Using national security laws passed by the Coalition for the protection of essential services, Minister O’Neil has designated 82 of the most sensitive critical infrastructure assets, companies and institutions critical to the Australian economy, including energy, utilities, communications, banking, healthcare and education operations, which will receive bolstered protection from foreign cyber attacks.

Under the laws passed in December 2021 and April 2022, the minister can declare a system of national significance if compromise, disruption or major damage would affect Australia’s security, economy and sovereignty.

Managed by 38 different entities, the assets cannot be publicly named under the laws. The group is considered the most susceptible to attack from malicious cyber threats and interference, coming amid a deteriorating global threat environment in the wake of the COVID-19 pandemic.

VIEW ALL

According to The Australian, the assets protected by the new designation keep everyday life and economic activity ticking. Often overlapping and with interdependencies, even temporary loss of such systems could lead to death, communications chaos and economic disruption.

“We need to build resilience in our essential services, things such as energy and water, health care, education, supply chains and communications, to protect them from a range of threats, including cyber, physical, personnel, supply chain and natural hazards,” Minister O’Neil explained.

“Australians deserve a government that provides them resilience, reassurance and safety in how we guard our sovereignty and protect our national life.”

“Instead, our national conversation on these matters has been characterised by anxiety, vitriol, and confusing chest-beating with strength,” Minister O’Neil said.

Companies and owners behind the systems, including major Australian and multinational firms, have been alerted to the new designations and associated responsibilities.

The specific declaration of a system of national significance and any supporting documentation is protected information under the law and cannot be shared publicly.

“While there are clear threats to our critical infrastructure, particularly cyber threats, by embedding preparation, prevention and mitigation activities through a risk management program we will build resilience, not only for individual assets, but also our whole society,” Minister O’Neil said.

System operators have increased responsibilities to protect against malicious activity. They can be required to provide systems information to the Australian Signals Directorate for the purposes of threat identification and to maintain emergency response plans and test for threats.

Special “switch on” powers also exist, and existing sector regulators can be called on to monitor risk management activities.

The Australian Cyber Security Centre (ACSC) can provide private and public sector organisations with expert advice in preventing, managing and mitigating attacks and use external data to create an aggregated threat picture for Australian entities.

The bolstered-up defensive safeguards come as Russia’s invasion of Ukraine and the targeting of networks in Taiwan amid China’s growing military aggression add to a worsening threat landscape. Australia’s national security and intelligence agencies monitor attacks and say a cyber incident is reported about every eight minutes in Australia, while threats to critical infrastructure are reported every 32 minutes on average.

Requirements for the ACSC to be notified of cyber incidents came into force on 8 July this year. Operators of electricity, gas, ports, water and sewerage assets must report significant breaches within 12 hours of an attack.

Since critical infrastructure assets have been deemed “systems of national significance” under the law, the government will offer greater protection in the form of technical assistance but obliges operators to share details of attacks as quickly as possible. Federal agencies can then improve threat tracking or cyber attacks, including ransomware, across the economy using the information.

“These declarations support the continued availability and integrity of assets, which are the most crucial and interdependent to Australia’s economic, social and national security.

“These measures will boost Australia’s collective cyber defences and ensure that the community and economy remain protected through a regulatory program based on education, threat mitigation and timely advice in partnership with industry,” Minister O’Neil said.