2 May 2025
Raising a shield against increased threats to critical infrastructure – SOCI Act amendments take effect
Key Points
- The SOCI Amendment Act has taken effect, responding to the heightened threat environment faced by critical infrastructure and crystallising reforms foreshadowed in the 2023-2030 Australian Cyber Security Strategy.
- Security of data storage systems: Where responsible entities own or operate a data storage system that stores or processes “business critical data” and meets other criteria set out in new s 9(7), that data storage system is deemed to form part of their primary critical infrastructure asset. Responsible entities should take note that any SOCI Act obligations applying to their primary critical infrastructure asset will also now extend to that data storage system.
- Secrecy / disclosure regime: The secrecy (restricted use and disclosure) regime under the SOCI Act has been revised, so that it applies only to “relevant information” (broadly, documents or information obtained, generated or adopted under or in complying with the SOCI Act) that is also “protected information” – namely, where the disclosure would or could reasonably be expected to cause specified harms, or where the information is an entity’s confidential commercial information. Policies, procedures and systems for the management of protected information / relevant information should be updated to reflect these changes.
- Expansion of Government ‘last resort’ powers: Federal Government powers to authorise information gathering directions and/or action directions have been expanded from cyber incidents to also capture non-cyber incidents (e.g., natural disasters or physical attacks).
- Seriously deficient critical infrastructure risk management programs (CIRMPs): Responsible entities can be subject to directions to vary their CIRMPs if seriously deficient (that is, where a deficiency poses a material risk to national security, the defence of Australia, or the social or economic stability of Australia or its people). Responsible entities should reassess the robustness of their CIRMPs in view of this increased scrutiny and enforcement tool.
- Critical telecommunications assets: Security requirements in the Telecommunications Act and SOCI Act will be consolidated into the latter. Responsible entities for critical telecommunications assets should keep abreast of whether enhanced obligations, including the security obligations in Part 2D of the SOCI Act, will be switched on for them through the upcoming TSRMP Rules (currently in the draft stage).
- SoNS: Notification obligations in relation to direct interest holders of SoNS have ceased. However, responsible entities must still notify the Secretary of the Department of Home Affairs if they cease to be the responsible entity for a critical infrastructure asset declared to be a system of national significance.
The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Act 2024 (Cth) (SOCI Amendment Act) has taken effect, bringing with it important amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act).
The amendments give effect to one of the six cyber shields, identified by the Australian Government in its 2023-2030 Australian Cyber Security Strategy, aimed at ensuring critical infrastructure and essential systems can endure and recover from cyber attacks. The changes also address various gaps identified in the current SOCI Act, with the aim of strengthening the security and resilience of critical infrastructure and bringing Australia in line with international best practice.
As is evident from the Department of Home Affairs’ Critical Infrastructure Annual Risk Review for 2024, the risk landscape for critical infrastructure remains challenging, with cyber hazards (malicious and inadvertent), foreign interference and the impacts of both global conflicts and domestic natural disasters being significant factors for increasingly interconnected industries, systems and networks.[1]
In this article, we outline what to expect from the latest amendments, applicable timelines, and our recommended priority areas of focus for entities responsible for critical infrastructure.
WHO IS IMPACTED?
The SOCI Act covers 11 sectors (energy, communications, data storage or processing, financial services and markets, water and sewerage, health care and medical, higher education and research, food and grocery, transport, space technology and the defence industry).
Importantly, as highlighted in our previous article here, not all businesses or assets within these 11 critical sectors are subject to obligations under the SOCI Act regime. The regime, or indeed parts of it, will apply if an asset is either a “critical infrastructure sector asset” or a “critical infrastructure asset”, which is in turn dependent on definitions and other provisions under the SOCI Act, applicable rules and/or any relevant Ministerial declarations in force. Under this regime, depending on the extent to which obligations have been ‘switched on’ to date, different obligations apply to different sectors and to the assets within them, reflective of perceived threat levels and security postures.
WHAT TO EXPECT?
There are six key amendments that have passed into law by virtue of the SOCI Amendment Act, which received Royal Assent on 29 November 2024. While most amendments have commenced with effect from 20 December 2024, certain provisions relating to critical telecommunications assets have a deferred start date into 2025.
Related amendments to legislation subordinate to the SOCI Act (in the form of rules) have been foreshadowed for 2025.
(1) Data Storage Systems
The definition of “critical infrastructure asset” under SOCI Act s 9 has been expanded to include “data storage systems that store or process business critical data”, where four criteria are met.
“Business critical data” retains its existing definition (including, broadly, information needed to operate a critical infrastructure asset, information relating to a critical infrastructure asset’s operational systems, information relating to risk management and business continuity or research and development, or personal information relating to at least 20,000 individuals).
Under the newly introduced s 9(7), a data storage system will be taken to be part of a primary critical infrastructure asset if the following requirements are satisfied:
- the data storage system is owned or operated by the responsible entity for the critical infrastructure asset;
- the data storage system is used (or is to be used) in connection with the critical infrastructure asset;
- the data storage system stores or processes business critical data (whether exclusively or otherwise); and
- where there is a material risk that a hazard could have an impact on the data storage system, there is also a material risk that the hazard could have a “relevant impact” (as defined in s 8G of the SOCI Act) on the critical infrastructure asset.
The need for these changes arises from the increasing trend of cyber attacks on non-operational data storage systems held by critical infrastructure entities, which can hold large quantities of both personal information and business critical data.[2] A balance has been struck, however, to impose regulation of such systems under the SOCI Act to the extent that vulnerabilities in a secondary system could put critical infrastructure at risk. Systems that might be caught include “data storage systems that hold business critical data where there is inadequate network segregation between information and operational technology systems, or data storage systems that hold operational data such as network blueprints, encryption keys, algorithms, operational system code, and tactics, techniques and procedures”.[3]
Going forward, the responsible entity for a primary critical infrastructure asset will need to ensure that any applicable data storage systems are taken into account in the course of discharging its compliance obligations under the SOCI Act. For example:[4]
- Information required for the Register of Critical Infrastructure Assets under Part 2 must extend to relevant data storage systems.
- Critical infrastructure risk management programs (CIRMPs) under Part 2A must cover relevant data storage systems.
- Notification obligations under Part 2B will extend to relevant data storage systems (such as a cyber attack with a relevant impact on a data repository).
Timeframe: These amendments commenced on 20 December 2024. Associated amendments to the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 are also expected in 2025, to explicitly require entities to identify and manage risks to their data storage assets as part of their CIRMP.
(2) Secrecy / Disclosure Regime: New Harms-Based Test and Authorisations
Following industry feedback on difficulties with the existing regime under the SOCI Act for secrecy / disclosure of information, these provisions have been significantly revised to reduce the burden on entities in the ordinary conduct of their business, while improving intra-government sharing of information.
New Definitions
A new harms-based test has been introduced, alongside a new definition for “protected information” and the new concept of “relevant information”. Protections have also been included for “confidential commercial information”.
Under the new s 5A of the SOCI Act, the restricted use and disclosure regime only applies to “relevant information” (broadly, documents or information obtained, generated or adopted under or in complying with the SOCI Act, with a non-exhaustive list provided) to the extent that it is also “protected information”, defined as either:
- meeting a harms-based test: its disclosure would or could reasonably be expected to prejudice national security, the defence of Australia, the social or economic stability of Australia or its people, or the availability, integrity, reliability or security of a critical infrastructure asset; or
- confidential commercial information: it is or contains information relating to trade secrets, or other information that has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if it were communicated.[5]
The inclusion of confidential commercial information as protected information is intended to give entities comfort that the Government will handle their commercially sensitive information in the same way as it treats sensitive security information.[6]
Authorised Use and Disclosure
An entity will continue to commit an offence under the SOCI Act for unauthorised use or disclosure of protected information (as newly defined). The existing authorisations and exceptions largely remain intact, subject to some minor amendments and changes to improve information sharing and handling within Government.
There are however three new authorised circumstances of note, whereby relevant entities for a critical infrastructure asset may record, use or disclose protected information:
- For a purpose relating to the continued operation of the critical infrastructure asset.[7]
- To mitigate a risk to the availability, integrity, reliability or security of the critical infrastructure asset.[8]
- For the entity’s business, professional, commercial or financial affairs, (provided the protected information was obtained, generated or adopted by the entity for the purpose of complying with the SOCI Act).[9]
These changes will facilitate the manner in which responsible entities conduct their affairs and use or disclose information in the ordinary course of business. They will also enable more timely communications and mitigation of risk in urgent situations.
Timeframe: These amendments commenced on 20 December 2024.
(3) Expansion of ‘Last Resort’ Government Powers
Currently, the three Government powers under Part 3A of the SOCI Act for the giving of information-gathering directions, action directions and requests for intervention by the Australian Signals Directorate (ASD) apply in relation to “serious cyber security incidents”.
In the case of the first two (the giving of directions to a relevant entity to provide information, or to do or refrain from doing something), these powers will now be exercisable in the event of “serious incidents” which have a relevant impact on one or more critical infrastructure assets. This captures non-cyber incidents, such as bushfires, floods or other natural disasters or physical attacks. So long as there is a relevant impact (namely, a direct or indirect impact on a critical infrastructure asset’s availability, integrity, reliability or associated confidentiality), ‘all-hazards’ incident types (including cyber and information security, physical security, natural, personnel and supply chain hazards) will be caught.
The existing safeguards remain in place, such that before the Minister for Home Affairs can authorise the issuance of an information-gathering or action direction, there must be (among other criteria):
- relevant impact(s) on one or more critical infrastructure asset(s);
- a material risk of serious prejudice to the social or economic stability of Australia or its people, the defence of Australia, or national security; and
- no existing regulatory system that can provide a practical and effective response to the incident.
An additional safeguard has been introduced, requiring authorisation by the Attorney-General (as the Minister responsible for the Privacy Act 1988 (Cth)) for any action direction that involves disclosing personal information.[10]
Intervention powers by the ASD (e.g., to modify, restore, copy, remove or delete an entity’s data, computers, devices or programs) remain limited to cyber security incidents, in acknowledgment that such powers would not be appropriate in responding to non-cyber incidents such as natural disasters.[11]
Timeframe: These amendments commenced on 20 December 2024.
(4) Remedy of Seriously Deficient Risk Management Programs
Under new s 30AI of the SOCI Act, responsible entities may be directed to vary CIRMPs which suffer from one or more serious deficiencies. A “serious deficiency” is defined as one that poses a material risk to national security, the defence of Australia, or the social or economic stability of Australia or its people.
Before issuing such a direction, the relevant official must engage in a collaborative process with the responsible entity, giving notice of the deficiencies and allowing 14 days for a written submission to be provided. The official must have regard to any written submission, and any action taken or proposed to be taken, as communicated within that 14-day period.
Any direction that is subsequently issued must identify the serious deficiencies, require the responsible entity to vary its CIRMP to address those deficiencies, and specify a period (of at least 14 days) for this to occur. Failure to comply with a direction will attract a civil penalty of up to 250 penalty units (currently, $82,500).
Those entities given a direction under the new powers will be required to include, in their annual reporting on their CIRMP under s 30AG, a statement setting out the content of the direction and how their CIRMP was varied in response.
Timeframe: These amendments commenced on 20 December 2024.
(5) Security Requirements for Critical Telecommunications Assets
The amendments will simplify regulatory arrangements by consolidating security requirements that are currently dispersed across the SOCI Act and the Telecommunications Act 1997 (Cth) (Telecommunications Act). The existing obligations in the Telecommunications Act will be uplifted into, and enhanced within, the SOCI Act.
A “critical telecommunications asset” will be defined as a telecommunications network that is owned or operated by a carrier or a carriage service provider and used to supply a carriage service or any other asset that is owned or operated by a carrier or a carriage service provider and used in connection with the supply of a carriage service.[12] These assets will not necessarily be confined to the telecommunications sector, but may also span industries from space technology to electricity, defence, freight and more – e.g., satellites, submarine cables or data storage or processing assets.
Enhanced security obligations for critical telecommunications assets will be found in new Part 2D of the SOCI Act. However, these heightened obligations will not apply as a matter of course, but will only apply to certain critical telecommunications assets prescribed by new Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2024 (TSRMP Rules). The TSRMP Rules are currently being developed and have been foreshadowed for early 2025.[13] The TSRMP Rules are also expected to mandate bespoke requirements for CIRMPs for a prescribed sub-set of critical telecommunications assets, reflecting telecommunications-specific risks.
Key provisions in new Part 2D include:
- Section 30EB: For the purposes of security and protection from hazards with a material risk of a relevant impact on the asset, a responsible entity must protect the asset so far as reasonably practicable to ensure the confidentiality of communications carried on and information contained on the asset, as well as the asset’s availability and integrity. This includes (but is not limited to) complying with the entity’s CIRMP and maintaining competent supervision of, and effective control over, the asset. Failure to comply will attract a civil penalty of up to 1,500 penalty units (currently, $495,000). The draft TSRMP Rules currently envisage applying this obligation to a critical telecommunications asset that is (a) owned or operated by a carrier; or (b) owned or operated by a carriage service provider if used (i) in connection with the supply of at least 20,000 active carriage services of prescribed types; or (ii) in connection with carriage services supplied to a Commonwealth entity.
- Section 30EC: A responsible entity must give written notification to the Secretary of the Department of Home Affairs, as soon as reasonably practicable upon becoming aware, of any change or proposed change by it to a telecommunications service or system that is likely to have a material adverse effect on its capacity to comply with its protection obligations under s 30EB. Guidance as to relevant changes is set out in s 30EE. Failure to comply will attract a civil penalty of up to 300 penalty units (currently, $99,000). The Secretary may also request further information to assess risks to the asset that are prejudicial to security. Notably, the privilege against self-incrimination will not apply in responding to such information requests, although some protections are offered in the case of subsequent proceedings against an individual. The draft TSRMP Rules currently envisage applying this obligation only to a critical telecommunications asset that is owned or operated by a carrier.
- Section 30EF: Where a responsible entity proposes to use or supply, or indeed uses or supplies, carriage service(s) that the Minister for Home Affairs considers would be prejudicial to security, the Minister may give the entity a written direction not to use or supply, or to cease using or supplying, the carriage service(s). This is only intended to apply to a carriage service generally and not service provision to particular persons. An adverse security assessment must have been conducted prior to issuing such a direction. Failure to comply with a direction will attract a civil penalty of up to 2,000 penalty units (currently, $660,000). Immunities from civil liability are provided for acts done or omitted in good faith in compliance with directions given under this section. Per new s 30EF, this section applies to any critical telecommunications asset.
Timeframe: These amendments will commence on a date to be fixed by proclamation or, if not proclaimed earlier, on 30 November 2025,[14] following finalisation of the TSRMP Rules and related amendments to the Application Rules applicable to the SOCI Act.
(6) Streamlining of Notifications for Systems of National Significance (SoNS)
Currently, under Part 6A of the SOCI Act, the Minister for Home Affairs may privately declare a critical infrastructure asset to be a SoNS, which enlivens notification obligations to and from reporting entities.
“Reporting entities” for an asset include both the responsible entity and direct interest holders (i.e., those holding an interest of at least 10% in the asset (alone or with associates), or an interest putting them in a position to directly or indirectly influence or control the asset).
The amendments will see these notification obligations applying only to the responsible entity, and not to other reporting entities (i.e., not to direct interest holders). For example, the Minister need only notify the responsible entity for an asset that is declared a SoNS under revised s 52B, and not any direct interest holder. Under revised s 52D, the responsible entity need only notify the Secretary of the Department of Home Affairs of its ceasing to be the responsible entity for a declared SoNS asset – requirements for notification by direct interest holders, or notifications regarding changes to direct interest holders by the responsible entity, have been removed.
The rationale for these changes is that the tracking and reporting of changes to interest holders is considered an unreasonably onerous responsibility for a responsible entity.[15] Government oversight of interests in critical infrastructure assets, including any perceived risks arising from foreign holdings, is preserved by the continued requirement for reporting under Part 2 of the SOCI Act for the purposes of the Register of Critical Infrastructure Assets.
Timeframe: These amendments commenced on 20 December 2024.
Observations
The amendments reflect a heightened threat environment for critical infrastructure, stemming from both cyber and non-cyber incidents.
Large-scale incidents impacting critical infrastructure (including the Optus and Medibank hacks) have highlighted gaps within the framework provided by the SOCI Act, including the need to extend the regulatory framework to secondary assets (such as data storage systems) which support primary asset functions and to uplift security in the telecommunications sector.[16]
Responsible entities for critical infrastructure assets should now take active steps to assess the impact of these changes on their existing obligations under the SOCI Act and make any required updates to their compliance, risk, security and data management frameworks. Entities would be prudent to:
- Assess whether they own or operate any data storage systems storing or processing business critical data in connection with their critical infrastructure assets (and meeting the other criteria set out in new s 9(7)) – if they do, all obligations under the SOCI Act in relation to their primary critical infrastructure assets will also extend to such data storage systems.
- Get up to speed with the revised secrecy and disclosure regime, including the newly defined information types, harms-based test and authorisations. Policies, procedures and systems for the management of protected information and relevant information should be updated accordingly.
- Assess whether their CIRMP could be considered to suffer from any serious deficiencies (those posing a material risk to national security, the defence of Australia, or the social or economic stability of Australia or its people) – if it does, take proactive steps to redress such deficiencies.
- To the extent that entities own or operate critical telecommunications assets (which may span industries from communications to space technology, electricity, defence, freight and more), continue to monitor and assess whether enhanced obligations, including the security obligations in Part 2D of the SOCI Act, will be applied to them by the upcoming TSRMP Rules (currently in the draft stage), and update their compliance and security frameworks and systems accordingly.
[1] Department of Home Affairs, Cyber and Infrastructure Security Centre’s Critical Infrastructure Annual Risk Review (2nd ed, November 2024).
[2] Revised Explanatory Memorandum at [19].
[3] Revised Explanatory Memorandum at [21].
[4] Revised Explanatory Memorandum at [34].
[5] “Confidential commercial information” as newly defined in s 5.
[6] Revised Explanatory Memorandum at [142].
[7] New s 42AA of the SOCI Act.
[8] New s 42AA of the SOCI Act.
[9] New s 43F of the SOCI Act.
[10] New ss 35AB(9A) and (9B) of the SOCI Act.
[11] Revised Explanatory Memorandum at [42].
[12] New s 5(b) of the SOCI Act, with “carriage service”, “carriage service provider” and “carrier” having the same meanings as in the Telecommunications Act.
[13] Revised Explanatory Memorandum at 4.
[14] Various related amendments made to the Australian Security Intelligence Organisation Act 1979 (Cth) have commenced with effect from 30 November 2024.
[15] Revised Explanatory Memorandum at [558].
[16] Revised Explanatory Memorandum at 2-3, 113, 117-118.