skip to Main Content
The Federal Critical Infrastructure Bill: The Bottom Line

The Federal Critical Infrastructure Bill: The Bottom Line

Why should I care?

  • The Federal Government is changing the MTOFSA, which regulates maritime security.
  • It’s part of wider action to protect Australia’s Critical Infrastructure.
  • You may be required to change your Maritime Security Plans if you are deemed to be a critical participant at the end of the process.
  • It could also increase your reporting requirements.

What’s changing?

The Transport Security Amendment (Critical Infrastructure) Bill 2022 (TSACI Bill) proposes to:

  • Expand the definition of ‘unlawful interference’.
  • Add safeguarding against ‘operational interference’ to capture ‘all hazards’ in a risk management framework beyond the existing risks covered under unlawful interference.
  • Establish mandatory reporting of cyber security incidents for all industry participants. This means any Port or Port Facility that has an MSP.
  • Establish powers to declare some industry participants as ‘critical’.
  • Introducing new – and amending existing – security risk assessments as part of Security Programs/Plans. As a Port/Port Facility, you already do this as part of your MSP. This part of the Bill mainly affects Aviation – so you can pretty much gloss over this section.

So what is ‘unlawful interference’?

Unlawful interference currently refers to any act – or attempt – to interfere with the physical safety of:

  • goods
  • people
  • infrastructure.
  • and now, the new Bill explicitly adds cyber security threats.

Once the Bill comes into operation, mandatory cyber incident reporting applies to all industry participants regulated under the MTOFSA (i.e. anyone with an MSP).

What is ‘operational interference’?

Operational interference covers any hazard or event that may impact the operations of a ‘critical’ business. These critical businesses must identify and mitigate against ‘all hazards’.

While the detail is yet to be finalised, it is likely to expand the range of risk events to be assessed during the risk assessment process for critical facilities.

Who is ‘critical’?

The Cyber and Infrastructure Security Centre (CISC) currently defines a ‘critical operation’ as one that:

  • handles large volumes of passengers
  • handles large volumes of cargo or any volume of ‘critical’ cargo
  • provides specialist services such as process sensitive financial, legal or market info.

Criteria for who will be deemed critical will be finalised in partnership with industry. These criteria will then become part of the Aviation and Maritime Security Regulations.

  • The CISC is considering the role of Port Facility Operators (PFOs) in addition to that of Port Operators. It is proposed that where a PFO is identified as critical, the Port Operator will also be declared critical. (This is important!)

CISC? Who is CISC?

The Cyber and Infrastructure Security Centre (CISC) is the new name for the Department of Home Affairs Aviation and Maritime Security Division (AMS), which was the rebadged Office of Transport Security (OTS).

What do I have to do?

Just stand by for now. But be ready to review your operations and plans. The bill is currently going through Parliament and the detailed regulatory requirements are being developed through a ‘regulatory co-design’ process.
If you have any questions or require assistance and advice email info@isafesms.com.au and Tony or Joe will be happy to help.