About 100 operators of critical electricity, water and port infrastructure in Australia may be forced to detail their IT security postures and outsourcers to the government under new rules proposed today.
The data would be collated in a register of critical assets, and the government would have the power to direct asset operators to fix any perceived security holes.
The rules were first flagged earlier this year, and following a period of consultation have now been laid out formally in an exposure draft of the bills published by the Attorney-General’s department today.
The government is concerned that foreign ownership or involvement in Australia’s critical infrastructure could provide a pathway for “espionage, sabotage and coercion”.
The government said it currently had limited oversight of foreign influence on critical infrastructure assets. It does not want to discourage such investments, but wants more than operator assurances that assets are properly protected.
The government isn’t only concerned about the owners or investors: it is also worried about outsourced providers being used as vectors for attacks.
Earlier today, the government separately revealed a contractor to Australian Defence agencies had been breached and data was stolen.
“The national security risks to critical infrastructure are complex and have continued to evolve over recent years,” the government said.
“Rapid technological change has resulted in critical infrastructure assets having increased cyber connectivity, and greater participation in, and reliance on, global supply chains with many services being outsourced and offshored.
“Arrangements of particular interest for the government include the outsourcing or offshoring of industrial control systems and security or corporate systems.”
Comments on the draft bills close on November 10.