Critical Infrastructure Security Advisory

The SOCI Act is now in force.
Is your risk management programme ready?

The Security of Critical Infrastructure Act has fundamentally changed the obligations of Australian organisations operating critical infrastructure assets. Mandatory risk management programmes, 12-hour incident notification requirements and potential government step-in powers are now law. For operators of energy, water, transport, communications and data infrastructure — the question is no longer whether SOCI Act obligations apply, but whether your current programme meets them.

Key Obligations

SOCI Act: Risk management programme & registration
12-Hour Notification: Critical incident notification to ASD
Sector Security Plans: Sector-specific security planning
ASD Essential Eight: Where applicable to IT systems
OT Security Standards: IEC 62443, NIST SP 800-82
Privacy Act & NDB: Where personal data is held
The SOCI Act Reality

The definition of critical infrastructure
is broader than most operators realise

The Security of Critical Infrastructure Act 2018 has been significantly expanded since its original enactment. The 2021-22 amendments added eight new sectors to the original three — bringing data storage and processing, financial market infrastructure, defence industry, higher education and research, space technology and food and grocery distribution all within scope.

Many organisations that did not consider themselves critical infrastructure operators before 2022 are now subject to SOCI Act obligations — including mandatory asset registration, risk management programme requirements and incident notification obligations. The consequences of non-compliance include civil penalties, directed remediation and, in the most serious cases, government powers to intervene directly in an operator's systems.

The risk management programme requirements under the SOCI Act are not aspirational guidelines. They require operators to identify and manage risks to their critical infrastructure assets on a continuous basis — and to demonstrate that management to the Australian Cyber Security Centre on request.

  • Determine whether your assets qualify as critical infrastructure under the expanded SOCI Act definition
  • Register applicable assets on the Critical Infrastructure Asset Register
  • Design and implement a risk management programme that meets CIRMP Rules requirements
  • Establish a 12-hour incident notification capability that can function under incident conditions
  • Develop sector security plans aligned to your sector's specific obligations

The 11 Critical Infrastructure Sectors Under SOCI Act

  • Energy
  • Water & Sewerage
  • Transport
  • Communications
  • Financial Services & Markets
  • Health Care & Medical
  • Food & Grocery (new)
  • Data Storage & Processing (new)
  • Defence Industry (new)
  • Higher Education & Research (new)
  • Space Technology (new)

Government Step-In Powers

Under the SOCI Act, the Australian Government has powers to intervene directly in critical infrastructure systems where an operator is unwilling or unable to respond to a significant cyber attack. This is not theoretical — the powers have been exercised. Having a functioning risk management programme is the primary protection against government intervention.

OT / IT Convergence

Operational technology and IT security
require fundamentally different approaches

The convergence of operational technology (OT) and information technology (IT) networks is creating attack surfaces that traditional IT security frameworks were not designed to address — and OT security approaches that assume air-gap protection are no longer adequate. We bridge both disciplines.


Convergence Creates New Attack Paths

As OT systems connect to corporate IT networks for monitoring, management and data analysis, they inherit the vulnerabilities of IT environments — while retaining the operational constraints of OT. A ransomware attack that enters via corporate email can propagate to industrial control systems and cause physical process disruption.


OT Systems Cannot Be Patched Like IT Systems

Operational technology systems often run for 15–25 years. Patching requires vendor validation, scheduled maintenance windows and in some cases physical access to remote sites. Standard IT patch management timelines are incompatible with OT operational realities — requiring compensating controls designed specifically for the OT environment.


Security Incidents Have Physical Consequences

A security incident in an OT environment is not a data or financial problem first — it is an operational and potentially safety problem. Disruption to energy distribution, water treatment or transport management systems has immediate physical consequences for communities that no data breach can match.

Why standard IT security approaches don't translate to OT environments

Primary priority
  • IT: Confidentiality, then integrity, then availability
  • OT: Availability, then safety, then integrity

System lifecycle
  • IT: 3–5 years, with regular refresh cycles
  • OT: 15–25 years, vendor-dependent and costly to replace

Patching
  • IT: Monthly patch cycles; automated deployment feasible
  • OT: Requires vendor validation, maintenance windows and physical access

Availability requirement
  • IT: High, but planned downtime is acceptable for maintenance
  • OT: Continuous; unplanned downtime can have safety consequences

Network visibility
  • IT: Comprehensive; standard monitoring tools apply
  • OT: Limited; many OT protocols are not supported by standard tools

Incident consequence
  • IT: Data, financial and reputational impact
  • OT: Operational disruption, safety risk and community impact

Security testing
  • IT: Regular penetration testing and vulnerability scanning feasible
  • OT: Testing must be non-disruptive; active scanning can cause process failures

SOCI Act Obligations

What the SOCI Act requires
of critical infrastructure operators

The SOCI Act's obligations are structured around four core requirements. Each has specific implementation standards set out in the Critical Infrastructure Risk Management Programme Rules — and each will be subject to increasing ASD supervisory attention as the Act matures.

1. Asset Registration

Responsible entities for critical infrastructure assets must register those assets on the Register of Critical Infrastructure Assets maintained by the Australian Cyber Security Centre. Registration requires identification of the asset, its owners and operators, and the sector it belongs to. Failure to register is a civil penalty offence.

2. Critical Infrastructure Risk Management Programme

Responsible entities must adopt and maintain a CIRMP that identifies material risks to their critical infrastructure assets — across physical, personnel, cyber and supply chain risk categories — and sets out the steps taken to minimise or eliminate those risks. The CIRMP must be reviewed and updated at least annually, with a board-level attestation submitted to the ACSC.

3. Incident Notification — 12-Hour Obligation

Responsible entities must notify the Australian Cyber Security Centre within 12 hours of becoming aware of a cyber security incident that has had, or is having, a significant impact on the availability of a critical infrastructure asset. A 30-day notification obligation also applies for incidents with less significant impact. Both require a documented, tested notification process.

4. Government Assistance & Step-In Powers

The Act gives the Australian Government powers to issue directions to critical infrastructure entities and, in the most serious circumstances, to intervene directly in the operations of a critical infrastructure system. These powers are reserved for situations where an entity is unwilling or unable to respond to a significant cyber attack — but they are real, and maintaining a functioning CIRMP is the primary protection against their exercise.

5. Sector-Specific Security Planning

Each of the 11 SOCI Act sectors has sector-specific security requirements set out in sector security plans. These plans identify the assets, risks and mitigation requirements specific to each sector's operational context — and responsible entities must demonstrate alignment with their sector's security plan in their CIRMP.

The 12-Hour Notification — Are You Ready?

The 12-hour incident notification obligation is the most operationally challenging requirement under the SOCI Act. In a significant cyber incident, your security team is simultaneously managing containment, forensic investigation and stakeholder communications — while a clock is running toward a regulatory deadline.

Most organisations that have not specifically designed and tested their notification capability will not meet the 12-hour deadline under actual incident conditions. We design notification frameworks that work under incident pressure — not just on paper.

0–2 hrs: Incident detected. Incident response plan activated. Initial triage determines whether the SOCI Act threshold is likely to be met.

2–6 hrs: Containment actions underway. Impact assessment on critical asset availability being conducted. Notification decision framework activated.

6–10 hrs: Notification decision made. ACSC notification form being prepared. Legal and executive briefing underway.

12 hrs: Notification deadline. ACSC notification submitted. Clock stops. Non-notification is a civil penalty offence.

Services for Critical Infrastructure

What we deliver to energy, utilities,
transport and infrastructure operators

Our critical infrastructure advisory is built around the specific regulatory obligations, OT security challenges and operational constraints that infrastructure operators face. We understand that security recommendations must account for operational continuity — unplanned downtime is not an acceptable side effect of a security control.


SOCI Act CIRMP Design

Design and implementation of a Critical Infrastructure Risk Management Programme that meets the CIRMP Rules requirements — covering cyber, physical, personnel and supply chain risk categories. Includes the annual board attestation documentation and ASD engagement support.


OT / IT Security Assessment

A structured assessment of your OT and IT security posture — covering network segmentation between OT and corporate IT, OT-specific vulnerability management constraints, industrial protocol visibility and the compensating controls required where standard patching is not feasible.


Incident Notification Framework

Design, documentation and testing of your 12-hour and 30-day SOCI Act notification capability — including decision frameworks, notification templates, ASD engagement procedures and tabletop exercises that simulate the notification process under actual incident pressure.


Security Gap Analysis

A comprehensive security posture assessment aligned to SOCI Act obligations, relevant sector security plans and the OT-specific security standards applicable to your asset class — delivered with a prioritised remediation roadmap that accounts for OT operational constraints.


Threat Intelligence — State Actor Focus

Critical infrastructure faces the most sophisticated threat actors in the Australian landscape — state-sponsored adversaries with specific interest in pre-positioning for disruption. We operationalise threat intelligence relevant to your sector's adversary profile across your SIEM and OT monitoring platforms.


vCISO Advisory

Strategic security leadership for infrastructure operators building their security capability. Our critical infrastructure vCISOs have direct experience in regulated infrastructure environments and understand the board governance, ASD engagement and regulatory reporting requirements under the SOCI Act.

Case Study — Critical Infrastructure

Energy operator achieves SOCI Act CIRMP compliance and closes critical OT detection gaps in 90 days

An Australian energy distribution operator with assets across two states engaged GadgetAccess after determining that their existing security programme did not meet the SOCI Act CIRMP Rules requirements — and that their OT network lacked the visibility needed to detect adversary activity in their industrial control systems.

We delivered a complete CIRMP, OT security assessment, network segmentation uplift and a 12-hour notification capability — all within the 90-day timeline required before the operator's next ASD engagement. The CIRMP was accepted by the ACSC on first submission.

90 days: Complete CIRMP, OT assessment, network segmentation uplift and notification framework, all delivered within the operator's regulatory timeline.

1st submission: CIRMP accepted by the ACSC on first submission, with no resubmission or remediation direction required.

12 hr capable: Notification framework designed, documented and tested, verified capable of meeting the 12-hour SOCI Act deadline under simulated incident conditions.

We had 90 days to go from non-compliant to ACSC-accepted. GadgetAccess understood both the OT constraints we were working with and the regulatory expectations we had to meet. That combination is genuinely rare — most advisors are strong on one or the other, not both.

— Head of Operational Technology Security, Australian Energy Distributor
Critical Infrastructure Advisory

SOCI Act compliant.
OT security capable. Operationally aware.

Our critical infrastructure advisors understand both the regulatory requirements of the SOCI Act and the operational realities of OT environments. Book a briefing scoped to your sector, asset class and current programme maturity.

All engagements scoped to your sector obligations and OT environment. Typical first response within one business day.