Operators of Australia's “highest-risk” electricity, water, gas and port infrastructure will have six months to detail their IT environments to the federal government under new powers introduced this week.
The Security of Critical Infrastructure Act 2018 came into force on Wednesday following a three-month implementation period.
It introduces new measures to secure around 165 of the “highest-risk critical infrastructure assets” and their operators nationwide against hacking, espionage, sabotage and coercion from foreign actors.
The bill, which passed through parliament in March, forces owners and operators to provide information to government about who owns and controls their assets.
This includes any outsourcers or offshore providers, and the level to which the critical infrastructure operator can access their own networks and systems.
The government is particularly interested in any industrial control systems, data holdings, security systems and corporate systems that are outsourced or offshored.
Operators have been given until 11 January 2019 to report information to the critical infrastructure assets register.
Any changes to this information are also required to be reported within 30 days of the changes occurring.
While owners and operators have been given a six-month grace period for reporting, ministerial and information gathering powers are now in play.
These powers allow government to direct asset operators to fix any perceived security holes or request specific information such as procurement plans, contracts, and tender documentation.
Telcos are exempt from the new powers, but are covered by the separate telecommunications sector security reforms (TSSR) passed late last year.
Minister for Home Affairs Peter Dutton dubbed the new powers an “essential step” towards addressing complex national security risks.
“While foreign involvement in Australia’s infrastructure and economy is welcomed, it does mean our critical infrastructure assets are potentially more exposed than ever,” Dutton said.
“The Act establishes a register, providing government visibility of who owns and controls the highest-risk critical assets and is based on public consultations involving more than 300 owners and operators and state governments.”