(1) Each of the following is a relevant impact of a hazard on a critical infrastructure asset:
(a) the impact (whether direct or indirect) of the hazard on the availability of the asset;
(b) the impact (whether direct or indirect) of the hazard on the integrity of the asset;
(c) the impact (whether direct or indirect) of the hazard on the reliability of the asset;
(d) the impact (whether direct or indirect) of the hazard on the confidentiality of:
(i) information about the asset; or
(ii) if information is stored in the asset--the information; or
(iii) if the asset is computer data--the computer data.
(2) Each of the following is a relevant impact of an incident (including a cyber security incident) on a critical infrastructure asset:
(a) the impact (whether direct or indirect) of the incident on the availability of the asset;
(b) the impact (whether direct or indirect) of the incident on the integrity of the asset;
(c) the impact (whether direct or indirect) of the incident on the reliability of the asset;
(d) the impact (whether direct or indirect) of the incident on the confidentiality of:
(i) information about the asset; or
(ii) if information is stored in the asset--the information; or
(iii) if the asset is computer data--the computer data.
(3) Each of the following is a relevant impact of an incident (including a cyber security incident) on a system of national significance:
(a) the impact (whether direct or indirect) of the incident on the availability of the system;
(b) the impact (whether direct or indirect) of the incident on the integrity of the system;
(c) the impact (whether direct or indirect) of the incident on the reliability of the system;
(d) the impact (whether direct or indirect) of the incident on the confidentiality of:
(i) information about the system; or
(ii) if information is stored in the system--the information; or
(iii) if the system is computer data--the computer data.