AGL Energy has asked the government to bear at least part of the cost of any “last resort” intervention or directive from the Australian Signals Directorate (ASD) if it were subjected to a serious cyber attack.
The utility made the comments in response to legislation before parliament that, if passed, will enable Australia’s cyber spooks to insert themselves into incident response when “critical infrastructure” is attacked.
AGL, which is already subject to existing cyber security rules for critical infrastructure, is worried the ASD could order costly cyber security enhancements and then leave.
It noted that the costs would ultimately be borne by energy consumers.
“AGL queries the difference in liabilities and immunities in the event of a cyber event or attack; specifically, the absence of any liability for the authorised agency (Australian Signals Directorate or its officers), for unintended negative consequences arising from a government assistance, and the lack of redress or cost recovery for the impacted entity,” AGL’s general manager for energy market regulation Elizabeth Molyneux said in a submission [pdf] published late Friday.
“If an affected entity is directed by the government to undertaken certain actions, there should be a cost recovery mechanism in the legislation to allow the affected entity to recover costs for responding to those directions, especially as the directions are aimed at protecting the broader Australian community while the costs of the directions will be borne directly by the impacted entity and its customers.”
In addition, AGL said it was worried that ASD personnel suddenly deployed by the government may not meet site safety standards.
“In the event that authorised personnel are required to attend an AGL site to perform actions ... then it would be prudent to ensure that the authorised agency comply with the occupational health and safety requirements of that site,” the utility said.
“The owner or operator of that site has a responsibility for all those who enter the site, and the personnel of the authorised agency under the Act would come under that responsibility and it would be prudent for the personnel to follow the guidelines of the owner/operator to ensure no harm is caused while on site.”
Update, 16/2: AGL Energy provided additional information to iTnews after publication of this story, stating that it is advocating for "a 'cost recovery mechanism' that appropriately apportions cost between industry and government for “last resort interventions”, rather than for the government to bear the full costs.
The story has been updated to reflect this position.
