Australia passes SLACIP Act to build security, resilience of nation’s critical infrastructure sector

The Australian government passed the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 on Thursday. The SLACIP Act will boost the security and resilience of the nation’s critical infrastructure framework to safeguard the essential services that Australian citizens rely on from physical, supply chain, cyber, and personnel threats.

The reforms in the SLACIP Act are intended to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets. They also seek to improve information exchange between industry and government to build a more comprehensive understanding of threats.

The amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) will commence the day after the Governor-General gives the Royal Assent to the SLACIP Act. These changes will bring in a new obligation for responsible entities to create and maintain a critical infrastructure risk management program and a new framework for enhanced cybersecurity obligations required for operators of systems of national significance or critical infrastructure assets. The Australian Department of Home Affairs said its web page would be updated when the commencement date is confirmed. 

The SLACIP Act is the second tranche of reforms to the SOCI Act. Having identified the need for an enhanced regulatory framework, the Australian government enacted the first tranche of reforms through the Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act), building on existing requirements under the SOCI Act. The SLACI Act commenced on Dec. 2, 2021.

“These reforms are a key action item under Australia’s Cyber Security Strategy 2020 and are part of the Morrison Government’s work to strengthen our management and response to security risks across critical infrastructure sectors,” Karen Andrews, Minister for Home Affairs, said in a media statement on Thursday. “The Bill builds on the Morrison Government’s strong support for our national security agencies announced in Tuesday’s Federal Budget, to make Australia stronger and keep Australians safe in an increasingly uncertain world.”

“Throughout the pandemic, Australia’s critical infrastructure sectors have been regularly targeted by malicious cyber actors seeking to exploit victims for profit, with total disregard for the community and the essential services we all rely on,” according to Andrews.

“We’re investing $9.9 billion to boost cyber and intelligence capability, and an extra $280 million to boost law enforcement capability,” Andrews said. “Following Russia’s aggression against Ukraine, it is a sad reality that there is a heightened cyber threat environment globally, and the risk of cyberattacks has increased on Australian networks, either directly or inadvertently,” she added.

The risk management program within the SLACIP Act, designed with industry and building on existing regulatory frameworks where possible, requires critical infrastructure owners and operators to manage the risk of hazards that affect the delivery of essential services. The program is intended to uplift core security practices related to the management of critical infrastructure assets. In addition, it aims to ensure responsible entities take a holistic and proactive approach toward identifying, preventing and mitigating risks from all hazards.

The amendments also deliver the ability to declare systems of national significance across the most interconnected and interdependent critical infrastructure assets. These assets are crucial to the nation because of their interdependencies across sectors and the potential for their disruption to have cascading consequences for other critical infrastructure assets and sectors.

They also deliver enhanced cybersecurity obligations for owners and operators of assets most critical to the nation, primarily centered around a strengthened relationship with the government. In addition, they offer improved information-sharing provisions to make it easier for regulated entities and governments to share information to comply with their obligations.

The SLACIP Act comes after extensive public consultation, ongoing engagement with critical infrastructure providers, and examination by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). The Australian Department of Home Affairs recognizes that engagement and education will be crucial to the success of these reforms and is committed to working with entities to ensure these reforms are understood and can be practically implemented. 

The reforms are said to build on the coalition government’s actions to spearhead several significant cybersecurity improvements, such as supporting industries to grow online by launching the National Plan to Combat Cybercrime. The government also sought to crack down on cybercriminals by funding a dedicated AFP-led cybercrime center and working on making Australians safer through the passage of critical legislation to revolutionize the way Australian agencies investigate and prosecute cybercrime.

The Australian Cyber Security Centre (ACSC) revealed in September that the agency received over 67,500 cybercrime reports, rising nearly 13 percent from the previous financial year. The report said that all sectors of the Australian economy were affected by the impacts of cybercrime and other malicious cyber activity in the latest financial year. 

The changes also help ensure that law enforcement agencies have much-needed powers to combat crime on the dark web and the ability to crack down on ransomware and protect Australians from it through the Ransomware Action Plan. They also facilitate the exchange of digital information with U.S. authorities by signing the CLOUD Act Agreement with the country and launching a public information campaign to increase Australia’s cybersecurity.

Last month, the Australian government proposed changes in its Ransomware Action Plan to include a provision that deals with ‘aggravated offences’ targeting its critical infrastructure sectors. These offenses, which apply to cybercriminals who commit a computer offense that targets critical infrastructure assets, will now face an imprisonment term of 25 years.
