Australia releases comprehensive guide on critical infrastructure asset class definition

The Australian Cyber and Infrastructure Security Centre (CISC) published Friday its critical infrastructure asset class definition guidance, which is applicable to all relevant infrastructural sectors. The outline simplifies obligations for critical infrastructure responsible entities and direct interest holders helping improve operational resilience and reduce complexity.

The class definition document provides guidance on critical infrastructure asset classes. Critical Infrastructure Assets are either specifically defined in the Security of Critical Infrastructure Act 2018 (SOCI Act), or prescribed in the SOCI Definitions Rules (LIN 21/039)(Definitions Rules). It calls upon asset owners and operators to refer to the SOCI Act and the Definitions Rules when determining whether a critical infrastructure asset definition applies to their assets.

Across ten categories, the document covers 22 critical infrastructure sectors. Some of these categories include the communications sector made up of broadcasting, domain name system, and telecommunications; the energy sector made up of electricity, energy market operator, gas and liquid fuel; and the transport sector made up of aviation, freight infrastructure, freight services, port and public transport. Some of the other critical sectors that made up individual categories include water and sewage sector, defense industry sector, healthcare and medical sector, and food and grocery sector. 

In the case of the electricity sector, as part of the asset definition guidance, the CISC document asks an entity whether the asset is a critical electricity asset. Then it moves on to whether the asset is located in Australia. Subsequently, the document addresses if the asset is not owned by the Commonwealth or a Commonwealth body, other than a government business enterprise. 

In case, the answer to both these questions is ‘yes,’ the next issue that the asset definition guidance addresses is whether the asset meets any of the below definitions. Here, there are two options. The first one is whether a network, system, or interconnector, that transmits or distributes electricity to over 100,000 customers. If ‘yes,’ then the asset guidance document defines the asset as a critical electricity asset located in the energy sector. 

The second option is whether an electricity generation station is critical to ensuring the security and reliability of electricity networks or electricity systems in a state or territory, which gets further broken down into two parts – an electricity generator in the state or territory that has an installed capacity over 30 megawatts and connected to a wholesale electricity market, or owned or operated by an entity that is contracted to provide a system restart ancillary service in the state or territory. 

The asset class definition guidance defines a system restart ancillary service is provided if it can start without an external power supply and connect and provide energy to an electrical network or an electricity system for the transmission or distribution of electricity. If ‘yes,’ then the asset guidance document defines the asset as a critical electricity asset located in the energy sector. 

For the energy sector, the next thing that the asset definition guidance addresses is whether the entity is a reporting entity for a critical electricity asset. The entity must choose what best describes its relationship with the critical electricity asset. Here, there are three options. First, ‘I am the entity which holds the licence, approval or authorisation to operate the critical electricity asset and provide the services to be delivered.’ If ‘yes,’ then the entity is recognized as a responsible entity for a critical electricity asset.

The other two options are ‘I, together with associates, hold an interest of ≥ 10% in the critical electricity asset, including any joint interests,’ and ‘I hold an interest in the critical electricity asset such that I am in a position to directly or indirectly control the asset.’ Here, if ‘yes’ to either of these, then the entity is a direct interest holder for a critical electricity asset.

The CISC asset definition guidance said that if ‘No,’ then the entity is not a reporting entity for a critical electricity asset.

In February, the Australian government published a 2023 Critical Infrastructure Resilience Strategy that provides a national framework to guide Australia to enhance critical infrastructure security and resilience. The document provides a framework for how industry, state and territory governments, and the government will work together to mature the security and resilience of critical infrastructure and to anticipate, prevent, prepare for, respond to, and recover from all-hazards. It builds upon the 2015 Critical Infrastructure Resilience Strategy.

Last month, the Australian government released a discussion paper seeking aviation and maritime stakeholder views on a strategic reform agenda and new regulatory model. The document identifies five key areas of high impact in response to the recommendations that may be implemented soon. These include removing prescriptions in security programs, delivering outcomes and risk-based security management approach, the Department of Home Affairs’ regulatory relationship with screening providers, screened and unscreened air services, and industry engagement and education to support performance and compliance.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.