Business chiefs to bear onus of risk from cyber and physical attacks

Boards and directors of critical infrastructure will be held more accountable to protect Australians from cyber and physical attacks.

Home Affairs Minister Clare O’Neil will unveil the Critical Infrastructure Risk Management Program on Tuesday. Picture: Martin Ollman
Boards and directors of critical infrastructure will be held more accountable to protect Australians from cyber and physical attacks, under strict new rules forcing businesses and governments to provide annual risk management reports to commonwealth agencies.

Home Affairs Minister Clare O’Neil on Tuesday will unveil the Critical Infrastructure Risk Management Program, aimed at preventing a repeat of last year’s Optus and Medibank hacking incidents and shielding frontline services from cyber and insider attacks.

Ms O’Neil will also launch a new Critical Infrastructure Resilience Strategy, which will set out regulatory frameworks for baseline risk management across sectors and specific critical infrastructure assets. It responds to threats posed by cyber, physical, supply chain and insider attacks from malicious actors seeking to “disrupt our essential services, weaken our economy and exploit victims for profit”.

The strategy, last updated in 2015, focuses on new and emerging threats that have become increasingly complex amid unprecedented geostrategic competition and technology advances. The Albanese government’s tougher critical infrastructure regimen will affect companies and governments operating assets in energy, resources, telecommunications, finance, data storage, hospital, food and grocery, water, freight and broadcasting.

While companies that do not comply with the new regimen face civil penalties equating to $10,500 a day, the “best practice” system is intended to strengthen collaboration between federal government agencies and the private sector. The government can also order performance injunctions or enforceable undertakings for non-compliant companies.

Under the new rules, boards, councils and other governing bodies overseeing critical infrastructure assets must approve annual risk management reports to commonwealth regulators, including the Department of Home Affairs.

Financial services companies regulated by the Australian Prudential Regulation Authority, including banks, superannuation funds and insurance firms, face additional operational risk requirements under new prudential standards designed to thwart information breaches.

Cyber attacks on critical infrastructure soared during the pandemic and have continued to escalate, with state-based actors and criminal gangs targeting Australian aged-care facilities, water providers, hospitals, food wholesalers, education institutions, telcos, government departments and parliaments, health providers and transport operators.

The Australian Cyber Security Centre, which operates under the Australian Signals Directorate, previously said one-quarter of reported cyber security incidents involved essential services.

Ms O’Neil said the country must ensure “critical infrastructure security arrangements keep pace with the evolving threat environment and continue to deliver the essential services we all rely on”.

“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty,” she told The Australian. “The best way to protect our critical infrastructure is through close co-operation between business and government – an alliance that leverages the expertise of all parties and reflects the complex and evolving nature of the threat.”

The critical infrastructure risk management rules, which come months after the Optus and Medibank hacks compromised the personal details of millions of Australians, require operators to identify, prevent and mitigate risks to data, supply chains and operations. The critical infrastructure regimen, overseen by the Department of Home Affairs Cyber and Infrastructure Security Centre, requires companies to establish, maintain and comply with written risk management programs that manage the impact of “hazards”.

Operators must adopt an “all-hazards approach” when identifying threats that may affect the availability, integrity, reliability and confidentiality of their critical infrastructure asset.

Risk management plans must tackle material risks, including stoppages, loss of access to or interference with an asset, and relevant impacts that compromise availability, integrity, reliability and confidentiality of information and computer data. Primary hazards include physical security, natural disasters, insider risk posed by critical workers who can disrupt assets, cyber threats to digital systems, computers, datasets and networks, and disruption to critical supply chains.

The government’s updated critical infrastructure resilience strategy, separate to the new cyber security strategy headed by former Telstra boss Andy Penn, supports stronger collaboration between governments and the private sector.

The Australian Institute of Company Directors and Cyber Security Cooperative Research Centre in October released new governance principles to help companies strengthen cyber security risk management strategies. The governance principles for boards, prepared in consultation with government, industry experts and company directors, were identified as “roles and responsibilities, cyber strategy development and evolution, incorporating cyber into risk management, building a cyber resilient culture and preparing and responding to a significant cyber incident”.

Red flags included cyber risk strategies not featuring on board agendas, directors lacking adequate understanding of cyber risks, companies having no clear lines of management responsibility for cyber security and failure to externally review cyber risk strategies.

Original URL: https://www.theaustralian.com.au/nation/business-chiefs-to-bear-onus-of-risk-from-cyber-and-physical-attacks/news-story/f2a8c8443678c5dc5d2be1875f7929e7