Critical infrastructure delivers the essential services for our daily lives such as communications, financial services and markets, data storage and processing, healthcare, and many others.
Cyber-attacks can rapidly impact multiple critical infrastructure sectors, and therefore robust cyber security is essential to protect the community.
Established on 1 September 2021 and sitting within the Department of Home Affairs, the Cyber and Infrastructure Security Centre (CISC) partners with governments, industry and the community to assist critical infrastructure providers to manage risks and protect Australians.
This article explores the key functions of the CISC as outlined on its website.
CISC regulatory functions
The CISC regulatory functions are governed under the Security of Critical Infrastructure Act 2018, the Telecommunications Act 1997, as amended by the Telecommunications and Other Legislation Amendment Act 2017, the Aviation Transport Security Act 2004, the Maritime Transport and Offshore Facilities Security Act 2003 and the AusCheck Act 2007.
The CISC’s functions include:
- Industry partnerships, collaboration, engagement and best practice advice.
- Identification and mitigation of all hazard risks.
- Critical infrastructure modelling.
- Standards, accreditation and regulatory reform policy.
- Support for industry and government capabilities.
- Compliance and regulatory functions that prioritise education and partnerships ahead of enforcement and compliance outcomes.
- A background checking service that includes implementing reforms to use criminal intelligence to treat trusted-insider risks in the aviation and maritime sectors, as well as issuing body reforms.
Which critical infrastructure sectors does the CISC support?
The CISC helps to enhance the security and resilience of the following critical infrastructure sectors:
- Communications.
- Financial services and markets.
- Data storage or processing.
- Defence industry.
- Higher education and research.
- Energy.
- Food and grocery.
- Health care and medical.
- Space technology.
- Transport, including aviation and maritime assets.
- Water and sewerage.
What are the risks?
Threats to critical infrastructure can come from inside or outside an organisation and range from hostile or criminal activity, foreign interference, terrorism and natural disasters through to poor physical, personnel and cyber security practices.
Cybercrime targeting essential services such as the health care, food distribution and energy sectors has demonstrated the vulnerability of critical infrastructure. For example, in September 2019, a ransomware attack forced some major regional hospitals in Victoria to go offline, affecting their booking systems and ability to manage services.
As Australia’s critical infrastructure is increasingly interconnected, malicious targeting may have serious consequences for its economy and national security.
Obligations of critical infrastructure providers
Recent legislative reforms to the Security of Critical Infrastructure Act 2018 provide Australia with a critical infrastructure preventative and post-incident response framework.
Under the amended Act, owners and operators of critical infrastructure assets can be obliged to implement the following preventative measures:
- Provide ownership and operational information to Australia’s Register of Critical Infrastructure Assets.
- Report cyber security incidents to the Australian Cyber Security Centre (ACSC).
- Establish, maintain and comply with a Risk Management Program to identify and mitigate “material risks” to a critical infrastructure asset’s availability, reliability and integrity.
In the event of a cyber incident, the government has the power to compel critical infrastructure providers to provide specific information or to implement enhanced cyber security measures.
Key takeaways
The Cyber and Infrastructure Security Centre (CISC) was established in September 2021 to protect the critical infrastructure and essential services that Australians rely on, with a key focus on cyber security. It is important for critical infrastructure providers to be aware of the risks, and to comply with their obligations under the Security of Critical Infrastructure Act 2018.