INSIGHT

Proposed updates to security of critical infrastructure legislation

By Valeska Bloch, William Coote, Max Jones
Topics: Cybersecurity & Privacy, Defence, Energy, Infrastructure, Technology, Telecommunications

In brief

As part of a broader strategy to strengthen the security of Australia's infrastructure, particularly cybersecurity, the Government has released exposure drafts of its Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Draft Bill) and accompanying Intelligence Services Regulations 2020.

The proposed regulations will implement changes initially put forward in August (and foreshadowed during industry workshops held in September) to expand the application of the Security of Critical Infrastructure Act 2018 (SCI Act) to cover a far broader cross-section of the Australian economy.

The Draft Bill will affect entities operating in the following sectors:

  • Communications;
  • Data storage and processing;
  • Defence;
  • Financial services and markets;
  • Food and grocery;
  • Higher education and research;
  • Health care and medical;
  • Transport;
  • Energy;
  • Space technology; and
  • Water and sewerage.

Key takeaways

  1. The Draft Bill expands the scope of existing obligations under the SCI Act and introduces a host of new obligations. These include obligations to:
    1. Adopt and maintain a risk management program that aligns with sector-specific rules.
    2. Provide an annual written report (in the required form), signed by each member of the board or other governing body, attesting as to whether the entity's critical risk management program was up to date at the end of the financial year and providing information about hazards that had a significant impact on relevant critical infrastructure assets.
    3. Assist the government in responding to cybersecurity incidents by providing information and complying with directions. In very limited circumstances, the government may also authorise the Australian Signals Directorate (ASD) to step in to respond to an incident (including allowing it to access, modify or analyse computer systems or data).
    4. Provide ownership and operational information in respect of critical infrastructure assets, in line with existing SCI Act obligations.
    5. Report cyber security incidents to the ASD within relatively short timeframes.
    6. Notify data storage and processing service providers, if the services being provided relate to 'business critical data'. Business critical data includes Personal Information relating to 20,000+ individuals, Sensitive Information (as defined under the Privacy Act) or certain classes of data relating to a critical infrastructure asset.

      Whether some or all of the above obligations apply to an entity will depend on whether it is classified as a 'responsible entity' or a 'relevant entity' in respect of a regulated 'critical infrastructure asset' (see the sector-specific application tables below).
  2. A handful of entities will also be subject to additional cyber security obligations if the assets they own or operate are declared by the Minister to be systems of national significance. These obligations may include adopting incident response plans, undertaking cyber security exercises and vulnerability assessments, and providing the ASD with access to system information.
  3. Failure to comply generally attracts civil penalties of between 50 and 200 penalty units (between $11,100 and $44,400) per breach. There are also a small number of offences (e.g. breaching a direction to do an act or thing to respond to a cyber security incident). Infringement notices can also be issued for non-compliance with these obligations, meaning there is an easy path to enforcement which does not require the relevant regulator(s) to institute legal proceedings in the first instance. Infringement notices can be issued (in relation to a body corporate):
    1. in respect of single contraventions, for the lesser of:
      1. 1/5 of the maximum civil penalty for that contravention; and
      2. 60 penalty units ($13,320).
    2. in respect of multiple contraventions, for the lesser of:
      1. 1/5 of the total maximum civil penalties for the contraventions; and
      2. 60 penalty units multiplied by the number of contraventions.
  4. Sector-specific rules will be developed in consultation with regulated industries, which will inform the scope and content of obligations in the Draft Bill, and will specify an appropriate regulator for each sector. While some of these details are not yet known, the Department of Home Affairs (Department) has made initial proposals for some sectors in its Explanatory Document.
  5. The significant expansion of the definition of 'critical infrastructure asset' is expected to result in many more transactions being subject to a FIRB approval requirement. This is because the proposed changes to the FIRB regime include a new requirement to obtain FIRB approval to acquire a 10%+ interest in any 'national security business', which will be defined to include 'responsible entities' and 'direct interest holders' of critical infrastructure assets within the meaning of the Security of Critical Infrastructure Act 2018.
  6. Affected entities will have opportunities to shape the regime through consultation on the Draft Bill, and on the development of the sector-specific rules next year which will sit alongside it. In responding to the Draft Bill, some issues that warrant particular consideration may include:
    1. The obligation to notify data storage and processing service providers that their services relate to 'business critical data' – we consider this obligation to be very broad, and expect it will require the notification of a large number of IT outsourced service providers (both existing and prospective) (section 12F(3)).
    2. The potential impact of government assistance obligations, including the impact if government were to exercise its rights to obtain sensitive information, issue directions or exercise step-in rights, and whether the proposed guardrails and thresholds are sufficient (Part 3A).
    3. The extent to which the proposed obligations in the Draft Bill overlap or conflict with existing regulatory regimes. A number of the affected sectors are already subject to security regulation, and there is a risk additional obligations could lead to duplication or inconsistency. The Department has indicated that sector-specific rules will be tailored to avoid these issues, and has already flagged sectors where it expects to rely on or leverage existing frameworks. However, consideration should still be given to whether they arise on the face of the Draft Bill.
    4. Given the obligations under the Draft Bill only apply to an entity in respect of relevant regulated assets, there may well be some assets of a regulated entity which are not caught. Consideration should be given to how new requirements will be operationalised, taking into account the effect on its business as a whole.

What to do next

  • Register to attend the Town Hall event on 19 November or 23 November, which will provide an opportunity to learn more about the reforms (register here).
  • Make your submission on the proposed reforms (here). Submissions close at 5:00pm (AEDT) on Friday 27 November 2020.
  • Once the Draft Bill is finalised, members of regulated sectors will have the opportunity to participate in the development of sector-specific rules to further define the scope and content of obligations. Updates on the consultation process will be published on the Department website and CIC website, and we will keep you updated as the regime develops.

Implementation timeframe

Amendments to the SCI Act are expected to be introduced to Parliament by the end of the year. Following co-design of the sector-specific rules, which will take place in early 2021, the obligations are intended to take effect from mid-2021.

Summary of obligations under the Draft Bill

The existing and new obligations under the SCI Act will be imposed using a tiered approach, with three 'categories' of obligations, each applying to a progressively narrower group of entities within a sector. While this basic structure applies across the board, the thresholds for application vary from sector to sector. An obligation also applies across all sectors for entities to notify data service providers that host their business critical data.

Sector-specific rules will inform the obligations under the SCI Act and their scope, including by further defining the boundaries for critical infrastructure assets, informing the content of the positive security obligations under the Draft Bill, and specifying sector-specific regulators, which may or may not include the Department.

Category 1 – Government assistance obligations (Part 3A)
Application / Key obligations and provisions
  • Applies to a relevant entity in respect of an asset affected by a cyber security incident.
  • 'Relevant entity' encompasses a broad range of entities, including:
    1. the responsible entity for an asset (see below);
    2. a direct interest holder in relation to the asset;
    3. an operator of the asset; or
    4. a managed service provider for an asset.
  • A 'cyber security incident' is an act, event or circumstance involving unauthorised access, modification or impairment of computer data, a computer program or a computer.
  • However, these powers are an emergency mechanism, and can only be used where (per section 35AB):
    1. a cyber security incident has occurred, is occurring or is imminent;
    2. the cyber security incident impacts or is likely to impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset;
    3. there is a material risk that the incident seriously prejudices or is likely to seriously prejudice, the social or economic stability of Australia and its people, the defence of Australia, or national security; and
    4. the Minister is satisfied that no existing regulatory scheme can be used to provide a practical and effective response to the incident.
  • In response to a cyber security incident the Government can issue directions:
    1. Requiring disclosure of information to a relevant entity it believes has information that may assist with determining whether a power under the Act should be exercised in relation to the incident/asset. Information must be likely to facilitate a practical and effective response (see sections 35AB and 35AK);
    2. Requiring an entity to do an act or thing in circumstances where the entity is unwilling or unable to resolve the incident (see sections 35AB and 35AQ); or
    3. Allowing the ASD to step in to do one of a limited list of acts or things (including accessing, modifying or analysing computer systems or data), in circumstances where directing the entity to do the act or thing would not be practical or effective, including where the entity is unwilling or unable to do the act or thing itself (see sections 35AB, 35AC and 35AX).
  • Safeguards against the abuse of these powers include that:
    1. directions must be proportionate and technically feasible;
    2. directions requiring an act or thing or allowing step in must be reasonably necessary to respond to the incident;
    3. a direction allowing step in must be authorised by the Prime Minister or Defence Minister;
    4. a direction can only operate for up to 20 days, and must then be renewed;
    5. the Government cannot require information, or use its step in powers to do something, that would amount to prohibited interception or access under the Telecommunications (Interception and Access) Act 1979 or the Telecommunications Act 1997;
    6. information provided cannot be used as evidence against the provider, except in connection with the SCI Act for proceedings (under the Criminal Code) relating to false or misleading information or documents, or civil proceedings for failure to comply with the direction;
    7. the Government cannot direct a person to take offensive cyber action outside its systems – the regime focusses on protecting and defending assets; and
    8. an entity will not be liable in damages for complying in good faith with a direction.
  • The Draft Bill amends the Administrative Decisions (Judicial Review) Act 1977 to provide that decisions made under this Part are not subject to judicial review, largely due to national security considerations and concern with making information about cyber security incidents public. Although this excludes a legislative pathway for reviewing the legality of a decision, the original jurisdiction of the Federal Court and High Court are unaffected.

Category 2 – Positive security obligations (Parts 2, 2A and 2B)
Application / Key obligations and provisions
  • May apply to a responsible entity for one or more critical infrastructure assets within a regulated sector (see sector-specific definitions below).
  • These obligations will not automatically apply, and will need to be 'switched on' by the Minister (sections 18A, 30AB and 30BB). For example, the Minister might choose to apply obligations to only certain classes of assets within a sector to avoid duplicating obligations or reporting that occur in accordance with existing regulatory frameworks.

There are 3 key positive security obligations.

(1) Provide ownership and operator information

  • Provide ownership and operator information for the Government's Register of Critical Infrastructure Assets, a non-public register used to assist the Government to gain visibility of who owns, controls and has access to critical infrastructure assets. This obligation builds on the existing obligations in the SCI Act relating to the Register, to which responsible entities will be subject.

(2) Adopt and maintain a critical infrastructure risk management program

  • The Draft Bill sets out overarching, principles-based outcomes, providing that risk management programs must:
    • identify hazards that present a material risk to the availability, integrity, reliability and confidentiality of critical infrastructure assets, information or data about, or stored in, those assets;
    • mitigate risks to prevent incidents;
    • minimise the impact of realised incidents; and
    • implement effective governance and oversight procedures, including testing and evaluation, relating to security.
  • Specific requirements of the risk management program, as well as guidance on regulatory expectations (e.g. for frequency of testing and updating the risk management program) will be co-developed with industry in sector-specific rules. The rules may also recognise where existing industry standards and practices are sufficient, or provide clarity for entities with assets within multiple definitions of critical infrastructure asset to avoid duplicate or conflicting requirements.
  • Regulated entities will need to report annually on their risk management program.

(3) Report cyber security incidents

  • Cyber security incidents must be reported to the ASD (or another body prescribed in the sector-specific rules). There are two tiers of reportable incidents:
    • Critical cyber security incidents must be reported within 12 hours of the responsible entity becoming aware that the incident is 'critical' (meaning that it had or is having a significant impact on the availability of the relevant critical infrastructure asset). The CIC will issue sector-specific guidance to assist in determining whether an incident meets this threshold.
    • Other cyber security incidents must be reported within 24 hours of becoming aware that the incident has occurred, is occurring or is imminent, and has had, is having or is likely to have any impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset.

Category 3 – Enhanced cyber security obligations (Part 2C)
Application / Key obligations and provisions
  • The Minister may declare a particular critical infrastructure asset to be a system of national significance, having regard to the nature and extent of interdependencies between the asset and other critical infrastructure assets or any other relevant matters, and following consultation with the responsible entity (section 52B).
  • No systems of national significance have been declared at this stage.

These obligations require close partnership between responsible entities and government, including obligations to:

  • adopt and maintain incident response plans;
  • undertake cyber security exercises, potentially under Department observation, and subsequent self-evaluation;
  • undertake and report on vulnerability assessments; and
  • provide the Government with access to system information (excluding Personal Information) to allow Government to build a real-time threat picture.

Obligation to notify data service providers
Application / Key obligations and provisions
Applies to any responsible entity for any critical infrastructure asset.
  • Under section 12F(3), the responsible entity must take reasonable steps to notify providers of data storage and processing services if the services they provide relate to 'business critical data', as soon as practicable after becoming aware.
  • 'Business critical data' is very broadly defined as:
    • personal information (under the Privacy Act) relating to at least 20,000 individuals;
    • sensitive information (under the Privacy Act);
    • information relating to research and development in relation to a critical infrastructure asset;
    • information relating to systems needed to operate a critical infrastructure asset; and
    • information relating to risk management and business continuity in relation to a critical infrastructure asset.
  • Each contravention of this obligation attracts a civil penalty of up to $11,100.

Application to regulated sectors

The obligations under the Draft Bill apply to 11 'Critical Infrastructure Sectors' and apply in respect of specific 'critical infrastructure assets' designated within the sector.

Communications

Critical infrastructure sector

The 'communications sector' is defined as the sector of the economy that involves:

  1. supplying a carriage service; or
  2. providing a broadcasting service; or
  3. owning or operating assets used in connection with the supply of a carriage service; or
  4. owning or operating assets used in connection with the transmission of a broadcasting service; or
  5. administering an Australian domain system.

This definition aims to capture:

  • all entities involved in the supply, maintenance or operation of communication services and assets located in Australia; and
  • all entities involved in administering the Australian domain name system, specifically the .au namespace.

The definition is also intentionally flexible to accommodate evolving technology and infrastructure.

Critical Infrastructure Asset / Responsible entity

The Draft Bill introduces three types of critical infrastructure assets in the communications sector:

  1. A critical telecommunications asset includes:
    1. a telecommunications network or facility owned or operated by a carrier and used to supply a carriage service;
    2. a telecommunications network or asset owned or operated by a carriage service provider and used in connection with the supply of a carriage service.

    Responsible entity: The carrier that holds the carrier licence for the telecommunications network, or a carriage service provider, or another prescribed entity, as defined under the Telecommunications Act 1997.

    Carveout: The Department intends to implement a carve-out in the rules to ensure that the definition will not include Over-the-Top applications which operate over the top of this infrastructure (for example, Netflix and Skype).

  2. Broadcasting transmission (section 12E) – aims to capture the transmission and distribution infrastructure which Australian broadcasters rely on. This is defined as a radio communications transmitter, a broadcasting transmission tower, or an associated transmission facility, that is owned and operated by the same entity and:
    1. is operating from at least 50 different sites; or
    2. is located on a prescribed site.

    Further, the asset must be used, or be capable of being used, in connection with the transmission of a national, radio or television broadcasting service.

    Responsible entity is the owner or operator of the asset or another prescribed entity.

  3. Domain name systems (section 5) – this is defined as a system owned by an entity that:
    1. has been declared to be a 'manager of electronic addressing' by ACMA under section 474(1) of the Telecommunications Act 1997; and
    2. is used to administer an Australian domain name system.

    Note: the regulations may prescribe that specified systems are excluded.

    Responsible entity is the 'declared manager of electronic addressing' that is the subject of a determination under subsection 474(1) of the Telecommunications Act 1997, or another prescribed entity.

    In recognition of the current governance and oversight mechanisms, it is proposed that the Positive Security Obligation will remain dormant for this subsector.

System of national significance

No systems of national significance have been designated at this stage.

Data Storage and Processing

Critical infrastructure sector

The 'data storage and processing sector' is defined as the sector of the economy that involves providing commercial data storage (including data back-up) or processing services (section 5).

As well as capturing various kinds of data centres (enterprise data centres, managed services data centres, colocation data centres and cloud data centres), this definition also captures the different types of cloud services: infrastructure as a service (IaaS), software as a service (SaaS) and platform as a service (PaaS).

Critical Infrastructure Asset / Responsible entity

The definition of 'critical data storage or processing asset’ captures the physical infrastructure or computing platforms used primarily for storing or processing data on a commercial basis, where the entity knows that it is a direct supplier to:

  1. Australian Government clients;
  2. State and Territory government clients; or
  3. a responsible entity of a critical infrastructure asset, where the data or information is business critical data or information.

'Business critical data' is defined in the Draft Bill as:

  1. personal data that relates to at least 20,000 individuals or sensitive information (as defined in the Privacy Act 1988); or
  2. information relating to any research and development in relation to a critical infrastructure asset; or
  3. information relating to any systems needed to operate a critical infrastructure asset; or
  4. information relating to risk management and business continuity (however described) in relation to a critical infrastructure asset.

There is a corresponding obligation in section 12F(3) for responsible entities for critical infrastructure assets to notify their data storage and processing service providers where the services being provided relate to business critical data.

Responsible entity is the entity that is a data storage or processing provider to the end-users identified above; viz., the Commonwealth, State or Territory Government clients and other responsible entities for critical infrastructure assets (section 12L(4)).

System of national significance

No systems of national significance have been designated at this stage.

Defence

Critical infrastructure sector

The 'defence industry sector' means the sector that involves the provision of critical defence capabilities.

'Critical defence capability' includes the following: material, technology, a platform, a network, a system, and a service, that is required in connection with the defence of Australia or national security. This definition intends to exclude entities captured under other sectors in the Draft Bill (e.g. electricity or water).

Critical Infrastructure Asset / Responsible entity

A 'critical defence industry asset' is an asset that is, or will be, supplied by an entity to the Department of Defence, or the Australian Defence Force, under a contract; and consists of, or enables, a critical defence capability.

The definition of critical defence industry asset is intended to be a sub-set of the ‘critical military related goods, services and technologies’ identified in the context of the proposed reforms to the Foreign Acquisitions and Takeovers Regulations 2015; noting reforms to Australia’s foreign investment review framework are still subject to Parliamentary consideration.

A responsible entity is an entity that would be the authorised operator or supplier of critical defence industry assets (section 12L(22)).

System of national significance

No systems of national significance have been designated at this stage.

Financial Services and Markets

Critical infrastructure sector

The 'financial services and markets sector' is defined as the sector of the economy that involves:

  1. carrying on a banking business (defined in the Banking Act 1959);
  2. operating a superannuation fund (defined in the Superannuation Industry (Supervision) Act 1993);
  3. carrying on insurance business (defined in the Insurance Act 1973);
  4. carrying on life insurance business (defined in the Life Insurance Act 1995);
  5. carrying on health insurance business (defined in the Private Health Insurance Act 2007);
  6. operating a financial market (defined in Chapter 7 of the Corporations Act 2001);
  7. operating a clearing and settlement facility (defined in Chapter 7 of the Corporations Act 2001);
  8. operating a derivative trade repository (defined in Chapter 7 of the Corporations Act 2001);
  9. administering a financial benchmark (defined in Part 7.5B of the Corporations Act 2001);
  10. operating a payment system (defined in the Payment Systems (Regulation) Act 1998);
  11. carrying on a financial services business (defined in Corporations Act 2001); or
  12. operating a credit facility business (as defined in the Australian Securities and Investments Commission Regulations 2001).

Critical Infrastructure Asset / Responsible entity
  1. Banking assets as defined in s 12G of the SCI Act. The rules may prescribe specific assets that are critical to the carrying on of banking business by an authorised deposit-taking institution (ADI) and requirements for such assets.

    Proposed rules threshold: the Department is proposing a threshold that captures those banking entities with total assets above $50 billion. This threshold is likely to capture around 10 entities.

  2. Superannuation assets that are critical to the operation of a registrable superannuation entity, as defined in s 12J of the SCI Act.

    Proposed rules threshold: the Department is proposing a threshold that captures those superannuation entities with total assets above $20 billion. This threshold would capture approximately 30 superannuation entities.

  3. Insurance assets owned or operated by (and critical to the carrying on of) insurance business; or life insurance business; or health insurance business, as defined in s 12H of the SCI Act.

    Proposed rules threshold: the Department is proposing a threshold that captures:

    • insurance businesses that have total assets above $2 billion – likely around 15 businesses;
    • private health insurance businesses that have more than $0.5 billion in total assets – likely around 10 businesses; and
    • life insurance businesses with total assets above $5 billion – likely around 10 businesses.
  4. Financial market infrastructure assets (defined under s 12D of the SCI Act) as any of the following assets that are critical to the following components of the financial system:
    1. Domestic financial market: includes assets owned or operated by the holder of an Australian market licence that is incorporated in Australia or a related body corporate of that licence holder.

      Proposed rules threshold: the Department is proposing a threshold to capture a narrower cohort of the 11 Domestic (s 795B(1)) Tier 1 market licensees, to be determined by a turnover metric.

    2. Australian clearing and settlement facilities: includes assets owned or operated by the holder of an Australian clearing and settlement facility licence that is incorporated in Australia or a related body corporate of that licence holder and is critical to the operation of a clearing and settlement facility.

      Proposed rules threshold: the Department is proposing a threshold that would likely cover the four ASX Group clearing and settlement facilities.

    3. Benchmark administrators: includes assets owned or operated by the holder of a benchmark administrator licence that is incorporated in Australia or a related body corporate of that licence holder and is critical to the administration of a financial benchmark.
    4. Derivative trade repositories: includes assets owned or operated by the holder of an Australian derivative trade repository licence that is incorporated in Australia or a related body corporate of that licence holder and is critical to the operation of a derivative trade repository.

      Proposed rules threshold: the Department is proposing a metric to determine a threshold for criticality.

    5. Payment systems: includes assets that are critical to the operation of a critical payment system. Rules may prescribe attributes which, if present in a payment system, mean that such a payment system is critical to ensuring the security and reliability of the payment system.

The responsible entity for each of these critical infrastructure assets is the entity licensed or authorised to operate the asset, or any other entity prescribed by the rules in relation to the asset. For example, this approach would mean that the obligations in respect of a critical superannuation asset apply to a registrable superannuation entity, as defined under the Superannuation Industry (Supervision) Act 1993 (Cth), in addition to any other entity specified in the rules.

System of national significance

No systems of national significance have been designated at this stage.

Food and Grocery

Critical infrastructure sector

The 'food and grocery sector' is the sector of the Australian economy that involves manufacturing, processing, packaging, distributing, or supplying food or groceries on a commercial basis.

Carveout: the Department has noted that this definition is not intended to capture farming.

Critical Infrastructure Asset / Responsible entity

A 'critical food and grocery asset' is an asset or network that is used for the distribution or supply of food or groceries; and is owned or operated by an entity that is prescribed within the rules to be a critical supermarket retailer, critical food wholesaler or critical grocery wholesaler. The exact scope of those terms will be determined through industry consultation on the rules.

In practice, this means that if a supermarket (as prescribed within the rules) were to subcontract out the trucking of groceries from a warehouse to a supermarket, then the trucking portion of the food and grocery network would still be considered a critical food and grocery asset, even though it would not be directly operated by a critical retailer or wholesaler as prescribed by the rules.

The responsible entity for a critical food and grocery asset is the owner or operator of an entity declared by the rules to be a critical supermarket retailer, critical food wholesaler, or critical grocery wholesaler. Another responsible entity may also be prescribed by the rules if operated in relation to a critical food and grocery asset.

Carveout: The Department has noted that it does not consider other parts of the sector (for example, food manufacturing) to fall within the definition of critical food and grocery assets, as they are often disaggregated and, if disrupted, are unlikely to have a severe and widespread impact on the availability of food and groceries.

System of national significance

No systems of national significance have been designated at this stage.

Higher Education and Research

Critical infrastructure sector

'Higher education and research sector' means the sector of the Australian economy that involves:

  1. being a higher education provider (as defined in the Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act)); or
  2. undertaking a program of research that:
    1. is supported financially (in whole or in part) by the Commonwealth; or
    2. is relevant to a critical infrastructure sector (other than the higher education and research sector).

The sector definition captures 178 higher education providers that are registered with the Tertiary Education Quality and Standards Agency. This could include institutions that carry out medical research or institutions that own large-scale infrastructure.

For example, the sector definition seeks to capture those entities that have received financial assistance from the Australian Research Council or the National Health and Medical Research Council, and research activities that are relevant to the space or health sector.

Critical Infrastructure Asset / Responsible entity

'Critical education asset' means a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers (as established under the TEQSA Act).

Responsible entity: mirrors the definition of a critical education asset, being a registered higher education provider, or another entity that may be prescribed by the rules.

The effect of these definitions will be to:

  • impose positive security obligations on entire universities, rather than on particular assets owned by a university;
  • capture all 40 Australian owned and operated universities (excluding foreign universities); and
  • exclude private research institutions (although these may be captured in respect of other sectors).

System of national significance

No systems of national significance have been designated at this stage.

Health Care and Medical

Critical infrastructure sector

The definition is intentionally drafted broadly, so as to capture assets that are developed and become critical to the sector in the future.

'Health care and medical sector' means the sector of the Australian economy that involves the provision of health care, or the production, distribution or supply of medical supplies.

  • 'health care' is broadly defined to include services provided by individuals who practise in a list of professions or occupations, as well as treatment and maintenance as a patient at a hospital.
  • 'medical supplies' is similarly broad, and includes goods for therapeutic use, and other things specified in the rules.

The sector definition intends to capture:

  • physical, electronic and other assets that are involved in the provision of health care services (such as public health and preventive services, primary health care, emergency health services, hospital-based treatment, e-health services, pharmaceutical services, rehabilitation and palliative care, and diagnostic and imaging services);
  • assets involved in the production of medical supplies and devices, which includes products that support the provision of health care services (such as personal protective equipment and diagnostic equipment), pharmaceutical products and medicines, pacemakers and prosthetics.

Critical Infrastructure Asset / Responsible entity

A 'critical hospital' is defined as a hospital that has a general intensive care unit.

  • 'Hospital' has the same meaning as in the Private Health Insurance Act 2007.
  • 'General intensive care unit' is defined as an area within a hospital that is:
    1. equipped and staffed so it is capable of providing a patient with:
      1. mechanical ventilation for several days; and
      2. invasive cardiovascular monitoring; and
    2. is supported by:
      1. during normal working hours – at least one specialist or consultant physician specialising in intensive care, who is immediately available and exclusively rostered to that area; and
      2. at all times – at least one medical practitioner who is present in the hospital and immediately available to that area; and
      3. at least 18 hours each day – at least one nurse; and
    3. has admission and discharge policies in operation.

The responsible entity for a critical hospital is:

  1. if the critical hospital is a public hospital—the local hospital network that operates the hospital; or
  2. if the critical hospital is a private hospital—the entity that holds the licence, approval or authorisation (however described), under a law of a State or a Territory to operate the hospital; or
  3. if another entity is prescribed by the rules in relation to the hospital—that other entity.

Carveout: Digital infrastructure has been carved out of this definition on the basis that existing safeguards exist within legislation such as the My Health Records Act 2012.

System of national significance

No systems of national significance have been designated at this stage.

Transport

Critical infrastructure sector

The 'transport sector' means the sector of the Australian economy that involves the transport of goods or passengers on a commercial basis, or the owning or operating of assets used in connection with the transport of goods or passengers on a commercial basis (s 8E(10)).

The definition extends beyond the primary service of providing transport for goods or passengers on a commercial basis, to entities that own or operate assets used in connection with that service.

The definition is intended to capture the first link of the supply chain that enables the transport sector to function, recognising that disruption to those underlying assets can undermine the operation of Australia’s transport sector in a manner that damages Australia’s economic activity and national security.

Critical Infrastructure Asset / Responsible entity

Critical assets in the aviation and maritime sectors

There is currently no intention to apply the SCI Act positive security obligations to the aviation or maritime sectors. Instead, for the obligations to apply, a rule must be made by the Minister. This will allow sufficient time to amend both the Aviation Transport Security Act 2004 and the Maritime Transport and Offshore Facilities Security Act 2003 and will avoid duplicating industry regulatory requirements.

  1. 'critical port' includes the 20 maritime ports already identified as critical under section 11 of the current SCI Act.
  2. 'critical aviation asset' means assets owned or operated by an aircraft operator or a regulated air cargo agent where those assets are used in connection with the provision of an air service. This also includes assets owned and operated by an airport operator where those assets are used in connection with the operation of an airport.

    Critical freight infrastructure asset – road and rail corridors and intermodal transfer facilities

  3. A 'critical freight infrastructure asset' means a road or rail network that functions as a critical corridor for, or an intermodal transfer facility that is critical to, the transportation of goods between two states, between a state and a territory, between two territories, or between two cities or towns with populations of 10,000 or more.

    The responsible entity is defined to mean a Commonwealth, State or Territory, or a statutory authority established under a Commonwealth, State or Territory law, that is responsible for the management of the critical freight infrastructure asset.

  4. 'critical freight services asset' means a network used by an entity carrying on a business that is critical to the transportation of goods by road, rail, inland waters or sea.

    The responsible entity is the operator of the critical freight services asset, or any other prescribed entity.

  5. 'critical public transport asset' is a public transport network or system managed by a single entity that is capable of handling at least 5 million passenger journeys per month.

    The responsible entity is the single entity managing the critical public transport asset or any other prescribed entity.

System of national significance

No systems of national significance have been designated at this stage.

Energy

Critical infrastructure sector

The 'energy sector' is defined as the sector of the Australian economy that involves:

  1. the production, distribution or supply of electricity; or
  2. the production, processing, distribution or supply of gas; or
  3. the production, processing, distribution or supply of liquid fuel.

This definition reflects those functions that are critical to maintaining the ongoing availability of energy, essential to maintaining Australia’s security and economy.

Critical Infrastructure Asset / Responsible entity

  1. A 'critical electricity asset' is defined as:
    1. an electricity generation asset that is critical to ensuring the security and reliability of electricity networks or electricity systems in a state or territory;
    2. an asset that is a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers.

    Note that the existing Security of Critical Infrastructure Rules currently prescribe capacity thresholds for generation assets to determine whether an asset is critical to the security and reliability of electricity networks or electricity systems in a state or territory.

    The responsible entity for a critical electricity asset will continue to be defined as the entity that holds the licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory to provide the service to be delivered by the asset – or, where another entity is prescribed by the rules in relation to the asset, that other entity.

  2. A 'critical gas asset' is defined as:
    1. a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the rules; or
    2. a gas storage facility that has a maximum daily withdrawal capacity of at least 75 terajoules per day or any other quantity prescribed by the rules; or
    3. a network or system for the distribution of gas to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules; or
    4. a gas transmission pipeline that is critical to ensuring the security and reliability of a gas market, in accordance with subsection (2).

    Gas is defined as a substance that:

    1. is in a gaseous state at standard temperature and pressure; and
    2. consists of naturally occurring hydrocarbons, or a naturally occurring mixture of hydrocarbons and non-hydrocarbons, the principal constituent of which is methane; and
    3. is suitable for consumption.

    The responsible entity for a critical gas asset will continue to be defined as the entity that holds the licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory to provide the service to be delivered by the asset – or, where another entity is prescribed by the rules in relation to the asset, that other entity.

  3. A 'critical liquid fuel asset' means:
    1. a liquid fuel refinery that is critical to ensuring the security and reliability of a liquid fuel market; or
    2. a liquid fuel transmission pipeline that is critical to ensuring the security and reliability of a liquid fuel market (a threshold for pipelines with a minimum pressure of 2500kPag is proposed to be included in the rules); or
    3. a liquid fuel storage facility that is critical to ensuring the security and reliability of a liquid fuel market.

    These definitions will capture liquid fuel refineries, pipelines and storage facilities. Distribution pipelines are critical for inter-city distribution and for movement from refineries and ports to terminals.

    The responsible entity for a critical liquid fuel asset is:

    1. if the asset is a liquid fuel refinery – the relevant fuel industry corporation as defined by the Liquid Fuels Emergency Act 1984 that operates the asset;
    2. if the asset is a liquid fuel pipeline – the operator of the pipeline;
    3. if the asset is a liquid fuel storage facility – the operator of the facility;
    4. if another entity is prescribed by the rules in relation to the asset—that other entity.

  4. A 'critical energy market operator asset' means an asset that:
    1. is used by the Australian Energy Market Operator Limited (AEMO), Power and Water Corporation, Regional Power Corporation (Horizon Power - ABN 57 955 011 697) or Electricity Networks Corporation (Western Power - ABN 18540492861); and
    2. is critical to ensuring the security and reliability of an energy market.

    The responsible entity for a critical energy market operator asset is defined as the entity that uses the asset.

System of national significance

No systems of national significance have been designated at this stage.

Space Technology

Critical infrastructure sector

The 'space technology sector' is the sector that involves the commercial provision of space-related services, and reflects those functions that are critical to maintaining the supply and availability of space-related services in Australia.

For example, this would include those assets, functions and components enabling the operation of a space service or activity, including:

  1. position, navigation and timing in relation to space objects;
  2. space situational awareness services;
  3. space weather monitoring and forecasting;
  4. communications, tracking, telemetry & control in relation to space objects;
  5. remote sensing earth observations from space;
  6. facilitating access to space.

Critical Infrastructure Asset / Responsible entity

A 'critical space technology asset' is not specifically defined in the Draft Bill, as most of these assets are likely to already be covered under the communications sector.

Additional assets may be prescribed by the Minister under sections 9 and 51 of the SCI Act.

As such, the relevant responsible entity is the responsible entity for a 'critical telecommunications asset'. See the Communications sector notes above.

System of national significance

No systems of national significance have been designated at this stage.

Water and Sewerage

Critical infrastructure sector

The 'water and sewerage sector' is defined as the sector of the Australian economy that involves operating water or sewerage systems or networks.

The definition intends to capture wastewater, potable water, raw water and recycled water, and will therefore include desalination plants, water utilities and bulk water providers.

Critical Infrastructure Asset / Responsible entity

The definition of a 'critical water asset' under the SCI Act remains unchanged, and means one or more water or sewerage systems or networks managed by a single water utility, which ultimately deliver(s) services to at least 100,000 water or sewerage connections.

This captures approximately 29 water and sewerage systems or networks.

The responsible entity means the entity that holds a licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide the service to be delivered by the critical water asset.

The Minister for Home Affairs may choose to designate additional assets that fall below the 100,000 connection requirement but are considered critical for electricity generation or for other purposes.

System of national significance

No systems of national significance have been designated at this stage.