Second critical infrastructure security bill enters parliament

Contains power to declare entities “systems of national significance”.

The federal government has introduced the remainder of its proposed critical infrastructure security reforms to parliament, after splitting a previous bill to get urgent cyber incident intervention powers across the line.

Home Affairs Minister Karen Andrews introduced the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 on Thursday.

It comes 10 days after the consultation period closed and just four days after the Department of Home Affairs held a final 'town hall' meeting to discuss feedback with industry.

The bill is the result of the Parliamentary Joint Committee on Intelligence and Security's (PJCIS) decision to split the Security Legislation Amendment (Critical Infrastructure) Bill in half last year.

A cut-down version of that bill, which contained last resort powers that would allow the government to intervene to contain a cyber attack on critical infrastructure, was “swiftly” passed in November.

In doing so, the government left out “less urgent measures” such as enhanced cyber security obligations for critical infrastructure assets it deems to be of national significance.

It began consulting on the new Security Legislation Amendment (Critical Infrastructure Protection) Bill in mid-December to address these outstanding reforms.

Nationally significant critical infrastructure assets will be required to undertake “one or more prescribed cyber security activities” such as cyber security exercises and vulnerability assessments.

The Home Affairs Minister of the day will be able to declare critical infrastructure assets as systems of national significance.

There may also be instances where an entity that operates a system of national significance needs to “install and maintain a specified computer program in limited circumstances”.

According to the explanatory memorandum [pdf], the government regards this as a “last resort” power, and has a “strong preference” for entities to provide information using their own capabilities.

The bill will also require “certain critical infrastructure assets” to “adopt, maintain and comply with” an all-hazards critical infrastructure risk management program.

If the bill passes, the government said the food, grocery and transport sectors will be exempt until at least January 2023 while they are dealing with ongoing disruption caused by the pandemic.

Andrews said the reforms were necessary given the increasing cyber security threat to essential services.

“The best approach to protecting our critical infrastructure from attack is partnership between business and government to ensure the businesses that provide essential services to Australians can be resilient and respond to evolving threats,” she said.

“Our sovereignty, economy and security depends on protecting our critical sectors including water and sewerage, financial services, food and grocery, energy and other sectors that sustain our prosperous way of life.”
