Australia's Security of Critical Infrastructure Act 2018, as significantly expanded in 2021 and 2022, represents the most substantial legislative intervention in Australian critical infrastructure risk management in a generation. The obligations it creates — particularly the requirement for a Critical Infrastructure Risk Management Program — are not optional, not aspirational, and not well understood by many of the organisations they apply to.
What SOCI Covers and Who It Applies To
The SOCI Act applies to critical infrastructure assets across eleven sectors: communications, financial services and markets, data storage and processing, defence industry, energy, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage. The definition of "responsible entity" — the party that bears the obligations — is specific and requires careful analysis. It is not always the owner of the asset. It may be the operator, the lessee, or another party with effective control.
Organisations that assumed they were not covered by SOCI because they were not a utility or a bank need to revisit that assumption. The 2021 amendments extended the regime substantially. Many organisations in logistics, data hosting, food manufacturing, and professional services now have obligations they did not have three years ago.
The CIRMP Obligation
The Critical Infrastructure Risk Management Program requirement is the centrepiece of the SOCI obligations for most affected entities. The CIRMP must address four hazard categories: physical and natural hazards, cyber and information security hazards, supply chain hazards, and personnel hazards. It must be in place within specified timeframes, reviewed and updated regularly, and — critically — attested to by the board or governing body.
That board attestation is significant. It places personal accountability on directors. A board that attests to a CIRMP it has not reviewed, or that has been developed at an operational level without board engagement, is in a problematic position. The attestation is not a formality. It is a governance instrument with real consequences.
What a CIRMP Actually Requires
The CIRMP rules are prescriptive on structure but require genuine analytical content. A document that describes good intentions and references existing policies is not a CIRMP. A CIRMP requires identification of the critical assets and critical components of the organisation's infrastructure, an assessment of the material risks to those assets across the four hazard categories, documentation of the controls in place or to be implemented, and a process for ongoing monitoring and review.
Physical and natural hazards include threats to the physical integrity of the asset — natural disaster, sabotage, physical attack, and accidental damage. The assessment must consider the specific vulnerabilities of the asset, not just generic hazard categories. An energy asset in a flood-prone area has different physical risks than one in an arid region. A transport asset with high public visibility has different sabotage risk than one in a restricted area.
Cyber and information security hazards require the CIRMP to address the digital attack surface of the asset — including operational technology, industrial control systems, and the interfaces between IT and OT environments. For many critical infrastructure operators, this is the hazard category that is least well understood. Legacy OT environments with limited patching capability and extensive connectivity to corporate IT networks present a risk profile that is significantly more complex than a standard IT security assessment captures.
Supply chain hazards require consideration of the third parties, vendors, and service providers whose compromise or failure could affect the critical infrastructure asset. This is not just about cyber supply chain — it includes physical suppliers, specialist service providers, and logistics dependencies. The 2021 SolarWinds supply chain attack and numerous subsequent incidents have demonstrated that supply chain is a primary attack vector for sophisticated threat actors. CIRMPs that treat supply chain as a secondary consideration are not addressing the current threat environment.
Personnel hazards include insider threat — whether malicious or inadvertent — and the workforce risks that affect the organisation's ability to operate the asset. Background screening, access control, and the management of third-party access to sensitive systems are core components of the personnel hazard response.
Common Compliance Gaps
In reviewing CIRMP frameworks for critical infrastructure operators, the most common gaps are: failure to identify all critical components and their interdependencies; treatment of cyber risk at an IT level without adequate engagement with OT and ICS environments; supply chain risk assessments that cover Tier 1 suppliers but do not follow the chain through to Tier 2 and Tier 3; and board attestation processes that are not supported by genuine board engagement with the CIRMP content.
There is also a significant gap between the CIRMP as a document and the CIRMP as an operational reality. The document may be complete. The organisation may not have tested the controls, exercised the incident response procedures, or verified that the third parties in the supply chain have adequate security postures. Compliance with the documentation requirement is not the same as operational resilience.
The Enforcement Environment
The Australian Signals Directorate has powers under the SOCI Act that include the ability to give directions to responsible entities and, in some circumstances, to step in and manage critical infrastructure assets in response to a significant cyber attack. The Act creates a mandatory reporting obligation for significant cyber incidents. The Home Affairs portfolio actively monitors compliance.
Organisations that treat SOCI compliance as a document exercise rather than an operational programme are underestimating the regulatory environment. The direction of travel is toward increased scrutiny, not less.
Tony Ridley provides SOCI Act and CIRMP advisory services for critical infrastructure operators. Contact us to discuss your compliance programme.