Understanding changes to The Security of Critical Infrastructure Act 2018 (SoCI)

Keeping critical infrastructure safe – what do changes to the law mean for you?

Transport. Energy. Communications. Defence. These are just some of Australia’s most important industries. So keeping them safe is key to protecting our country. The good news is that recent changes to The Security of Critical Infrastructure Act 2018 (SoCI) provide a clear way to do precisely that.

Find out what you can do to stay compliant and protect your infrastructure.

SoCI, in simple terms

SoCI is a framework for regulating and managing the risks relating to critical infrastructure assets in Australia. Established in 2018, SoCI was designed to protect critical infrastructure – physical facilities, communication networks and supply chains – from the impacts of cyber attacks. These impacts include the destruction, degradation or temporary disabling of critical infrastructure.

Recent changes to the Act have broadened its scope to help protect critical infrastructure from physical security hazards, poor personnel management and support, and supply chain disruptions. 

As legacy industries like resources and energy increasingly digitise, cyber threats continue to increase in number and scale. The Australian Signals Directorate (ASD) released its Annual Cyber Threat Report in 2021, revealing how cyber threats have escalated in severity and frequency to a rate of one attack every 8 minutes. It’s also been flagged that a quarter of cyber incidents from 2020-21 targeted Australia’s critical infrastructure or essential services.

SoCI has been strengthened with new amendments introduced in February 2023, with an emphasis on mandatory reporting. Those entities responsible for critical infrastructure must report cyber incidents affecting their assets to the Australian Cyber Security Centre (ACSC).

The security changes you need to be across

If you’re responsible for Critical Infrastructure Assets (CIA), you must implement a Critical Infrastructure Risk Management Program (CIRMP). In short, this is a written document that outlines all your potential risks, and it needs to be annually reviewed, reported on and finally signed off by your board.

Note: There is a 6-month grace period before your first CIRMP is required. You have until 17 August 2023 to meet your requirements.

Core to the announced changes is that SoCI has been expanded to reach 11 sectors, revealing the large range of assets that are increasingly vulnerable to attack as technology advances. Previously, only four sectors fell under the Act (these being electricity, gas, water and ports).

Now, the following are critical infrastructure sectors:

  • Communications
  • Financial services and markets
  • Data storage and processing
  • Defence industry
  • Higher education and research
  • Energy
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

Your key responsibilities to protect your assets

If you operate within one of these 11 sectors, then you must complete a CIRMP. It details your processes or systems and needs to:

  • Identify any hazard that may impact the availability, reliability, integrity, or confidentiality of your critical infrastructure.
  • Minimise the risk and fallout of ongoing damage.

Your CIRMP should be holistic in nature, accounting for four main areas:

  • Cyber and information security hazards
  • Personnel hazards
  • Supply chain hazards
  • Physical security hazards and natural hazards

The bottom line? It’s about applying big-picture thinking.

Changes to the Act are intended to better protect Australian infrastructure from challenges like supply chain disruptions, insider threats, dangerous or disruptive physical security hazards and, of course, growing risks to infrastructure from cyber attacks.

Keeping track of your requirements

You need to tick the following three boxes to meet your positive security obligations:

  1. Your CIRMP must be signed off by your board, council or other governing body (if you have one) and must be regularly reviewed and updated.
  2. You must submit an annual report in approved form within 90 days after the end of the Australian financial year.
  3. Your first annual report is due within 90 days after 30 June 2024 (end of 2023-24 financial year).

Important point: 

Mandatory reporting makes up part of your CIRMP requirements. You also need to be prepared for mandatory information sharing with Government agencies.

If you fail to meet these obligations, you could be penalised by the Department of Home Affairs.

The penalties you face for failing to comply with SoCI

Following the new SoCI rules is important. Doing so will ensure we can keep our systems, data and country safe. Notably, there are penalties in place for anyone who doesn’t comply. For instance, each non-conformance attracts 200 penalty units. As a guide, this equates to a fine of $222,000 for the corporation, with differing penalties depending on the entity type. You can avoid this by being diligent and staying on top of your critical infrastructure responsibilities.

How to get started

If you want to protect your operation from one of the four key hazard areas identified by CIRMP – physical and natural security hazards – then Wilson Security can help. 

Our Risk & Resilience team can:

  • Educate you and your teams on the SoCI reforms and how the changes might impact your operations.
  • Help you develop the required processes and systems to reduce physical security hazards and natural hazards to a level that is As Low As Reasonably Practicable (ALARP).
  • Deliver a Physical Security Risk Review report outlining all potential vulnerabilities to physical assets and clear recommendations to plug these gaps.
  • Produce other documents, such as a Physical Security Policy, to help you address critical elements such as security systems, access control, key control and visitor/contractor management.

Through the above steps, we can help you meet compliance requirements under the new Positive Security Obligations.

With Wilson Security’s support, you can tighten your critical infrastructure security, protect yourself from disruptions and attacks, and ensure growth for your business in the future.

Find out more about our capabilities by getting in touch with Wilson Security.

Written by Jaime Kendler-Arnold