I, Clare O’Neil, Minister for Home Affairs, make this instrument under section 61 of the Security of Critical Infrastructure Act 2018 (the Act).
Dated 31 January 2023
Clare O’Neil
Minister for Home Affairs
I, Clare O’Neil, Minister for Home Affairs, make this instrument under section 61 of the Security of Critical Infrastructure Act 2018 (the Act).
Dated 31 January 2023
Clare O’Neil
Minister for Home Affairs
This instrument is the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023.
This instrument commences on the later of:
(a) immediately after the AusCheck Legislation Amendment (Critical Infrastructure Background Check) Regulations 2023 commence; and
(b) the day after registration.
Note A number of phrases used in this instrument are defined in the Act, including:
(a) critical component;
(b) critical infrastructure asset;
(c) critical hospital;
(d) critical worker;
(d) relevant impact;
(e) responsible entity;
(f) security.
In this instrument:
AusCheck Act means the AusCheck Act 2007.
AusCheck Regulations means the AusCheck Regulations 2017.
background check means a background check under the AusCheck Act.
CI asset means a critical infrastructure asset.
CIRMP is short for critical infrastructure risk management program.
CIRMP criminal record has the same meaning as defined in the AusCheck Regulations.
criminal history criteria means the assessment of:
(a) whether the person has a CIRMP criminal record; and
(b) the nature of the offence.
cyber and information security hazard includes where a person, whether authorised or not:
(a) improperly accesses or misuses information or computer systems about or related to the CI asset; or
(b) uses a computer system to obtain unauthorised control of, or access to the CI asset that might impair its proper functioning.
designated hospital means a critical hospital mentioned in Schedule 1.
major supplier means any vendor that by nature of the product or service they offer, has a significant influence over the security of a responsible entity’s CI asset.
natural hazard includes fire, flood, cyclone, storm, heatwave, earthquake, tsunami, space weather or biological health hazard (such as a pandemic).
personnel hazard includes where a critical worker acts, through malice or negligence:
(a) to compromise the proper function of the asset; or
(b) to cause significant damage to the asset.
physical security hazard includes the unauthorised access to, interference with, or control of CI assets, to compromise the proper function of the asset or cause significant damage to the asset.
Secretary has the same meaning as defined in the AusCheck Act.
supply chain hazard includes malicious people both internal and external exploiting, misusing, accessing or disrupting the supply chain and over-reliance on particular suppliers.
4 Application of Part 2A of the Act
(1) For paragraph 30AB(1)(a) of the Act, each of the following is specified:
(a) a critical broadcasting asset;
(b) a critical domain name system;
(c) a critical data storage or processing asset;
(d) a critical electricity asset;
(e) a critical energy market operator asset;
(f) a critical gas asset;
(g) a designated hospital;
(h) a critical food and grocery asset;
(i) a critical freight infrastructure asset;
(j) a critical freight services asset;
(k) a critical liquid fuel asset;
(l) a critical financial market infrastructure asset mentioned in paragraph 12D(1)(i) of the Act;
(m) a critical water asset.
(2) For subsection 30AB(3) of the Act, Part 2A of the Act does not apply to a CI asset mentioned in subsection 4(1) during the period beginning when the asset became a CI asset and ending the later of:
(a) 6 months after the commencement of this instrument; and
(b) 6 months after the asset became a CI asset.
(3) The requirements specified in this instrument for paragraph 30AH(1)(c), and subsections 30AKA(1), (3) and (5) of the Act, apply to a CI asset:
(a) that is:
(i) specified in subsection 4(1); and
(ii) not specified in another instrument for paragraph 30AB(1)(a) of the Act; or
(b) referred to in paragraph 30AB(1)(b) of the Act.
5 Relevant Commonwealth regulator
For subparagraph (b)(ii) of the definition of relevant Commonwealth regulator in section 5 of the Act, the Reserve Bank of Australia is specified for a critical financial market infrastructure asset mentioned in paragraph 12D(1)(i) of the Act.
Part 2 Requirements for a critical infrastructure risk management program
For subsection 30AH(8) of the Act, material risk includes:
(a) a stoppage or major slowdown of the CI asset’s function for an unmanageable period;
(b) a substantive loss of access to, or deliberate or accidental manipulation of, a critical component of the CI asset;
Example The position, navigation and timing systems affecting provision of service or functioning of the asset.
(c) an interference with the CI asset’s operational technology or information communication technology essential to the functioning of the asset;
Example A Supervisory Control and Data Acquisition (SCADA) system.
(d) the storage, transmission or processing of sensitive operational information outside Australia, which includes:
(i) layout diagrams;
(ii) schematics;
(iii) geospatial information;
(iv) configuration information;
(v) operational constraints or tolerances information;
(vi) data that a reasonable person would consider to be confidential or sensitive about the asset;
(e) remote access to operational control or operational monitoring systems of the CI asset.
(1) For paragraph 30AH(1)(c) of the Act, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:
(a) to identify the operational context of the CI asset; and
(b) to identify the material risks to the CI asset; and
(c) as far as it is reasonably practicable to do so:
(i) to minimise or eliminate the material risks, which may include those mentioned in section 6; and
(ii) to mitigate the relevant impact of each hazard on the CI asset; and
(d) to review the CIRMP to ensure compliance with section 30AE of the Act; and
(e) to keep the CIRMP current to ensure it complies with section 30AF of the Act.
(2) For subsections 30AKA(1), (3) and (5) of the Act, a responsible entity must have regard to whether the entity’s CIRMP:
(a) describes the outcome of the process or system mentioned in paragraph (1)(a);
(b) describes interdependencies between the entity’s CI asset and other CI assets;
(c) identifies each position within the entity:
(i) that is responsible for developing and implementing the CIRMP; and
(ii) for the processes mentioned in paragraph (1)(d)—that is responsible for reviewing the CIRMP or keeping the CIRMP up to date;
(d) contains the contact details for the positions described under paragraph (c);
(e) contains a risk management methodology;
(f) describes the circumstances in which the entity will review the CIRMP.
8 Cyber and information security hazards
(1) For paragraph 30AH(1)(c) of the Act, subsections (2) and (3) specify requirements for cyber and information security hazards.
(2) A responsible entity must establish and maintain a process or system in the CIRMP to—as far as it is reasonably practicable to do so:
(a) minimise or eliminate any material risk of a cyber and information security hazard occurring; and
(b) mitigate the relevant impact of a cyber and information security hazard on the CI asset.
(3) Within 12 months after the end of the applicable period mentioned in subsection 4(2), a responsible entity must comply with subsection (4) or (5).
(4) A responsible entity must establish and maintain a process or system in the CIRMP to:
(a) comply with a framework contained in a document mentioned in the following table as in force from time to time; and
(b) meet any conditions mentioned in the table for the document.
Item | Document | Condition |
1 | Australian Standard AS ISO/IEC 27001:2015 |
|
2 | Essential Eight Maturity Model published by the Australian Signals Directorate | Meet maturity level one as indicated in the document |
3 | Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology of the United States of America |
|
4 | Cybersecurity Capability Maturity Model published by the Department of Energy of the United States of America | Meet Maturity Indicator Level 1 as indicated in the document |
5 | The 2020‑21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327) | Meet Security Profile 1 as indicated in the document |
Note Sections 30AN and 30ANA of the Act provide for the incorporation of the documents mentioned in this subsection as in force from time to time.
(5) A responsible entity must establish and maintain a process or system in the entity’s CIRMP to comply with a framework that is equivalent to a framework in a document mentioned in subsection (4), including any conditions.
(6) For subsections 30AKA(1), (3) and (5) of the Act, a responsible entity must have regard to whether the entity’s CIRMP describes the cyber and information security hazards that could have a relevant impact on the asset.
(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:
(a) to identify the entity’s critical workers; and
(b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and
(c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:
(i) arising from malicious or negligent employees or contractors; and
(ii) arising from the off-boarding process for outgoing employees and contractors.
(2) For paragraph (1)(b) and paragraph 30AH(4)(a) of the Act, the process or system for assessing the suitability of a critical worker may be a background check conducted under the AusCheck scheme.
Note Responsible entities are not required to use the AusCheck scheme to assess the suitability of critical workers. It is open for responsible entities to use other measures to assess the suitability of critical workers. That process or system must be included in the CIRMP.
(3) If a CIRMP permits a background check to be conducted under subsection (2), the background check must include assessment of information relating to the matters mentioned in paragraphs 5(a), (b), (c) and (d) of the AusCheck Act; and
(a) for paragraph 30AH(4)(c) of the Act—the criteria against which the information must be assessed are the criminal history criteria; and
(b) for paragraph 30AH(4)(d) of the Act—the assessment must consist of both an electronic identity verification check and an in person identity verification check.
(4) A responsible entity must notify the Secretary if a background check is no longer required for a critical worker.
(5) In making a suitability assessment mentioned in paragraph (1)(b), a responsible entity must consider the following:
(a) any advice from the Secretary under the following provisions of the AusCheck Regulations:
(i) paragraph 21DA(2)(a);
(ii) paragraph 21DA(2)(b);
(iii) subsection 21DA(4);
(iv) subsection 21DA(5); and
(b) whether permitting a critical worker to have access to critical components of the CI asset would be prejudicial to security; and
(c) any other information that may affect the person’s suitability to have access to the critical components of the CI asset.
Note A responsible entity may be required to inform the Secretary of a decision to grant or revoke access to a critical infrastructure asset, in certain circumstances—see AusCheck Regulations, section 21ZA.
(6) For subsections 30AKA(1), (3) and (5) of the Act, a responsible entity must have regard:
(a) to whether the CIRMP lists the entity’s critical workers; and
(b) to whether the CIRMP describes the personnel risks, the occurrence of which could have a relevant impact on the asset.
(1) For paragraph 30AH(1)(c) of the Act, for supply chain hazards, a responsible entity must establish and maintain in the entity’s CIRMP a process or system to:
(a) as far as it is reasonably practicable to do so—minimise or eliminate the following material risks:
(i) unauthorised access, interference or exploitation of the asset’s supply chain; and
(ii) misuse of privileged access to the asset by any provider in the supply chain; and
(iii) disruption of the asset due to an issue in the supply chain; and
(iv) arising from threats to people, assets, equipment, products, services, distribution and intellectual property within supply chains; and
(v) arising from major suppliers; and
(vi) any failure or lowered capacity of other assets and entities in the entity’s supply chain; and
(b) as far as it is reasonably practicable to do so—mitigate the relevant impact of a supply chain hazard on the asset.
(2) For subsections 30AKA(1), (3) and (5) of the Act, a responsible entity must have regard:
(a) to whether the CIRMP lists the entity’s major suppliers; and
(b) to whether the CIRMP describes the supply chain hazards, which could have a relevant impact on the asset.
11 Physical security hazards and natural hazards
(1) For paragraph 30AH(1)(c) of the Act, for physical security hazards and natural hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:
(a) to identify the physical critical components of the CI asset; and
(b) as far as it is reasonably practicable to do so—to minimise or eliminate a material risk, and mitigate a relevant impact, of:
(i) a physical security hazard on a physical critical component; and
(ii) a natural hazard on the CI asset; and
(c) to respond to incidents where unauthorised access to a physical critical component occurs; and
(d) to control access to physical critical components, including restricting access to only those individuals who are critical workers or accompanied visitors; and
(e) to test that security arrangements for the asset are effective and appropriate to detect, delay, deter, respond to and recover from a breach in the arrangements.
(2) For subsections 30AKA(1), (3) and (5) of the Act, a responsible entity must have regard to whether:
(a) the asset’s critical components are described in the CIRMP; and
(b) the physical security hazards, the occurrence of which could have a relevant impact on a physical critical component, are described in the CIRMP; and
(c) the security arrangements for the asset are described in the CIRMP; and
(d) the CIRMP describes the natural hazards, the occurrence of which could have a relevant impact on the physical critical component.
Schedule 1 Designated hospitals
(section 3)
A designated hospital means a critical hospital mentioned in an item in the following table located in the State or Territory mentioned in the item.
Item | Hospital | State or Territory |
1 | Bankstown-Lidcombe Hospital Blacktown Hospital Calvary Mater Newcastle Campbelltown Hospital Children's Hospital Westmead Coffs Harbour Health Campus Concord Repatriation General Hospital Dubbo Base Hospital Gosford Hospital Hornsby Ku-Ring-Gai Hospital John Hunter Hospital Lake Macquarie Private Hospital Lismore Base Hospital Liverpool Hospital Nepean Hospital Northern Beaches Hospital Northern Beaches Hospital Orange Base Hospital Port Macquarie Base Hospital Prince of Wales Hospital Royal North Shore Hospital Royal Prince Alfred Hospital St George Hospital St Vincent's Hospital (Darlinghurst) Sydney Children's Hospital Tamworth Hospital The Sutherland Hospital The Tweed Hospital Wagga Wagga Base Hospital Westmead Hospital Wollongong Hospital | New South Wales |
2 | Austin Hospital – Austin Health Box Hill Hospital – Eastern Health Cabrini Malvern Dandenong Hospital – Monash Health Frankston Hospital – Peninsula Health Knox Private Hospital Monash Children’s Hospital – Monash Health Monash Medical Centre (Clayton) – Monash Health Northern Hospital – Northern Health Royal Melbourne Hospital – Melbourne Health St Vincent’s Hospital (Melbourne) Limited The Alfred – Alfred Health The Royal Children's Hospital The Royal Women's Hospital University Hospital (Geelong) – Barwon Health | Victoria |
3 | Bundaberg Base Hospital Caboolture Hospital Cairns Base Hospital Gold Coast University Hospital Greenslopes Private Hospital Hervey Bay Hospital Ipswich Hospital Logan Hospital Mackay Base Hospital Mater Adult Hospital Mater Hospital Brisbane Princess Alexandra Hospital Queen Elizabeth II Jubilee Hospital Queensland Children's Hospital Redcliffe Hospital Robina Hospital Rockhampton Hospital Royal Brisbane & Women's Hospital Sunshine Coast Public University Hospital The Prince Charles Hospital The Wesley Hospital Toowoomba Hospital Townsville University Hospital | Queensland |
4 | Armadale Hospital Bunbury Regional Hospital Fiona Stanley Hospital Hollywood Private Hospital Joondalup Health Campus Joondalup Health Campus King Edward Memorial Hospital Perth's Children’s Hospital Rockingham General Hospital Royal Perth Hospital Sir Charles Gairdner Hospital St John of God Midland Public Hospital | Western Australia |
5 | Calvary Hospital Adelaide Flinders Medical Centre Lyell McEwin Hospital Royal Adelaide Hospital The Queen Elizabeth Hospital Women's and Children's Hospital | South Australia |
6 | Launceston General Hospital Royal Hobart Hospital | Tasmania |
7 | Canberra Hospital | Australian Capital Territory |
8 | Alice Springs Hospital Royal Darwin Hospital | Northern Territory |