The implementation of Australia’s critical infrastructure legislation, which makes reporting of information security events mandatory for several industry sectors, has been released by Home Affairs Minister Karen Andrews.
Multiple industry assets are classified as critical under the Security of Critical Infrastructure 2018 Act.
Telcos and internet service providers are among them, as are fuel companies, data storage and processing firms, freight forwarders, banking, insurance, and finance firms, as well as food and grocery assets.
Domain name systems are deemed crucial for addressing consumer queries of links to internet protocol addresses.
The law exempts four sugar mills in Queensland by name.
The ACSC states that critical cyber security incidents that have a significant impact on the availability of assets covered by the act be reported within 12 hours of discovery by the operators.
According to the government, verbal reports to the ACSC must be accompanied by written notifications within 84 hours.
Significant impact is defined as an infrastructure incident has materially disrupted the availability of essential goods and services.
Other incidents affecting industrial assets must be reported to the ACSC within 72 hours.