The urban water industry was represented by Greg Ryan, WSAA, and Luke Sawtell, Urban Utilities and Chair of the Water Services Sector Group, at the Parliamentary Joint Committee on Intelligence and Security public hearing this month.
The Parliamentary Joint Committee on Intelligence and Security has commenced reviews into the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the operation, effectiveness and implications of the Security of Critical Infrastructure Act 2018.
The hearing focused primarily on cyber security and was an opportunity for companies and industries affected by the proposed framework under the Bill to ensure that serious cyber security risks can be met effectively with the lowest possible regulatory burden and cost to their customers. It was attended by other sectors including ports, airlines, freight, electricity and gas.
During the hearing the industries discussed a preference for a risk-based, outcomes-focused approach to the sector-specific requirements that are currently being developed. The group also requested a longer timeline for the legislation, and the Chair of the Senate Committee suggested that the sector-specific requirements and the revised Security of Critical Infrastructure Act should be finalised together to ensure consistency.
Consultation rounds held with telecommunications and other sectors have indicated that the Parliamentary Joint Committee on Intelligence and Security and the Department of Home Affairs viewed current approaches to managing cyber security risk by most critical infrastructure entities as inadequate.
The Review aims to enhance security and resilience of critical infrastructure assets and systems of national significance. Expansion of the concepts to include systems of national significance is intended to widen the regime to address threats such as natural disasters and cyber-attacks.
The Bill seeks to achieve this expansion by amending the Act to:
- identify critical infrastructure assets across 11 industry sectors (increased from the current 4 sectors),
- establish positive security obligations for critical infrastructure assets, including to adopt and maintain a critical infrastructure risk management program (to be delivered through sector-specific requirements) and mandatory cyber incident reporting,
- introduce enhanced cyber security obligations to ensure Government and industry can work collaboratively to strengthen the cyber preparedness and resilience of entities that operate assets of the highest criticality to Australia's national interests (defined as systems of national significance), and
- provide Government with the necessary and proportionate powers to be exercised as a last resort in circumstances where a cyber security incident has impacted, is impacting, or is likely to impact a critical infrastructure asset and Australia's national interest.
The Department of Home Affairs is progressing the development of sector-specific requirements for the water sector, with the first co-design workshop held on 20 July. WSAA has worked with the Water Services Sector Group Executive and a leadership group from each of the members covered by the Security of Critical Infrastructure Act, in conjunction with subject matter experts in cyber security, to develop a sector position paper. It has been circulated to all key WSAA Networks, and is available on request, to inform and underpin the sector’s response to the workshops with Home Affairs. The water sector workshops will continue until the end of August.
For more information, please contact Greg Ryan.