Security Legislation Amendment (Critical Infrastructure) Act 2021 (124 of 2021)

Schedule 1   Security of critical infrastructure

Part 1   General amendments

Security of Critical Infrastructure Act 2018

21   After section 8C

Insert:

8D Meaning of critical infrastructure sector

Each of the following sectors of the Australian economy is a critical infrastructure sector :

(a) the communications sector;

(b) the data storage or processing sector;

(c) the financial services and markets sector;

(d) the water and sewerage sector;

(e) the energy sector;

(f) the health care and medical sector;

(g) the higher education and research sector;

(h) the food and grocery sector;

(i) the transport sector;

(j) the space technology sector;

(k) the defence industry sector.

8E Meaning of critical infrastructure sector asset

(1) An asset is a critical infrastructure sector asset if it is an asset that relates to a critical infrastructure sector.

Deeming - when asset relates to a sector

(2) For the purposes of this Act, each of the following assets is taken to relate to the communications sector:

(a) a critical telecommunications asset;

(b) a critical broadcasting asset;

(c) a critical domain name system.

(3) For the purposes of this Act, a critical data storage or processing asset is taken to relate to the data storage or processing sector.

(4) For the purposes of this Act, each of the following assets is taken to relate to the financial services and markets sector:

(a) a critical banking asset;

(b) a critical superannuation asset;

(c) a critical insurance asset;

(d) a critical financial market infrastructure asset.

(5) For the purposes of this Act, a critical water asset is taken to relate to the water and sewerage sector.

(6) For the purposes of this Act, each of the following assets is taken to relate to the energy sector:

(a) a critical electricity asset;

(b) a critical gas asset;

(c) a critical energy market operator asset;

(d) a critical liquid fuel asset.

(7) For the purposes of this Act, a critical hospital is taken to relate to the health care and medical sector.

(8) For the purposes of this Act, a critical education asset is taken to relate to the higher education and research sector.

(9) For the purposes of this Act, a critical food and grocery asset is taken to relate to the food and grocery sector.

(10) For the purposes of this Act, each of the following assets is taken to relate to the transport sector:

(a) a critical port;

(b) a critical freight infrastructure asset;

(c) a critical freight services asset;

(d) a critical public transport asset;

(e) a critical aviation asset.

(11) For the purposes of this Act, a critical defence industry asset is taken to relate to the defence industry sector.

8F Critical infrastructure sector for a critical infrastructure asset

For the purposes of this Act, the critical infrastructure sector for a critical infrastructure asset is the critical infrastructure sector to which the asset relates.

8G Meaning of relevant impact

(1) Each of the following is a relevant impact of a hazard on a critical infrastructure asset:

(a) the impact (whether direct or indirect) of the hazard on the availability of the asset;

(b) the impact (whether direct or indirect) of the hazard on the integrity of the asset;

(c) the impact (whether direct or indirect) of the hazard on the reliability of the asset;

(d) the impact (whether direct or indirect) of the hazard on the confidentiality of:

(i) information about the asset; or

(ii) if information is stored in the asset - the information; or

(iii) if the asset is computer data - the computer data.

(2) Each of the following is a relevant impact of a cyber security incident on a critical infrastructure asset:

(a) the impact (whether direct or indirect) of the incident on the availability of the asset;

(b) the impact (whether direct or indirect) of the incident on the integrity of the asset;

(c) the impact (whether direct or indirect) of the incident on the reliability of the asset;

(d) the impact (whether direct or indirect) of the incident on the confidentiality of:

(i) information about the asset; or

(ii) if information is stored in the asset - the information; or

(iii) if the asset is computer data - the computer data.