol>\n<li>Review the Act and seek legal advice on the nature and extent of your obligations.<\/li>\n<li>Connect with the Australian Government to learn more about these reforms. The <a href=\"https:\/\/www.cisc.gov.au\/\" rel=\"nofollow,noopener\" >Cyber and Infrastructure Security Centre<\/a> has a range of helpful factsheets.<\/li>\n<li>Consider an organisational review of key practices and procedures. In particular, consider updating your IR plans: responding to an incident is stressful enough, and well-prepared entities are more likely to be ready to meet their incident reporting requirements. You may also want to self-assess against key international risk management standards, such as ISO 27001.<\/li>\n<li>Seek buy-in from your corporate board. 
Given that boards will have a role under the Act, organisations may want to brief their board and other executive stakeholders, highlighting areas where further investment and focus may be required.<\/li>\n<li>Consider organisational roles and responsibilities. Ensure your organisation has clear internal accountability and responsibilities for cyber security.<\/li>\n<\/ol>\n<p><strong>Conclusion<\/strong><\/p>\n<p>The loss of a critical infrastructure service could have devastating impacts across Australia. In recognition of this, the Australian Government passed these reforms to set the strategic vision for uplifting cyber security across those services most integral to our national security and economic prosperity.<\/p>\n<p>Palo Alto Networks is committed to assisting our customers on their road towards compliance with Australia\u2019s new critical infrastructure reforms. Organisations that are unsure of the Act\u2019s applicability to them should seek independent legal advice.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Palo Alto Networks is committed to assisting our customers on their road towards compliance with Australia\u2019s new critical infrastructure 
reforms.<\/p>\n","protected":false},"author":723,"featured_media":166175,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[308,6769],"tags":[123],"coauthors":[7248],"class_list":["post-166171","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-public-sector","tag-government2"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/07\/Meeting-3.jpg","jetpack_sharing_enabled":true}