The Security of Critical Infrastructure Act 2018, significantly amended in 2021 and 2022, establishes a comprehensive regime for protecting Australia's critical infrastructure from security threats. The Act covers eleven critical infrastructure sectors and imposes escalating obligations based on asset classification. For organisations operating in these sectors, understanding SOCI obligations is essential - non-compliance can result in civil penalties, and the Act provides government with unprecedented intervention powers when critical assets face serious threats. This article explains which organisations are covered by SOCI, what obligations apply, and how organisations should approach compliance.
Which Organisations Are Covered
The SOCI Act covers eleven critical infrastructure sectors: communications, data storage and processing, defence, energy, financial services and markets, food and grocery, health and medical, higher education and research, space technology, transport, and water and sewerage. Within these sectors, specific asset types are designated as critical infrastructure assets based on detailed definitions in the Act and associated rules.

Responsible entities - organisations that own, operate, or have operational control over critical infrastructure assets - have obligations under the Act. The responsible entity is not always obvious, particularly for complex ownership structures or outsourced operations. Organisations should determine definitively whether they are responsible entities and for which assets.

Beyond responsible entities, the Act creates obligations for some entities in the supply chain of critical infrastructure and for operators of Systems of National Significance (SoNS) - a subset of critical infrastructure assets with additional requirements due to their particular importance to Australia.
Positive Security Obligations
All responsible entities for critical infrastructure assets have positive security obligations (PSOs) that require them to adopt and maintain a critical infrastructure risk management program (CIRMP). The CIRMP must address four hazard vectors: cyber and information security, personnel security, supply chain security, and physical security.

The CIRMP requirements are principles-based rather than prescriptive. The program must identify material risks to the asset arising from each hazard vector, minimise or eliminate those risks so far as reasonably practicable, and mitigate the impact of realised risks. Annual reporting to the relevant regulator is required, including board or equivalent approval of the report.

For cyber and information security specifically, the CIRMP must adopt one or more recognised frameworks such as AESCSF, the ACSC Essential Eight, ISO 27001, or NIST CSF. The framework choice should be appropriate to the asset and organisation. Energy sector organisations typically align with AESCSF; other sectors may find Essential Eight or ISO 27001 more suitable.
Systems of National Significance
Systems of National Significance (SoNS) are critical infrastructure assets identified by the Minister as being of such importance that disruption could have cascading consequences across sectors or significant impacts on national security or the economy. SoNS declaration triggers enhanced obligations beyond standard PSO requirements. SoNS-specific obligations include requirements to provide information to the ACSC about cyber security, undertake specified vulnerability assessments, report system information that could assist with identifying threats, and develop and maintain cyber security incident response plans.

The Act also provides government with intervention powers for SoNS-related incidents. When a significant cyber security incident is occurring or imminent, the government can direct the entity to take specified actions, or in extreme circumstances, authorise agencies to take actions directly on the entity's systems. These powers are intended as a last resort, but their existence creates additional incentive for SoNS operators to maintain a strong cyber security posture.
Incident Reporting Requirements
The SOCI Act imposes mandatory incident reporting requirements for cyber security incidents affecting critical infrastructure assets. Reportable incidents must be notified to the ACSC within specified timeframes: critical incidents within 12 hours, and other reportable incidents within 72 hours. A cyber security incident is reportable if it has had, or could reasonably be expected to have, a relevant impact on the critical infrastructure asset's availability, integrity, reliability, or confidentiality. The definition is intentionally broad - when in doubt, report. The ACSC provides secure channels for incident reporting, and early engagement is encouraged even when incident details are incomplete.

Establishing clear internal procedures for incident classification and reporting is essential for SOCI compliance. Organisations should not wait until an incident occurs to determine who is authorised to report, what channels to use, or how to classify incidents. These procedures should be documented, tested, and understood by relevant personnel before they are needed.
Relationship to AESCSF and Other Frameworks
For energy sector organisations, the AESCSF provides a natural framework for SOCI compliance. AEMO and the ACSC have positioned AESCSF as the recommended approach for addressing cyber and information security hazards under CIRMP requirements. Organisations implementing AESCSF comprehensively will satisfy the cyber security elements of their SOCI obligations.

However, SOCI requirements extend beyond cyber security. Personnel security, supply chain security, and physical security hazards also require risk management programs. Organisations should not assume that cyber security frameworks alone satisfy CIRMP requirements - a comprehensive program must address all four hazard vectors.

The interaction between SOCI, AESCSF, and other frameworks like the Essential Eight creates complexity but also opportunity for efficiency. A well-designed security program can satisfy multiple framework requirements through unified controls and governance, rather than treating each framework as a separate compliance exercise.
Conclusion
The SOCI Act creates significant obligations for critical infrastructure operators, with requirements escalating based on asset classification. Responsible entities must implement risk management programs addressing cyber, personnel, supply chain, and physical security hazards. Systems of National Significance face additional requirements and potential government intervention powers. Incident reporting obligations require preparation before incidents occur. Organisations in covered sectors should assess their SOCI obligations, implement compliant risk management programs, and prepare incident response and reporting procedures. The penalties for non-compliance and the potential for government intervention make SOCI compliance a board-level priority for affected organisations.