Many Australian businesses are now subject to strict 12-hour cyber incident reporting requirements under a series of amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act).
The new requirements, which took effect on 8 July, apply to cyber attacks which impact any "critical infrastructure assets", as defined under the newly introduced Critical Infrastructure Bill.
Whereas the SOCI Act previously categorised assets under "critical asset classes" across four different sectors, such as gas, electricity, water and ports, the legislation now expands to 11 sectors.
Some of the new sectors and asset classes that fall under the amended SOCI Act include education, data storage or processing, food and grocery, financial services and transport.
In total, there are 22 specific critical asset classes outlined in the amended legislation, leaving many business owners concerned they may be unknowingly subject to security and reporting requirements under the recent changes.
A business is subject to the 12-hour time frame after it becomes aware of a critical incident, such as ransomware or unauthorised access to an asset.
Pressure on small businesses
The changes introduced by these amendments also have the capacity to impact many small businesses, who are often less equipped to adequately identify and secure their assets compared to larger enterprises.
Failure to notify the Australian Cyber Security Centre (ASCS) within 12 hours of becoming aware of an incident may leave businesses facing fines starting from $11,100.
Some companies reported having received a letter from the Department of Home Affairs which indicated that an asset of theirs had been identified under the new amendments.
However, said letter did not explicitly specify which particular asset(s) were identified under the new amendments.
Mark Culhane, small business owner and Chief Technology Officer of IT services and consulting company Security Shift, said he "can understand why there may be resistance to additional requirements on businesses, particularly with reasonably loose definitions”.
"That being said – there is clearly an increase in the targeting of critical infrastructure in both the conflicts and crimes occurring around the world at present." he added.
Attacks against infrastructure
Cyber security experts have predicted an increase in attacks against critical infrastructure for years, and the past 18 months have seen alarming trends in Australia.
In the financial year 2020-21, where ACSC saw cyberattacks being reported at an average of once every eight minutes, 25 per cent of a collective 67,500 reports were linked to Australia's critical infrastructure and essential services.
And at a global level, an alleged 80 per cent of critical infrastructure organisations suffered at least one ransomware attack in 2021.
Some of the most notable attacks in recent memory include a ransomware incident that impacted over 80,000 SA govt employees, the JBS Food incident which disrupted
Australian food supply chains (and culminated in a $14.2 million pay-out), and of course, the Australian Parliament breach of 2019 which was widely attributed to state actors from China.
Australia invests in security
The amendments to the SOCI Act are linked to the Department of Home Affairs' Critical Infrastructure Resilience Strategy, an initiative aimed at "enhancing the security and resilience of Australia’s critical infrastructure assets so they continue to operate in an all-hazards environment."
Last month, Parliament appointed Clare O’Neil as the federal Minister for Cyber Security.
Furthermore, these changes to the SOCI Act have arrived soon after an unprecedented, $9.9 billion commitment towards cyber security by the Australian Government.
Given recent trends in cyber crime and cyber warfare, these federal investments into cyber security indicate the Australian Government is taking a clear priority towards national cyber security in the new decade.
"The protection of our nation's critical infrastructure needs to be driven by Government policy and regulation," said Culhane.
"Whilst no policies are perfect, the Critical Infrastructure Resilience Strategy that Home Affairs is pursuing makes sense to me so far."
Despite the apparent struggle these legal changes may cause for small business owners, the SOCI Act amendments are primarily centred around awareness of an incident, according to the Home Affairs reporting manual.