Minister for Home Affairs releases rules and Strategy for critical infrastructure assets

February 21, 2023

Australia has had legislative proscriptions relating to security and reporting obligations in particular defined critical infrastructure industries for some time. Australia has adopted a legislative structure similar to that adopted in other jurisdictions such as the United States.  The legislation is quite detailed, almost a code.  There is a need for this form of regulation.  Critical infrastructure is invariably networked and vulnerable to attack.  That vulnerability is caused by the development of systems servicing infrastructure over a long period where cyber security was unsophisticated.  Mergers and changes of strategy over the years often lead to information systems which were cobbled together with many weaknesses.  Many organisations put little effort and money into upgrading cyber security until relatively recently.

It is important for privacy practitioners to be familiar with this legislation.

Today the Minister for Home Affairs, Clare O’Neil, released the Risk Management Program rules and Critical Infrastructure Strategy.

The media release provides:

Australia’s critical infrastructure assets will be better protected following commencement of the Risk Management Program (RMP) obligation – a set of rules designed to strengthen the resilience of critical infrastructure and essential services vital to the security, prosperity and sovereignty of Australia.

Minister for Home Affairs and Minister for Cyber Security Clare O’Neil said critical infrastructure assets are vulnerable to natural disasters and attractive targets for foreign interference, cyber criminals and other malicious actors who seek to do Australia harm.

“As a nation we must continue to ensure the security of our essential services – things such as energy and water, food, health care, transport, supply chains and communications – and to protect them from a range of threats, including cyber, physical, personnel, supply chain and natural hazards,” Minister O’Neil said.

“The RMP rules will strengthen the resilience of essential services by embedding preparation, prevention and mitigation activities into standard business practices, and provide responsible entities greater situational awareness of threats to critical infrastructure.”

The RMP rules are the third and final positive security obligation legislated in recent amendments to the Security of Critical Infrastructure Act 2018. This obligation requires responsible entities to consider the hazards they may face as a business, and take tangible steps to manage risks to operations of critical infrastructure assets. Now that all three obligations have been switched on, Australians will benefit from world leading protection.

As part of this comprehensive suite of measures to enhance the security and resilience of critical infrastructure, the Government has also launched an updated Critical Infrastructure Resilience Strategy.

The Strategy provides a roadmap for protecting essential services and assets – everything from electricity and water, to healthcare and groceries. Accompanying the Strategy is a Critical Infrastructure Resilience Plan, setting out how the Strategy’s objectives will be delivered.

The Strategy and Plan enshrine continued partnership and close engagement between industry and government, empowered by the Trusted Information Sharing Network, to collaboratively uplift the security and resilience of Australia’s critical infrastructure.

The Strategy has three key objectives:

    • Support critical infrastructure owners and operators to effectively manage risks through mature risk based and resilience approaches
    • Deliver initiatives through strong industry-government partnerships
    • Support critical infrastructure owners and operators to strengthen their security and resilience through regulatory frameworks, and improved collaboration

“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty,” Minister O’Neil said.

“We need to ensure our critical infrastructure security arrangements keep pace with the evolving threat environment and continue to deliver the essential services we all rely on.”

The Rules and Strategy are found at the Cyber and Infrastructure Security Centre.
