Understanding the SOCI Act: What It Means for Cyber Businesses and Critical Infrastructure

POSTED ON 20-February-25

The Security of Critical Infrastructure (SOCI) Act 2018 is key to Australia's national security strategy, ensuring that critical infrastructure assets remain protected against cyber threats, foreign interference and operational disruptions. As cyber businesses play a key role in protecting these essential services, understanding and complying with the Act is crucial. 

 

The cyber threat landscape is changing fast and becoming increasingly sophisticated as technology advances. As a result, the SOCI Act has undergone amendments over time, expanding its reach beyond traditional sectors like electricity, water and transport to include industries such as communications, data storage and financial services. The implementation of the Act recognises the importance of cyber security across critical sectors that have economic and societal impacts.

 

Recent Updates to the SOCI Act

In late 2024, the Australian Government introduced amendments to the SOCI Act under the Enhanced Response and Prevention Bill 2024. These updates include new provisions for secondary assets holding business-critical data, expanded information-sharing powers, and strengthened obligations for critical infrastructure entities. While these changes reinforce existing requirements, they further highlight the need for cyber businesses to stay ahead of compliance obligations and evolving threats.

 

What does the SOCI Act mean for critical infrastructure?

The Canberra Cyber Hub recently hosted an event focused on the Security of Critical Infrastructure (SOCI) Act and its implications for critical infrastructure.

 

Hamish Hansford, Deputy Secretary of Cyber and Infrastructure Security at the Department of Home Affairs, delivered a keynote address covering key insights, including: 

  • Managing security spend – the challenge of securing legacy systems in critical infrastructure versus adopting secure-by-design technologies.
  • Securing supply chains – simplifying processes to enhance supply chain security. 
  • Sovereignty in a contested future – managing national security concerns. 
  • Resilience and personnel – ensuring cyber uplift includes both technology and workforce readiness. 
  • Integrating physical and cyber security – recognising that physical attacks remain one of the easiest ways to compromise systems. 

 

A panel discussion followed, bringing together industry experts: Frank den Hartog, Cisco Research Chair in Critical Infrastructure at the University of Canberra; Vikram Sharma, Founder and CEO of QuintessenceLabs; Kersti Eesmaa, Board Director at the Australian Cyber Collaboration Centre; and Adam Halls, Group Manager Cyber Security at ActewAGL.

 

The panel examined: 

  • Lessons from Europe, particularly Estonia, in securing critical infrastructure. 
  • The evolving threat landscape and the risks posed by emerging technologies. 
  • The complexity of “supply webs” and securing interconnected infrastructure. 
  • The growing security challenges of IoT device interconnectivity. 

 

The event offered a deep dive into the evolving cyber landscape, providing attendees with practical insights to navigate the challenges and opportunities presented by the SOCI Act.

 

How the SOCI Act applies to Critical Infrastructure

To mitigate cyber risks, critical infrastructure companies should:

  1. Assess Vulnerabilities – Conduct a thorough risk assessment of all digital assets and infrastructure connected to critical industries. 
  2. Develop a CIRMP (Critical Infrastructure Risk Management Program) – Establish a robust risk management framework tailored to specific infrastructure risks.
  3. Enhance Threat Detection – Invest in real-time monitoring and incident response capabilities to detect and manage cyber threats effectively. 
  4. Stay Informed on Regulatory Changes – Given the changing nature of cyber security legislation, businesses should continuously review updates to the SOCI Act and other relevant laws. 

 

Opportunities for Cyber Businesses 

The SOCI Act also presents significant growth opportunities for cyber security firms: 

  • Increased Demand for Security Services – As critical infrastructure entities seek to comply with SOCI regulations, demand for cyber risk assessments, security audits and compliance consulting is expected to rise. 
  • Strategic Partnerships – Cyber security businesses can position themselves as essential partners for critical infrastructure providers looking to improve their cyber security stance. 
  • Innovation in Cyber Resilience – Businesses that develop cutting-edge security solutions, such as AI-driven threat detection and automated compliance tools, will find themselves in high demand. 

 

Looking Ahead: The Future of Critical Infrastructure Security

As cyber security threats become more sophisticated, it is more important than ever that we protect our critical infrastructure. The SOCI Act presents an opportunity to shape the future of Australia’s critical infrastructure protection.

 

“Securing critical infrastructure is about technology, process and people. Collaboration and a coordinated response are necessary for securing critical infrastructure and ensuring Australia becomes a secure nation.”

 
