Cyber threats are becoming increasingly sophisticated and frequent, and the protection of critical infrastructure has never been more important. Australia has taken a proactive stance in addressing this challenge with the Security of Critical Infrastructure (SOCI) Act 2018.
What Is SOCI?
The Security of Critical Infrastructure Act 2018 is a landmark piece of legislation designed to enhance the security and resilience of Australia’s critical infrastructure. The SOCI Act applies to a wide range of organizations that own or operate critical infrastructure assets in Australia. These include:
- Energy providers (electricity, gas, liquid fuels)
- Water and sewerage services
- Food and grocery suppliers
- Transport operators (aviation, maritime, road, rail)
- Data storage and processing facilities
- Defense industry entities
- Space technology operators
The Act has undergone significant amendments in recent years to address evolving threats and expand its scope. The latest version of the SOCI Act features:
- Expanded Scope: The Act now covers 11 sectors, including energy, communications, financial services, healthcare, and more.
- Positive Security Obligations: Entities must adopt risk management programs and report on cyber incidents.
- Enhanced Cyber Security Obligations: Additional requirements for systems of national significance.
- Government Assistance: Provisions for government intervention in severe cyber incidents.
Operational Technology (OT) systems are at the heart of these critical infrastructure sectors. The SOCI Act recognizes the unique challenges and vulnerabilities associated with OT environments:
- Interconnected Systems: OT networks are increasingly connected to IT networks, expanding the attack surface.
- Legacy Systems: Many OT systems were not designed with cyber security in mind, making them vulnerable to modern threats.
- Potential for Physical Impact: Compromised OT systems can lead to real-world consequences, including safety risks and service disruptions.
- Supply Chain Risks: The Act acknowledges the importance of securing the entire supply chain, including OT components.
Domains of the SOCI Act
The SOCI Act addresses several critical domains to ensure comprehensive protection of critical infrastructure:
- Risk Management: Implementing robust risk assessment and mitigation strategies.
- Cyber Security: Enhancing defenses against cyber threats and incidents.
- Physical Security: Protecting physical assets from unauthorized access or damage.
- Personnel Security: Ensuring trustworthy individuals have access to critical systems.
- Supply Chain Security: Mitigating risks associated with third-party suppliers and components.
- Information Sharing: Facilitating the exchange of threat intelligence and best practices.
- Incident Response: Developing and testing plans for responding to security incidents.
- Governance: Establishing clear roles, responsibilities, and accountability for security.
How Dragos and NP-View Help Meet SOCI Act Requirements
Dragos and NP-View offer simple and comprehensive solutions to help organizations comply with the SOCI Act and enhance their OT security posture.
Dragos Platform
- Asset Visibility: Provides comprehensive inventory and visibility of OT assets, supporting risk management efforts.
- Threat Detection: Utilizes advanced analytics to identify cyber threats in OT environments, addressing cyber security requirements.
- Vulnerability Management: Helps identify and prioritize vulnerabilities in OT systems.
- Incident Response: Offers playbooks and tools for effective incident response in OT environments.
Dragos WorldView
- Threat Intelligence: Provides OT-specific threat intelligence, enhancing situational awareness and supporting information sharing obligations.
- Risk Analysis: Offers insights into emerging threats and vulnerabilities, aiding in risk assessment and management.
Dragos NP-View
- Network Segmentation Analysis: Helps ensure proper segmentation between IT and OT networks, reducing the attack surface.
- Policy Verification: Validates network security policies, supporting compliance with security governance requirements.
- Visualization: Provides clear visualizations of network architecture, aiding in risk assessment and management.
Enhanced Cyber Security Requirements for SOCI SoNS in Australia
Australia’s Systems of National Significance (SoNS) are critical infrastructure assets identified for their vital role in national security and economic stability. These assets span 11 essential sectors, including finance, defence, energy, and healthcare. Qualification as a SoNS requires rigorous assessment, considering factors such as interdependence with other infrastructure, potential impact on national stability, and ministerial approval.
SoNS are subject to Enhanced Cyber Security Obligations (ECSO), a framework designed to strengthen their cyber security resilience. The ECSO framework consists of four key components:
- Cyber Security Incident Response Plans: Organizations must develop, maintain, and regularly review response protocols aligned with business continuity strategies.
- Cyber Security Exercises: Regular testing of response capabilities through simulations, with reports submitted within 30 days.
- Vulnerability Assessments: Systematic identification of security weaknesses through various assessment methods, with remediation plans required.
- System Information Provision: Real-time threat monitoring, mandatory reporting, and potential use of government-provided software for information sharing.
The ECSO framework is tailored to each SoNS based on compliance costs and existing regulations, ensuring a robust cyber security posture for Australia’s most critical assets.
In Conclusion
The SOCI Act represents a significant step forward in protecting Australia’s critical infrastructure. For organizations operating in the OT space, compliance with the Act is not just a legal requirement but a crucial aspect of ensuring the resilience and security of essential services.
