SOCI 101: Understanding the Security of Critical Infrastructure Act

Learn how Commvault can help support compliance with Australian legislation.

The Security of Critical Infrastructure Act (SOCI), introduced in 2018, is an Australian legislative framework designed to enhance the security and resilience of critical infrastructure. Its main goal is to protect important infrastructure assets from both physical and cyber threats. The act aims to safeguard 11 key sectors that are essential to the nation’s security, public safety, and economic well-being, and to ensure that organisations within these sectors maintain strong risk management programs.

Defining Critical Infrastructure

Critical infrastructure, as defined by SOCI, includes assets, systems, and networks that are essential for the functioning of the nation and the well-being of its people. These assets are considered critical because their disruption or destruction could have severe impacts on public safety, economic activity, and national security. The 11 sectors regulated by SOCI are:

  • Energy
  • Water and sewerage
  • Telecommunications
  • Banking and finance
  • Food and grocery
  • Transport
  • Healthcare and medical
  • Data storage and processing
  • Defence industry
  • Space industry
  • Civil aviation

SOCI Compliance and Rules

The key compliance obligations under SOCI can be summarised as the Positive Security Obligations. Organisations must take proactive steps to protect their critical infrastructure from risks; for most, this means:

  • Registration of Critical Infrastructure Assets: Identifying and registering their critical infrastructure assets with the Cyber and Critical Infrastructure Centre.
  • Critical Infrastructure Risk Management Program (CIRMP): Establishing, maintaining, and reporting annually on their program to manage “hazards,” including cyberattacks.
  • Mandatory Cyber Incident Reporting: Reporting cyber incidents to the Australian Cyber Security Centre.

Organisations deemed by the government as Systems of National Significance may also be required to comply with Enhanced Cyber Security Obligations, which may include:

  • Developing and maintaining a comprehensive cyber security incident response plan.
  • Conducting cyber security exercises to test and validate incident response processes and capabilities.
  • Performing vulnerability assessments to identify weaknesses or gaps.
  • Providing relevant system information to the government.

How Commvault Supports SOCI Compliance

Commvault supports organisations in achieving and maintaining SOCI compliance by providing a comprehensive cyber resilience strategy. Commvault can also help you:

  • Understand your data assets and reduce risk by automating your risk monitoring.
  • Detect threats and anomalies to your environment with real-time anomaly and threat detection.
  • Implement and test your CIRMP in a secure, isolated environment for continuous business operations.

SOCI plays a crucial role in safeguarding Australia’s essential assets and systems. By defining critical infrastructure and setting out clear compliance rules, the act helps organisations in key sectors prepare to manage and mitigate security risks.

Commvault’s comprehensive cyber resilience solutions provide the tools and support to help you meet these requirements and build your CIRMP. Strengthen your cyber resilience with best practices and tools – such as air-gapped copies of critical data, the ability to automatically spin up a cleanroom to test recovery plans, identify clean recovery points, and recover to a clean environment – so that you can return to business faster following an attack, outage, or disruption, and maintain continuous operations.

Learn more about partnering with Commvault on SOCI compliance: https://www.commvault.com/gc/soci-cyber-resilience
