Critical Infrastructure Centre frequently asked questions

What is the role of the Centre?

  • Critical infrastructure provides services that are essential for everyday life such as energy, food, water, transport, communications, health and banking and finance.
  • Secure and resilient infrastructure supports productivity, and helps to drive the business activity that underpins economic growth.
  • A disruption to critical infrastructure could have serious implications for business, governments and the community, impacting supply security and service continuity.
  • The Centre helps owners and operators to better understand and manage risk, and build resilience.
  • The Centre does this by conducting risk assessments and providing mitigation advice to reduce the potential for malicious actors to gain access to and control of Australia’s critical infrastructure through ownership, offshoring, outsourcing and supply chain arrangements.
  • It does this across all eight critical infrastructure sectors: energy; communications; water; transport; health; food and grocery; banking and finance; and Commonwealth government.
  • The Centre is currently developing best practice guidance for owners and operators of critical infrastructure in Australia.
    • The aim of this guidance is to lift industry security practices to address specific national security risks associated with critical infrastructure.

Why was the Centre established?

  • The Australian Government established the Critical Infrastructure Centre in January 2017 to safeguard Australia’s critical infrastructure from the increasingly complex national security risks of sabotage, espionage and coercion.
  • The Centre’s establishment was necessary because the risk from foreign interference, including espionage, pre-positioning for sabotage and coercion, is not as well understood by government or business and therefore not factored into risk management practices.
  • This is due to a number of factors including:
    • the Government’s historic understanding of the extent of foreign access and control of critical infrastructure networks has been limited,
    • security agencies have been limited in what threat information can be provided, and   
    • the impact of espionage and coercion, in particular, is less tangible to industry.

Does the establishment of the Centre signify a shift away from the traditional all-hazards approach?

  • While the Centre and the Security of Critical Infrastructure Act 2018 focus specifically on foreign involvement, the Government remains committed to an all-hazards approach to protecting critical infrastructure as specified in the national Critical Infrastructure Resilience Strategy, and the work of the Trusted Information Sharing Network (TISN).

Why does the Centre focus on foreign involvement and not just foreign investment?    

  • Existing Australian Government frameworks, such as the Foreign Investment Review Board, are primarily concerned with ensuring that foreign investment is not contrary to the national interest.
  • There are, however, other vectors, including outsourcing and offshoring of supply chain arrangements that create the potential for Australia’s critical infrastructure to be exposed to sabotage, espionage and coercion.
  • Foreign involvement includes ownership, offshoring, outsourcing and supply chain arrangements.
  • These vectors create vulnerabilities that provide access to, and control of:
    • operational control systems,
    • critical physical components,
    • sensitive information about customers, the systems’ operation, and connectivity and use of the services by other critical infrastructure, government agencies or defence.

How does the Centre interact with the Foreign Investment Review Board (FIRB) process?           

  • The Centre complements the FIRB by providing clear, consolidated and early national security advice to inform the Treasurer’s national interest decision on foreign investment proposals.
  • Neither the Centre nor the Security of Critical Infrastructure Act 2018 affects the FIRB process.

Does the Centre advocate against foreign involvement in critical infrastructure?

  • No, the Security of Critical Infrastructure Act 2018 is not investor or country-specific. It does not discriminate between foreign and domestic owners/operators.
  • Foreign involvement in Australia’s critical infrastructure is vital to Australia’s prosperity and the Government is committed to ensuring Australia remains an attractive place to invest and do business.
  • However, with increased foreign involvement through ownership, offshoring, outsourcing and supply chain arrangements, Australia’s critical infrastructure is more exposed than ever to sabotage, espionage and coercion.

What other mechanisms exist to manage risks in critical infrastructure?

  • There are a range of existing mechanisms, both non-regulatory and regulatory, that can be used to manage foreign interference risks.
  • This includes the Trusted Information Sharing Network (TISN), engagement through the Australian Security Intelligence Organisation’s (ASIO) Business and Government Liaison Unit (BGLU) as well as the FIRB and the Telecommunications Sector Security Reforms (TSSR), which will commence on 18 September 2018.
  • This Act will supplement those mechanisms and provide mechanisms to address gaps in our understanding of the risks and ability to take action to address risks if necessary.

Security of Critical Infrastructure Act 2018

What is the purpose of the Security of Critical Infrastructure Act 2018?

  • The Act ensures the Government has access to information necessary to conduct risk assessments and the power to enforce mitigations if they are not implemented through collaboration. 
  • It is the Government’s intention to continue to work with critical investment owners and operators through a business-government partnership approach.
  • The Act applies to approximately 165 assets in the electricity, gas, water and ports sectors.

When will the Security of Critical Infrastructure Act 2018 come into force?

  • The Act will come into force on 11 July 2018.

Why does the legislation target foreign involvement?

  • The Government welcomes foreign involvement in the economy and in Australia’s infrastructure because it plays an important and beneficial role in supporting economic growth, creating employment opportunities, improving consumer choice, and promoting healthy competition, while increasing Australia’s competitiveness in global markets.
  • Foreign involvement can also increase an asset’s resilience, for example when investment improves an old asset, or when new operators with greater experience take control.
  • However, we also know that foreign involvement increases a malicious actor’s ability to access and control Australia’s critical infrastructure, in a way that can have subtle effects on the continuity of services to citizens, but extreme consequences for other dependent infrastructure or defence assets.
  • These can be much more difficult to detect or attribute, particularly where industry has a limited understanding or awareness of foreign involvement risks.

Does the Security of Critical Infrastructure Act 2018 target investment or involvement from specific countries?

  • No, the Act is not investor or country-specific.  It does not discriminate between foreign and domestic owners/operators.

How will the Centre monitor compliance?

  • The Centre will monitor compliance with register obligations through auditing practices. Where appropriate, it may use the information gathering power to ensure that information provided is accurate and up to date. 

What penalties are imposed for non-compliance with the register’s obligations?

  • Where a reporting entity fails to comply with the obligations to provide information for the register, it will be liable to a civil penalty up to 50 civil penalty units (section 23 of the Security of Critical Infrastructure Act 2018).
  • This penalty equates to $10,500 per day of contravention.
  • The Government may also seek a performance injunction to compel the entity to register its information; or propose an enforceable undertaking with the entity.

What penalties are imposed for non-compliance with a Minister’s direction?

  • Non-compliance with the Minister for Home Affairs’ direction will attract a pecuniary penalty of 250 civil penalty units for each day of non-compliance.
  • This equates to $52,500 per day of non-compliance.
  • Enforceable undertakings and injunctions are also available as enforcement measures to compel compliance with a direction under this Act.

What protection does the Security of Critical Infrastructure Act 2018 provide for reporting entities that cannot fulfil their reporting obligations?

  • Under Section 25 of the Act, reporting entities are protected from penalties (imposed by Sections 23 and 24) after taking all reasonable steps to provide accurate information if:
    • the person uses the person’s best endeavours to obtain the information; and
    • the person is not able to obtain the information.
  • If an entity relies on this protection in proceedings for a civil penalty, the entity bears an evidential burden in relation to the matter.

What safeguards have been put in place to ensure that the Security of Critical Infrastructure Act 2018 is operating as intended?

  • Section 60A of the Security of Critical Infrastructure Act 2018 states:
    • the Parliamentary Joint Committee on Intelligence and Security must:
      • review the operation, effectiveness and implications of this Act; and
      • without limiting paragraph (a), consider whether it would be appropriate to have a unified scheme that covers all infrastructure assets (including telecommunication assets) that are critical to:
        • the social or economic stability of Australia or its people; or
        • the defence of Australia; or
        • national security; and
      • review the circumstances in which any declarations have been made under Part 6 of this Act (declarations of assets by the Minister); and
      • report the Committee’s comments and recommendations to each House of the Parliament.
    • The Committee must begin the review before the end of 3 years after this Act receives the Royal Assent (11 April 2018).

Is the Government creating a ‘blacklist’ of assets?

  • No. The register is designed to improve knowledge so that the Government can proactively assess national security risks related to an asset, and mitigations can be put in place where necessary.

Is the new approach consistent with Australia’s free trade agreement obligations?

  • Yes. The new approach has been developed taking Australia’s international trade law obligations into account.
  • The obligations in the Security of Critical Infrastructure Act 2018 will apply to all owners, regardless of nationality.
  • The Government is mindful of its free trade agreement obligations and will obtain legal advice before using the ministerial directions power to ensure that any use of the power is consistent with such obligations.
  • The legislation does, however, provide guidance to investors as to the types of assets that, if sold, would be likely to attract greater national security scrutiny.

Why have moneylenders been exempted?

  • A moneylender that acquires an interest in a critical infrastructure asset in its ordinary course of business is not considered to be a direct interest holder.
  • However, the moneylender is considered a direct interest holder if the moneylender is able to directly or indirectly influence or control the asset.
  • A moneylender holding an interest in its ordinary course of business would not be in a position to directly or indirectly influence the asset, and therefore should not be required to report.

Critical Infrastructure Assets Register

What is the purpose of the Register?

  • The Register of Critical Infrastructure Assets will address gaps in the Government’s understanding of who owns and controls critical infrastructure assets.
  • The Register will collect this information which is currently not available to Government outside the foreign investment review process.
  • This information is crucial in assessing the potential risks of sabotage, espionage and coercion in Australia’s critical infrastructure assets and will allow the Centre to better target where more detailed risk assessments should be conducted.

Who is required to provide information to the register?

  • Two types of entities are required to provide information for the register: a responsible entity and a direct interest holder.
  • A responsible entity for an asset is the entity with oversight of operational responsibility for the asset, i.e. the entity that holds the licence or approval to operate the asset (defined in section 5 of the Security of Critical Infrastructure Act 2018).
  • The definition of responsible entity has sector specific meanings and effectively applies to:   
    • a critical electricity or gas asset or water asset, the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset
    • a critical port, the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of the port.
  • A direct interest holder is:
    • any entity, together with an associate or associates, that jointly holds an interest of at least 10 per cent in a critical infrastructure asset; or
    • an entity that holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset (defined in section 8 of the Security of Critical Infrastructure Act 2018).
  • Direct interest holders are required to report information on intermediate and ultimate holding entities (these entities are not considered direct interest holders).
  • The definition ensures that the obligation to report ownership information sits with the entities best placed to report that information and all relevant influence or control details are reported.

Why doesn’t the Government leverage information on existing registers?

  • Existing registers at both the state and territory, and Commonwealth levels do not capture the sort of ownership and operational information required by the Government to clearly understand who has control and influence over a critical infrastructure asset.
  • Existing registers are also built on varying definitions of critical infrastructure, and may not be updated as required for the purposes of the Security of Critical Infrastructure Act 2018.
  • However, in accordance with recommendation two in the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Act, the Department of Home Affairs will consider options to streamline the provision of information required for the Act where that information is already provided by industry to Government for other purposes.

What information will be provided to the register?

  • Responsible entities are required to report ‘Operational information’, including the location of the asset; a description of the area the asset services; the name, address, domestic/foreign incorporation details of the responsible entity, and the above information for each entity that operates the asset, or part of the asset on behalf of the responsible entity.
  • Direct interest holders are required to report ‘interest and control information’, including the entity’s legal name, address and ABN (or other similar business number); the type and level of interest held in the asset; information about the influence or control the entity has in relation to the asset, and information about the influence or control an entity has in relation to another entity that has influence or control.
  • Given the Centre is interested in any entity that is ultimately in a position to influence or control the asset, the definition of ‘interest and control information’ also includes the above details in relation to any other entity that is able to influence or control the direct interest holder.
  • This information will assist the Government to identify the degree of foreign control or operation of critical infrastructure assets, including any outsourcing and/or offshoring arrangements.

What penalties are imposed for non-compliance with the register’s obligations?

  • Where a reporting entity fails to comply with the obligations to provide information for the register, it will be liable to a civil penalty up to 50 civil penalty units (section 23 of the Security of Critical Infrastructure Act 2018).
  • This penalty equates to $10,500 per day of contravention.
  • The Government may also seek a performance injunction to compel the entity to register its information; or propose an enforceable undertaking with the entity.

Ministerial Directions Power

What is the purpose of the directions power?

  • The Security of Critical Infrastructure Act 2018 provides the Minister for Home Affairs with the power to issue a direction to an owner or operator of a critical infrastructure asset to mitigate national security risks.
  • While the Government will always look to work collaboratively with state and territory governments and owners and operators to implement any necessary risk mitigations, there may be circumstances where those mitigations are not implemented.
  • This may include:
    • Disagreement over the risk or proposed mitigations, or
    • A lack of regulatory power at the state or territory level.
  • In these cases, it is essential that the Australian Government has the power to take steps to manage that risk.

What safeguards apply to the use of the directions power?

  • The directions power is supported by a number of safeguards to ensure a direction is only used as a power of last resort.
  • Specifically, the Minister for Home Affairs will not be able to issue a direction unless:
    • an ASIO adverse security assessment (ASA) has been issued
    • ‘good faith’ negotiations have occurred with the owner or operator
    • the direction is proportionate to the risk that exists
    • existing regulatory mechanisms cannot be used to address the risk
  • In considering whether to issue a direction, the Minister is also required to consider:
    • the recommendations in the adverse security assessment
    • the costs likely to be incurred by the entity
    • the consequences for competition, and
    • the consequences for customers.
  • Finally, the Minister is also required to consult directly with the affected entity and the relevant First Minister and state or territory minister and take any representations made into account in making the final decision.
  • There are also review rights built in:
    • the ASA will be subject to merits review, and
    • any direction issued by the Minister will be subject to judicial review.
  • These safeguards reinforce the Government’s intention to promote a collaborative approach to managing national security risks from foreign involvement in critical infrastructure assets and confirm that the directions power is truly a measure of last resort.

When can a direction be issued?

  • A direction will only be able to be issued where:
    • the issues are related to the operation of a critical infrastructure asset or the delivery of a service by a critical infrastructure asset
    • there is a risk of an act or omission
    • that risk would be prejudicial to security (within the meaning of the ASIO Act 1979).
  • In these circumstances, the Minister for Home Affairs will be able to issue a formal written direction to a reporting entity or operator to do, or refrain from doing, an act or thing within a period of time specified in the direction.

What penalties are imposed for non-compliance with a Minister’s direction?

  • Non-compliance with the Minister for Home Affairs’ direction will attract a pecuniary penalty of 250 civil penalty units for each day of non-compliance.
  • This equates to $52,500 per day of non-compliance.
  • Enforceable undertakings and injunctions are also available as enforcement measures to compel compliance with a direction under this Act.

Who will bear the costs of complying with a direction?

  • The entity to which the direction relates will bear the cost of compliance.
  • However, Government recognises the possible impacts on the business which is why it is a legislative requirement for:
    • the Minister for Home Affairs to consider the likely costs of the direction before using the power
    • any direction issued to be proportionate to the risk identified.
  • In practice, the Government will have worked closely with owners and operators throughout the process (including through the good faith and formal consultation processes) to design the mitigations in a way that has the least possible impact on an entity’s operations.
  • This will by its very nature involve detailed discussion and consideration of costs at each interval.
  • Additionally, the risks that the Government is seeking to address go to the integrity and continuity of the services being delivered, and therefore critical infrastructure operators have a reasonable responsibility to address these risks when they are identified.

How will the Ministerial directions power interact with state-based regulatory regimes?

  • The directions power is designed to supplement and not override existing regulatory mechanisms.
  • The Security of Critical Infrastructure Act 2018 explicitly limits the use of a directions power to circumstances where it is demonstrated that an existing regulatory regime of a state or territory cannot be used to eliminate or reduce the risk.

Information Gathering Power

What is the information gathering power?

  • The Security of Critical Infrastructure Act 2018 provides the Department of Home Affairs’ (Home Affairs) Secretary with an information-gathering power which compels the provision of information or documents.
  • Specifically, this will enable the Home Affairs Secretary to request information from owners and operators to:
    • inform risk assessments conducted by the Centre
    • rectify any information gaps on the Register
    • assist with determining whether a Ministerial direction should be made to mitigate a national security risk.

Why is the information gathering power needed?

  • An assessment of national security risks requires a detailed understanding of an asset, its operations and vulnerabilities.
  • While the Government works closely with owners, operators and investors to obtain the information required to conduct these assessments, some stakeholders may be reluctant or restrained from providing this information.

Who will be subject to the information gathering power?

  • The information gathering power will be able to be exercised against reporting entities and operators of critical infrastructure assets.
  • These entities are best placed to provide information to assist the Government to understand and manage national security risks relating to critical infrastructure.

What safeguards apply to the use of the information gathering power?

  • There are a range of safeguards that apply to ensure this power is exercised appropriately and that information obtained is appropriately protected.
  • Before giving a notice, the Home Affairs Secretary must have:
    • reason to believe the information is necessary for the exercise of a power under the Security of Critical Infrastructure Act 2018
    • regard to the costs likely to be incurred in complying with the notice.
  • Additionally, it would be Home Affairs’ intention to only use this power if the information cannot be obtained through collaboration.
  • Any information that is obtained using this power would then be protected in line with the protections that apply to any other information obtained under the legislation.

Minister’s Declaration Power

What is the Minister’s declaration power?

  • The Security of Critical Infrastructure Act 2018 provides the ability for the Minister for Home Affairs to privately declare an asset to be a critical infrastructure asset for the purposes of the legislation.

Why is the declaration power necessary?

  • The Security of Critical Infrastructure Act 2018 was designed to ensure the Government has information and powers to protect Australia’s most critical infrastructure, while also providing clarity as to which assets, and therefore which owners and operators, have obligations under the Act.
  • In some circumstances, it may not be appropriate to publicly identify some critical assets, where those assets are critical for national security purposes.
  • However, it is still necessary to obtain information and have the directions powers available for those assets.
  • The Minister’s declaration power is necessary to ensure that the legislation can apply to those assets:
    • that do not meet the thresholds in the legislation
    • are critical for national security purposes
    • where there would be significant national security implications if that link was known publicly.
  • For example, an electricity asset, such as a generator, could be supplying electricity to an asset that is essential for a national security purpose, but that asset’s connection to a national security purpose is not known publicly.
  • In these circumstances, it is important that the legislation applies to the asset so that the interest and control information and operational information is captured on the Register and the directions and information-gathering powers are able to be used.
  • However, the private declaration process will ensure there is no public visibility of the link between the critical infrastructure asset and national security.

What are the obligations for a ‘declared asset’?

  • Where an asset has been declared, it is subject to the Security of Critical Infrastructure Act 2018 in the same way as all other assets captured by the legislation.
  • The Act requires the Minister for Home Affairs to notify each reporting entity for the declared asset in writing, ensuring they are aware of their obligations.

What steps have been taken to ensure the use of the declarations power is transparent and that there is a sufficient level of accountability?

  • There are a range of provisions in the Security of Critical Infrastructure Act 2018 which ensure this provision is used only where necessary with appropriate oversight and accountability.
  • The Act provides clear and transparent criteria for when the Minister for Home Affairs may consider declaring an asset as a critical infrastructure asset.
  • The declarations power is limited to those assets in the sectors covered by the legislation but which do not meet the thresholds and where there would be risks to national security if it were publicly known that the asset is connected with national security.
  • When declaring an asset, the Minister for Home Affairs must also take steps to notify the appropriate stakeholders of the declared asset.
  • This includes informing the entity with ultimate responsibility for the asset and specifying their obligations under the Act.
  • The Minister for Home Affairs must also notify the Premier or Chief Minister of the jurisdiction in which the declared critical infrastructure asset is located.
  • This ensures the state or territory government has visibility of declared critical infrastructure assets in their jurisdiction.
  • The annual report to Parliament affords greater oversight by providing the number of assets declared by the Minister.
  • This allows Parliament to determine if the power is being used appropriately by ensuring the number of assets declared as critical infrastructure remains at an appropriate level.

Protection of Information

How is information obtained under the legislation protected?

  • The Security of Critical Infrastructure Act 2018 makes it an offence to disclose any information obtained under the Act, including information provided on the Register, or information obtained using the information gathering powers.
  • This recognises the likely sensitive or commercial-in-confidence nature of information obtained under the Act.

Who can information be shared with?

  • The Department of Home Affairs’ Secretary has the discretion to disclose information to particular Commonwealth and state ministers and officials for certain specified purposes, including national security, foreign investment, taxation, industry, promoting investment, defence and sector responsibilities.
  • This is important as the information obtained may be relevant for broader purposes.
  • Any information shared under the legislation can only be used for the purpose for which it was shared.
  • In accordance with recommendation six in the Parliamentary Joint Committee on Intelligence and Security’s Advisory report, further clarity is provided in the explanatory memorandum to ensure that the Secretary will consider whether any disclosure of protected information is consistent with the objects of the Security of Critical Infrastructure Act 2018 and proportionate to the sensitivity of the information disclosed.