Australia's utilities, ports have to detail IT choices to the govt

Operators of Australia's electricity, water, gas and port infrastructure will be forced to detail their IT environments to the government under new legislation passed by the parliament last night.

The Security of Critical Infrastructure Bill 2018 [pdf] was first introduced in December and passed through both houses of parliament last night with a number of small amendments.

The bill is intended to secure Australia's critical infrastructure against espionage, sabotage and coercion from foreign actors.

It forces 160 utilities and ports operators to detail to the government information about who owns and controls their assets.

This includes any outsourcers or offshorers, and the level to which the critical infrastructure operator can access their own networks and systems.

Of "particular interest" to the government are outsourced or offshored industrial control systems, data holdings, security systems, and corporate systems, according to the bill's explanatory memorandum [pdf].

Operators will have six months from today to hand over this information to the government. The data will be contained within a register of critical infrastructure assets.

They are also required to update the government on any changes to this 'interest and control information' within 30 days of the changes occurring.

A "secure web portal" will be built to make it easy for the operators to report to government.

The law gives the government the power to direct asset operators to fix any perceived security holes.

It also allows the government to request specific information such as procurement plans, contracts, and tender documentation.

The government had argued that its ability to obtain information on how the critical infrastructure sector operates - and to therefore determine any vulnerabilities that may exist - had been limited predominantly to poring through applications to the Foreign Investment Review Board.

"[The government] cannot undertake a comprehensive risk assessment without understanding how the asset and sector operates and where there may be vulnerabilities," it said.

"It is essential to have a detailed understanding of who owns, controls and has access to a particular asset.

"Disruption of critical infrastructure sectors can have a serious impact on Australia’s national and economic security, both in terms of immediate costs incurred and long-term sector vulnerability."

The legislation does not cover telcos; the government passed legislation in the same vein - known as the telecommunications sector security reforms (TSSR) - specific to the sector late last year.