Critical infrastructure protection explained

The Security of Critical Infrastructure Act 2018 (SOCI Act) is a framework for managing critical infrastructure security in Australia.

Designed to uplift Australia’s critical infrastructure protection, successive changes to the SOCI Act put requirements on responsible entities across 11 critical sectors.

Drawing on experience across legal, risk, cyber, supply chain, asset management and infrastructure, KPMG offers comprehensive support to help you navigate the interconnected complexities of SOCI compliance, stay on top of evolving risks, and strengthen your organisation’s security and resilience culture.


  • Cyber security for critical infrastructure protection

    Need help complying with SOCI's cyber requirements before the 17 August 2024 deadline?

SOCI Act: insights and facts

Critical infrastructure cyber security, risk management and government assistance measures

Between the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) that came into effect in December 2021, and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP) that came into effect in April 2022, the Australian Government has expanded the SOCI Act to promote improved preparedness and resilience of critical infrastructure assets in Australia. 

The SOCI framework includes:

  • Positive Security Obligations (PSO) 
  • Government assistance measures 
  • Enhanced Cyber Security Obligations (ECSO)

With requirements differing across sectors and entities, there is no cookie-cutter approach to SOCI compliance. Genuinely delivering on the SOCI Act’s intent involves adapting and bringing common concepts and services together in a new way. 

Drawing on our experience and cross-sector capabilities, we provide practical advice to help organisations along their SOCI journeys, meeting them where they are.

Find out more in our FAQs and via our video explainers.


FAQs: critical infrastructure act

What is the purpose of SOCI?

SOCI aims to ensure critical infrastructure assets and services across 11 sectors are protected and resilient to disruptions that would severely impact Australia’s society, economy, and security. The SOCI Act reflects how important critical infrastructure is to Australia, the potential for cascading consequences, and the public’s expectation that the government will be able to respond to emergencies.

What sectors does the SOCI Act apply to?

SOCI applies to 22 asset classes across 11 sectors of the economy:

  • communications
  • data storage and processing
  • defence industry
  • higher education and research
  • energy
  • financial services and markets
  • food and grocery
  • healthcare and medical
  • space technology
  • transport
  • water and sewerage.

Not all obligations have been ‘switched on’ for every sector, so it is important to make sure you check the relevant obligations for your asset class.

What does the SOCI Act do?

The SOCI Act is aimed at bolstering security, particularly cyber security, across 11 critical infrastructure sectors in Australia. It does this through a framework with the following components:

Positive Security Obligations (PSO)

  • Register of Critical Infrastructure Assets
  • Mandatory Cyber Incident Reporting
  • Critical Infrastructure Risk Management Program

Government assistance measures

  • Information gathering directions
  • Action directions
  • Intervention request

Enhanced Cyber Security Obligations (ECSO) for Systems of National Significance

  • Incident Response Plans
  • Cyber Security Exercises
  • Vulnerability Assessments
  • Provision of System Information

What is a CIRMP?

Under the SOCI Positive Security Obligation, responsible entities in the 13 asset classes listed on page 2 of the CISC Fact Sheet – Overview of SOCI Obligations (PDF 560KB) must have a Critical Infrastructure Risk Management Program (CIRMP) that outlines and maintains their processes and systems to identify hazards and mitigate potential risks. A CIRMP needs to take an ‘all hazards’ approach across 4 key vectors: physical security and natural hazards; personnel hazards; supply chain hazards; and cyber security and information security hazards.

What are the penalties for non-compliance with SOCI?

Non-compliance with critical infrastructure security legislation can result in legal proceedings, significant penalties and reputational damage.

Failing to comply can expose responsible entities to cyber security incidents with major impacts on their organisation and national security.

SOCI Act: Key compliance dates


Earlier

Grace periods have ended for reporting cyber incidents, registering ownership and operational information and meeting CIRMP obligations. These are now mandatory.

17 August 2024

Conclusion of the grace period for achieving cyber security requirements against a recognised framework (AESCSF, NIST, ISO 2700X, E8) or equivalent.

28 September 2024

The first annual report is due (within 90 days of 30 June 2024).

How KPMG can help you achieve resilient infrastructure

Understand

Monitor your obligations and master the basics

  • Assess your cyber maturity and identify risk scenarios
  • Provide actionable strategies to address the fundamentals
  • Brief your board
  • Establish annual reporting processes

Act

Uplift to meet SOCI requirements

  • Implement, review and/or update your CIRMP
  • Provide advice on your approach
  • Build incident response and asset upgrade plans
  • Assess your security and physical risk posture
  • Meet SoNS requirements

Transform

Leverage critical infrastructure protection

  • Embed a security culture across your organisation
  • Integrate critical infrastructure requirements into your wider control environment and transformation activities
  • Use SOCI alignment for a competitive edge


  • Are you an operator of critical infrastructure?

    Download our factsheet to explore six facts about SOCI.

Watch: SOCI Act video explainer



Meet KPMG's SOCI Act specialists

KPMG’s SOCI team includes leaders who helped shape and drive the SOCI reforms.

With firsthand knowledge of the SOCI Act and its intent, we help responsible entities across critical infrastructure sectors meet their obligations.