The Federal Department of Home Affairs has announced that it is more than doubling the number of critical infrastructure assets declared to be Systems of National Significance, from 81 to a total of 168 assets or facilities.
The declaration recognises the facilities as Australia’s most vital critical infrastructure assets, which underpin the country’s social and economic stability, defence and national security. Being declared as such means the government can apply a robust set of enhanced cyber security obligations to the owners and operators.
In February 2023, the government announced the establishment of the Critical Infrastructure Risk Management Program, and owners and operators of critical infrastructure assets were given six months to establish risk management programs in consultation with the Department of Home Affairs.
Devised by the Cyber and Infrastructure Security Centre (CISC), the obligations of critical infrastructure business owners include developing response plans to cyber security incidents, undertaking cyber security exercises to build cyber preparedness, undertaking assessments to identify and fix vulnerabilities, and providing system information to the Australian Signals Directorate (ASD) so that it may develop and maintain a near real-time threat picture.
Although the announcement didn’t specify which assets the declaration covers, the 2023 Critical Infrastructure Resilience Strategy defines them as “physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security”.
“These are the assets and services that underpin our society and on which we rely for our everyday business and lives,” it says.
“Our national security, economy and general wellbeing can be negatively impacted if any of our critical infrastructure is damaged and unavailable, owing to, for example a natural disaster, terrorist attack or interference from a foreign actor.”
The 2023 Critical Infrastructure Resilience Strategy was established to work with critical infrastructure entities and all levels of government to enhance the security and resilience of Australia’s critical infrastructure.
It says examples of critical infrastructure include communications hubs and facilities, financial services and markets, data storage or processing hubs, defence industry facilities, higher education and research facilities, energy production plants and distribution hubs, food and grocery distribution, health care and medical facilities, space technology manufacturing and research and development, transport hubs, water storage and sewerage plants.
It is therefore reasonable to assume that a large number of Systems of National Significance are located in and around the Canberra region.
“We are relentlessly focused on safeguarding our country against significant cyber-attacks, but it’s not something we can do alone,” Home Affairs Minister Clare O’Neil said in an 8 September release.
“I want to thank the owners and operators of Systems of National Significance for helping make Australia the most cyber secure country in the world,” she added. “The protection of our critical infrastructure is a shared responsibility, and these declarations will help to build vital partnerships with the owners and operators of our most important assets.”