The Australian Security of Critical Infrastructure Act 2018 (SOCI) is the cornerstone of the government’s strategy to manage risks to critical infrastructure. Its objectives are to confirm operators of essential infrastructure assets take appropriate security measures and to give government the information and powers to respond to threats.
Originally targeting just four sectors (electricity, gas, water, and ports), SOCI has since been expanded to cover 11 sectors across the economy. The act aims to keep critical infrastructure assets and services across these 11 sectors protected and resilient against disruptions to Australia’s security, economy, and society.
To achieve this, the Act imposes obligations on critical-asset owners in the form of Positive Security Obligations (PSOs), Enhanced Cyber Security Obligations (ECSOs), and Government Assistance Measures.
For example, responsible entities must register asset details and may be required to report cyber incidents to the Australian Cyber Security Centre (ACSC) and maintain a formal risk management program known as a Critical Infrastructure Risk Management Program (CIRMP). Assets deemed Systems of National Significance could face even stricter requirements, including, for example, mandatory incident response plans, cyber exercises, and vulnerability assessments. SOCI essentially codifies what was once considered industry best practice into enforceable law.
Two camps of impact: Legacy Sectors vs. Newer Entrants
The originally regulated sectors likely view SOCI as an extension of existing frameworks. For decades, energy and utilities have operated under rigorous reliability and security standards (such as NEM codes or water safety laws), so the formalisation of these practices within SOCI may feel like a continuation of existing governance.
By contrast, organisations in the more recently added sectors, such as communications, data storage and processing, healthcare, higher education and transport, are navigating new regulatory territory. These industries often lack the legacy of infrastructure regulation, meaning SOCI compliance requires building many processes from the ground up. This includes establishing asset registers, drafting CIRMPs, implementing controls, and training teams in incident reporting procedures.
For example, a university or hospital network may now find itself classified as an operator of critical infrastructure, requiring it to identify covered assets, assess dependencies, and implement a compliant CIRMP.
This often involves building formal security governance from the ground up – aligning to frameworks such as the ASD Essential Eight, ISO 27001, or the NIST Cybersecurity Framework – and establishing mechanisms for timely incident detection, response, and reporting to the ACSC.
By contrast, operators in traditionally regulated sectors may already have mature risk programs in place and can adapt existing controls to meet SOCI’s requirements. Regardless of sector, all organisations must now integrate cyber risk management into core business processes, not treat it as a parallel or isolated activity.
OT and the IT Convergence Challenge
A significant challenge presented by SOCI lies in securing Operational Technology (OT) environments: the industrial control systems that underpin many critical assets. OT brings its own set of risks.
Many devices were never designed with cybersecurity in mind. They often run outdated operating systems or firmware that cannot be easily patched and use proprietary or legacy protocols, such as Modbus, DNP3 or Profibus, that lack basic authentication and encryption.
Concurrently, the convergence of IT and OT networks has expanded the attack surface. Previously isolated environments are now increasingly connected to enterprise IT systems and the internet to enable remote monitoring, analytics, and automation. This creates new pathways for attackers to move laterally between environments and introduces the risk of operational disruption from cyberattacks.
Industrial operators must strike a balance between system availability and cyber protection. Taking systems offline for updates or segmentation may interfere with operations, but leaving them exposed increases risk.
SOCI encourages organisations to adopt OT-specific strategies. These may include strict network segmentation, least-privilege access, out-of-band monitoring, and fail-safe designs to secure these environments.
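The paragraph above notes that protocols such as Modbus carry no authentication, so any host that can reach a controller can issue write commands. An out-of-band monitor that parses Modbus/TCP frames off a network tap and flags state-changing function codes from hosts outside an allowlist is one compensating control. The following is an added example, not code from the article; the allowlisted engineering-workstation address and the captured frames are constructed for illustration.

```python
import struct
from typing import List, NamedTuple, Optional

# Modbus function codes that change controller state (from the public Modbus spec)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumed engineering workstation permitted to write to PLCs (hypothetical address)
WRITE_ALLOWLIST = {"10.10.5.20"}

class ModbusFrame(NamedTuple):
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match payload size")
    return ModbusFrame(tid, unit, payload[7], payload[8:])

def assess(src_ip: str, payload: bytes) -> Optional[str]:
    """Return an alert for a write from a non-allowlisted host, else None."""
    frame = parse_modbus_tcp(payload)
    if frame.function_code in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        return (f"ALERT: {src_ip} sent {WRITE_FUNCTIONS[frame.function_code]} "
                f"(fc={frame.function_code}) to unit {frame.unit_id}")
    return None

# Constructed sample traffic: (source IP, raw Modbus/TCP payload)
SAMPLE_TRAFFIC = [
    # Read Holding Registers (fc 3): a historian polling, benign
    ("10.10.7.40", bytes.fromhex("000100000006" "0103" "0000000a")),
    # Write Single Register (fc 6) from the allowlisted workstation: permitted
    ("10.10.5.20", bytes.fromhex("000200000006" "0106" "001000ff")),
    # Write Single Coil (fc 5) from a corporate-LAN host: should alert
    ("10.20.1.99", bytes.fromhex("000300000006" "0105" "0001ff00")),
]

def scan(traffic=SAMPLE_TRAFFIC) -> List[str]:
    """Run every captured frame through assess() and collect the alerts."""
    return [a for src, pl in traffic if (a := assess(src, pl))]

if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Read-only polling passes silently; only the write from the non-allowlisted host produces an alert, which is the event worth forwarding to the SOC.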
Data Service Providers and Notification Duties
One of the lesser-discussed but critically important elements of SOCI is the responsibility to notify data service providers. If a third party stores or processes business-critical data related to your regulated asset, you are obligated to inform them that SOCI applies. This ensures that your service providers understand their role in protecting critical data and are prepared to support you during an incident or audit.
In addition, incident notification is a central requirement of SOCI. A cyber security incident that has a significant or relevant impact on your essential services must be reported to the ACSC within strict timeframes. If the impact is significant, notification must occur within 12 hours. For relevant but lower-severity incidents, notification is required within 72 hours.
This is not a best-effort or voluntary activity. It is a legal obligation. Timely reporting gives ACSC visibility into threats to national systems, allowing it to coordinate timely and effective responses. It also reinforces the principle that critical infrastructure protection is a shared responsibility between industry and government.
Beyond Prevention: The True Meaning of Resilience
Many organisations still interpret resilience as the ability to block or prevent threats. But true resilience goes beyond prevention. It is the ability to absorb shocks, recover quickly and continue operating, even under adverse conditions. SOCI pushes organisations to embrace this broader definition.
Resilience means having tested recovery plans, reliable offline backups, redundant systems, and a playbook for returning to service during or after an incident. It also means continuous improvement, learning from each event, adapting defences, and closing gaps before the next attack.
This is especially important given recent trends. Reports from the Australian Signals Directorate (ASD) and other government bodies show that cyber incidents impacting sectors like water, energy, and transport are increasing.
Even relatively minor events can cause ripple effects across interdependent systems, affecting supply chains, public safety, and essential services. These trends highlight the urgency of a recovery-focused approach.
CISOs must lead the charge in making cyber resilience more than a checkbox. That means treating resilience as a dynamic, end-to-end capability that involves people, processes, and technology working in concert.
A Regulatory Shift with Strategic Upside
SOCI represents a significant shift in Australia’s approach to cyber regulation. It moves beyond fragmented, voluntary approaches and creates a cohesive national framework for protecting critical infrastructure. While it has certainly introduced new complexity, reporting burdens, and compliance costs, it also provides an opportunity for organisations to elevate their security maturity and embed resilience at the core of their operations.
Rather than viewing SOCI as merely a compliance task, forward-thinking CISOs can treat it as a strategic catalyst. It provides board-level backing for investment, formalises risk practices, and improves alignment between business and security. The inclusion of government assistance measures and threat-sharing mechanisms further positions SOCI as a collaborative tool, not just a mandate.
As threats evolve and digital infrastructure becomes more embedded in national life, resilience must be the priority. SOCI sets the stage. Now it’s up to us to act.
Read more about what your obligations are in A Guide to the SOCI Act.