Strengthening the resilience of critical infrastructure is a shared responsibility. Rob Turk looks at how this is done from an Australian perspective.
In Australia, this responsibility is shared between the owners and operators of critical infrastructure assets (mainly private companies), and all three levels of government (federal, state, and, in some cases, local).
The critical infrastructure regulatory environment has recently changed due to a new piece of federal legislation that came into force on 11 July 2018, the Security of Critical Infrastructure Act (2018) (the Act). It focuses on improving the government’s capacity to manage national security risks to critical infrastructure (defined as espionage, sabotage and coercion) and has three key elements:
- National critical infrastructure register – this will include information on ownership and control for assets.
- Information gathering power – this allows the federal government to obtain detailed information about assets.
- Ministerial directions power – this allows the federal government to direct the owner and/or operator to do, or not do, certain things to mitigate risks.
The aim of the Act is to improve government visibility of critical infrastructure assets and ultimately reduce their exposure to national security risks. The Critical Infrastructure Centre, established in 2017 by the Australian Department of Home Affairs, co-ordinates the register and undertakes risk assessments.
This approach is narrower in focus than the all-hazards approach usually taken to manage risks to critical infrastructure. Rather than focus on a specific threat, the all-hazards approach focuses on the consequences of asset (and broader system) failure, and how to mitigate them. The all-hazards approach is aligned with one of the principles for best practice regulation of the Council of Australian Governments (COAG), the representative body of the Australian federal and state government leaders: “government action should be effective and proportional to the issue being addressed”. Considering all hazards concurrently allows the most effective actions to be taken, rather than those that focus on mitigating the risks arising from one specific threat.
National security risk is a familiar concept for most, front of mind due to the recent UK/US joint statement regarding Russia and/or the latest action blockbuster (i.e. Bane taking over Gotham City via the sewer network in Batman). As a tangible and seemingly imminent risk, it unsurprisingly attracts more effort to manage. It is, however, one of many potential shock or stress events that may threaten the critical infrastructure system and, subsequently, human life and welfare.
In the Resilience Shift’s recent report Critical Infrastructure Resilience: Understanding the Landscape, the most critical risks identified were: ageing infrastructure, flooding, poor planning and governance, and climate change. Terrorism and malicious attacks were considered less important. This finding aligns with The Global Risk Report 2018 (World Economic Forum, 2018), which highlights that natural risks are far more likely to occur and have a greater impact than others.
The narrow focus of the Act does not accord with the COAG principles. Legislating to mandate an all-hazards approach to critical infrastructure resilience would ensure action is not disproportionately focused on one potential threat and duly recognises both human induced and natural hazards.
Patchwork regulatory environment
While the limited focus of the Act on national security is not the most effective way to strengthen resilience of critical infrastructure, it is aligned with jurisdictional responsibilities as defined in the Australian Constitution. In Australia, state governments are responsible for most critical infrastructure sectors (transport, water, food, electricity, gas and ports), while the federal government is responsible for national security, aviation and banking. At the state government level, however, there is significant variance in the use of regulation to address threats to the critical infrastructure system.
Victoria is the only state that has legislation related to critical infrastructure resilience. It ranks the state’s critical infrastructure assets into three categories – vital, major and normal. Vital critical infrastructure must follow the annual ‘resilience improvement cycle’, a risk management process that must be revised if requested by the Minister. The other states play a collaboration and support role in building critical infrastructure resilience, with NSW being committed to a ‘non-regulatory’ approach.
There is no question that critical infrastructure owners and operators are best placed to manage risks to their individual assets and operations. However, resilience of the whole critical infrastructure system would be most improved with a coherent and comprehensive regulatory environment, where state and federal legislation is complementary, efficient and effective.
The Act raises many questions around the role of legislation, and the government more broadly, in strengthening critical infrastructure resilience:
- Will the Act provide a pathway for a broader, all-hazards approach to managing critical infrastructure?
- Does the Act set a precedent for legislative approaches in this space?
- What is the perspective of owners and operators about the new requirements, particularly private operators?
- What are the next steps to build upon the momentum created by the Act?
- How can complementary state and federal legislation be developed?
- How ‘safe’ is the data gathered on critical infrastructure given recent high profile data management challenges faced by the federal government?
- Should government’s role in critical infrastructure be centrally managed (say by the Critical Infrastructure Centre) or de-centralised?
As a Resilience Shift blog reader, what’s your take on the Act? Will it affect your work? We’d love to hear from you (please comment below or email us).
Thanks to Amy Cox, Consultant, Arup, for her input to this blog.