Skip to main content
Critical Infrastructure · SOCI Act Compliance

SOCI Act for
energy and critical
infrastructure:
what compliance
actually requires.

Australia's Security of Critical Infrastructure Act is not a guidelines document. It is legislation with mandatory obligations, reporting clocks, civil penalties, and government intervention powers. Energy sector operators, from generators to transmission networks to fuel storage, are squarely in scope. And the regulatory environment has tightened considerably since the Act was first passed in 2018.

Most content about SOCI compliance repeats the same surface-level summary: eleven sectors, report incidents, write a risk management program. That is not enough. Energy operators face specific challenges around operational technology environments, vendor-heavy supply chains, and the tension between safety systems and cyber security controls. This guide covers what the legislation actually requires, where energy organisations consistently fall short, and what genuine compliance looks like in practice.

Written by practitioners who hold ISO 27001 certification and advise critical infrastructure operators on security governance and SOCI compliance.

Book Lighthouse Assessment → Security Governance Services
CC
Cliffside Cybersecurity ISO 27001 Certified · Critical Infrastructure Practitioners · Sydney · Est. 2014
Updated March 2026
On this page
01 / What the SOCI Act is

The Security of Critical Infrastructure Act 2018 is Australia's primary legislation for protecting nationally significant assets. It is not optional.

The Security of Critical Infrastructure Act 2018 (SOCI Act) was originally a narrower piece of legislation focused on foreign ownership and control of critical assets. The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 transformed it into a comprehensive cybersecurity and risk management framework covering eleven sectors of the Australian economy.

The Act creates three tiers of obligation. All responsible entities operating critical infrastructure assets must comply with mandatory incident reporting (Part 2B). A subset of entities must adopt a Critical Infrastructure Risk Management Program (CIRMP) under Part 2A. And a further subset, those operating assets declared as Systems of National Significance (SoNS), face enhanced obligations directed by the Australian Signals Directorate.

The Cyber and Infrastructure Security Centre (CISC), within the Department of Home Affairs, is the primary regulator. The Australian Signals Directorate (ASD) handles cyber security incident reporting and leads the enhanced obligations for Systems of National Significance.

Why 2025 and 2026 matter: The first round of CIRMP annual reports landed in September 2024, and the regulator now has baseline data on how seriously operators are treating their obligations. The Cyber Security Act 2024, which commenced in stages from late 2024, added mandatory ransomware payment reporting and strengthened the government's ability to respond to significant cyber incidents. Energy operators who treated SOCI as a paperwork exercise now face a regulator with enforcement data and additional legislative tools.

The eleven critical infrastructure sectors

The SOCI Act defines critical infrastructure across eleven sectors. Energy is one of the most heavily regulated, given the direct connection between energy availability and national security.

Communications
Data storage or processing
Defence industry
Education
Energy
Financial services
Food and grocery
Health care and medical
Space technology
Transport
Water and sewerage
02 / Energy sector scope

Which energy assets are in scope, and what that means for operators running complex OT environments.

The SOCI Act defines critical energy assets across the electricity, gas, and liquid fuel supply chains. The Security of Critical Infrastructure (Definitions) Rules set the specific thresholds.

Electricity assets in scope include generation facilities above certain capacity thresholds, transmission networks, distribution networks, and electricity market operators. Gas assets include processing facilities, transmission pipelines, and distribution networks. Liquid fuel assets cover storage facilities above defined capacity thresholds.

For energy operators, the practical challenge is not identifying whether you are in scope. Most operators of any scale know they are. The challenge is that energy environments combine IT systems, operational technology (OT), industrial control systems (ICS), and SCADA networks in ways that make clean security boundaries difficult to draw.

The OT complication: Most cybersecurity frameworks were designed for IT environments. Energy operators must apply SOCI obligations across environments where patching can cause outages, where legacy protocols lack authentication, and where safety instrumented systems must remain operational regardless of the cyber threat. A CIRMP that only covers the corporate IT network is not compliant. A CIRMP that disrupts safety systems is dangerous. Getting this balance right is the core challenge for energy sector SOCI compliance.

The Register of Critical Infrastructure Assets, maintained by CISC, records each asset along with its responsible entity, direct interest holders, and operational details. Responsible entities must keep this register current and notify CISC of changes in ownership, control, or operational status within prescribed timeframes.

03 / The CIRMP obligation

A Critical Infrastructure Risk Management Program is not a policy document. It is a board-approved, annually reported, evidence-backed risk management framework.

Part 2A of the SOCI Act requires responsible entities of specified critical infrastructure assets to adopt and maintain a written Critical Infrastructure Risk Management Program. The CIRMP Rules 2023 set out the detail.

The CIRMP must identify each type of hazard that could have a relevant impact on the asset, meaning an impact on the availability, integrity, reliability, or confidentiality of the asset. It must describe the material risks of each hazard occurring. And it must set out how the responsible entity will minimise or eliminate those risks, or otherwise mitigate the impact.

The Rules require the CIRMP to address four hazard categories:

1
Cyber and Information Security
The CIRMP must address cyber and information security hazards using one or more specified frameworks as a baseline. The Rules list acceptable frameworks including the Australian Signals Directorate's Essential Eight, ISO/IEC 27001:2022, NIST Cybersecurity Framework, and sector-specific frameworks such as the AESCSF for energy. The entity must identify how the chosen framework applies to the specific asset and what controls are in place. For energy operators, this is where OT and ICS environments must be explicitly addressed, not just the corporate IT estate.
2
Personnel
Personnel hazards include insider threats, inadequate screening, and access by individuals who should not have access to critical systems. The CIRMP must address minimum background checks for critical workers, processes for managing access when personnel change roles or leave, and awareness of indicators of insider risk. Energy operators must consider both permanent staff and the contractors, integrators, and vendor technicians who routinely access OT environments.
3
Supply Chain
Supply chain hazards cover risks arising from dependencies on third parties, whether for technology, services, or physical components. The CIRMP must identify critical suppliers and dependencies, assess the risks they introduce, and describe mitigations. For energy operators, this means mapping not just IT vendors but OT system integrators, control system vendors, remote monitoring services, and any third party with logical or physical access to critical systems.
4
Physical Security
Physical security hazards include unauthorised access to facilities, natural hazards, and physical damage to infrastructure. Energy assets are inherently distributed, with generation facilities, substations, pipeline infrastructure, and storage sites across wide geographies. The CIRMP must address the physical security of each location where the critical infrastructure asset operates, not just the head office or primary data centre.

Board approval and annual reporting

The CIRMP must be approved by the board (or equivalent governing body) of the responsible entity. This is not a delegation to the CISO or the risk team. The board must be satisfied that the program is fit for purpose.

Responsible entities must submit an annual report to CISC confirming that the CIRMP was in effect during the reporting period, describing any hazards that materialised, and providing an updated risk assessment. The first reports were due by 28 September 2024. The quality of these reports will shape the regulator's enforcement priorities going forward.

What the annual report reveals: The annual report is not a compliance checkbox. It is an evidence trail. It tells the regulator whether your board genuinely oversees the program, whether hazards are identified and managed in practice, and whether incidents were handled appropriately. A thin annual report invites scrutiny. A credible one demonstrates that governance is functioning.

04 / Incident reporting obligations

Reporting clocks start when you become aware of the incident, not when you finish investigating it.

Part 2B of the SOCI Act imposes mandatory cyber security incident reporting on all responsible entities, regardless of whether they are subject to CIRMP obligations. The reporting obligations apply to any cyber security incident that has had, is having, or is likely to have a relevant impact on the critical infrastructure asset.

12h
Critical incidents
Critical Cyber Security Incident
Report to ASD within 12 hours of becoming aware. A critical incident is one that has had, or is having, a significant impact on the availability of the asset. For energy operators, this means incidents affecting generation capacity, transmission reliability, distribution to customers, or safety system integrity.
72h
Other reportable incidents
Other Cyber Security Incident
Report to ASD within 72 hours of becoming aware. This covers incidents that have had, are having, or are likely to have a relevant impact on the availability, integrity, reliability, or confidentiality of the critical infrastructure asset. The threshold is lower than most operators expect.

Three things determine whether your organisation can meet these clocks:

  1. Detection capability. You cannot report what you cannot see. If your monitoring covers the corporate network but not the OT environment, you have a blind spot that could delay awareness by days or weeks.
  2. Decision authority. Someone must have the authority to classify an incident and trigger a report. If that decision requires a committee meeting, you will miss the 12-hour window.
  3. Pre-prepared reporting processes. The report itself requires specific information about the incident, the asset affected, and the impact. Organisations that build reporting templates and practise the process before an incident respond faster than those working it out under pressure.

The Cyber Security Act 2024 adds another clock: From 2025, the Cyber Security Act 2024 requires entities that make ransomware payments to report them within 72 hours. This is a separate obligation with separate reporting channels. Energy operators must now track SOCI incident reporting, potential Privacy Act notification obligations, and ransomware payment reporting as distinct but overlapping requirements.

05 / Systems of National Significance

If your asset is declared a System of National Significance, the government's expectations step up significantly.

Part 2C of the SOCI Act allows the Minister to declare a critical infrastructure asset as a System of National Significance (SoNS). These declarations are not made public. An operator may be notified that their asset has been declared, and that notification itself may be classified.

SoNS operators face enhanced obligations that go well beyond standard CIRMP and reporting requirements:

1
Cyber Security Exercises
The Secretary of Home Affairs can require the operator to participate in cyber security exercises designed to test the entity's preparedness and response capability. These are not optional tabletop discussions. They are structured exercises with defined scenarios and measurable outcomes.
2
Vulnerability Assessments
The Secretary can direct the operator to undertake vulnerability assessments of the asset's critical systems. The scope, methodology, and reporting requirements may be specified by the government, not chosen by the operator.
3
System Information Provision
Operators may be required to provide system information to ASD, including network architecture, security configurations, and vulnerability data. This enables ASD to build a picture of the asset's security posture and provide threat-specific guidance.
4
Incident Response Planning
ASD can require the operator to develop and maintain incident response plans that meet specified standards. This may include requirements for specific detection capabilities, escalation procedures, and recovery objectives.

The SOCI Act also provides for government assistance measures as a last resort, applicable to all critical infrastructure assets, not just SoNS. These range from information gathering directions to action directions (requiring the entity to do or stop doing something) to intervention requests (allowing ASD to take direct action on the entity's systems). These powers are designed as a backstop, but their existence signals the seriousness with which the government treats critical infrastructure protection.

06 / Where energy operators consistently fall short

The failures are not surprising. They are predictable, and most of them stem from treating SOCI as a compliance exercise rather than an operational risk program.

Having worked with critical infrastructure operators on security governance and SOCI readiness, the same patterns appear consistently. They are worth naming directly because awareness alone does not fix them.

CIRMPs that cover IT but not OT

The most common gap. The CIRMP describes cyber security controls for the corporate environment, email, endpoints, cloud services, but barely mentions the operational technology that actually runs the critical infrastructure asset. The SOCI Act does not distinguish between IT and OT. The CIRMP must cover the systems that, if compromised, would have a relevant impact on the asset. For most energy operators, those are the SCADA systems, PLCs, RTUs, and engineering workstations, not the email server.

Board approval without board understanding

The Rules require board approval of the CIRMP. In practice, some boards are approving documents they do not genuinely understand, because the security team presents the CIRMP in technical language that does not translate to business risk. A board that has approved a CIRMP it cannot explain is a board that has accepted risk it does not comprehend. That is a governance failure, and it is visible in the annual report.

Supply chain coverage that stops at IT vendors

The CIRMP must address supply chain hazards. Most energy operators identify their IT vendors and cloud providers. Fewer map the OT system integrators, control system vendors, remote access providers, and specialist maintenance contractors who have privileged access to the systems that matter most. Third-party risk management in energy requires mapping the full chain, not just the familiar vendors.

Incident classification that cannot meet reporting clocks

The 12-hour clock for critical incidents requires rapid classification. Many energy operators have incident response procedures that work for routine IT incidents but are not designed for the speed the SOCI Act demands. Classification criteria are ambiguous. Escalation paths are unclear. The person who can authorise a report is not available outside business hours. These are structural problems, not training problems.

Monitoring gaps between IT and OT

Effective detection requires visibility across both IT and OT networks. Many energy operators have invested in SIEM and SOC capabilities for their corporate environment but have limited or no monitoring of OT network traffic. An attacker who gains access to the corporate network and pivots into the OT environment may not be detected until the impact is physical, which is exactly the scenario the SOCI Act is designed to prevent.

Recovery assumptions that have never been tested

Backups exist. Recovery procedures are documented. But when was the last time anyone actually tested a full recovery of a critical OT system from backup? For many energy operators, the answer is never, or not in the current configuration. Breach simulation and recovery testing are the only way to know whether your recovery time objectives are realistic or aspirational.

07 / What genuine SOCI compliance looks like

Compliance that survives regulatory scrutiny is built on evidence, ownership, and tested capability, not documentation volume.

The difference between organisations that are genuinely SOCI-compliant and those that have ticked a box is visible in their evidence, their decision-making speed, and their ability to explain their risk position clearly.

An evidence pack that leadership can defend

If the regulator asks to see your CIRMP and supporting evidence, what do you produce? The organisations that are well positioned have a structured evidence pack that connects obligations to controls and controls to evidence.

  • Board-approved CIRMP with documented approval records and review history
  • Hazard register covering all four categories with named owners for each material risk
  • Framework alignment mapping (Essential Eight, ISO 27001, AESCSF, or NIST) with evidence of control implementation across IT and OT
  • Supply chain risk register with critical supplier assessments and documented mitigations
  • Personnel screening records for critical workers with access to critical systems
  • Incident response procedures aligned to SOCI reporting timeframes, with evidence of testing
  • Recovery test results showing actual recovery times against stated objectives
  • Annual report with substantive content, not template-filled compliance language

Decision-making that matches the reporting clocks

The 12-hour reporting window for critical incidents is not generous. Organisations that meet it consistently have three things in place: clear classification criteria that front-line responders can apply without waiting for senior approval, pre-delegated authority to submit initial reports, and a communication chain that works at 2am on a Sunday, not just during business hours.

Building this capability requires practice. Tabletop exercises that simulate SOCI-reportable incidents, with the clock running, reveal whether your classification criteria are clear enough and whether your escalation paths actually work.

OT security that is integrated, not siloed

Good practice means treating IT and OT security as parts of a single governance framework, even if the technical controls differ significantly. The CIRMP should describe how the organisation manages cyber security hazards across the full technology estate, with honest acknowledgement of where OT constraints limit what is achievable and what compensating controls are in place.

This does not mean applying IT security controls directly to OT environments. It means having a single risk view that covers both, with appropriate controls for each context and clear documentation of where residual risk has been accepted and by whom.

Vendor and supply chain governance that covers the real risk

Effective supply chain hazard management for energy operators means knowing which third parties have access to which systems, under what conditions, with what monitoring. It means contractual requirements that are enforceable and checked, not boilerplate clauses that were never tested. And it means having a view of concentration risk: where multiple critical systems depend on the same vendor or the same remote access pathway.

A 90-day improvement plan for teams that need progress now

If your SOCI compliance has gaps, a structured 90-day plan delivers measurable progress without trying to solve everything at once.

Days 1 to 30: Review your existing CIRMP against the four hazard categories. Identify where OT coverage is missing. Map your critical suppliers and their access to critical systems. Test your incident classification criteria against three realistic scenarios and measure whether you can classify within the first hour.

Days 31 to 60: Close the worst OT coverage gaps in your CIRMP. Run a tabletop exercise simulating a SOCI-reportable incident with the 12-hour clock running. Review your board reporting to ensure it gives directors enough information to genuinely oversee the program. Assess your detection and monitoring capability across IT and OT boundaries.

Days 61 to 90: Update the CIRMP with substantive improvements and take it back to the board. Build the evidence pack that supports your next annual report. Establish a quarterly review cadence for hazard registers and supply chain risk. Test at least one critical system recovery from backup to validate your recovery time objectives.

08 / How Cliffside helps

We help critical infrastructure operators build SOCI compliance that works under pressure, not just under audit.

Cliffside works with energy and critical infrastructure operators on the governance, testing, and evidence challenges that SOCI compliance creates. We do not sell compliance templates. We help build the capability that makes compliance a byproduct of good security practice.

Our work typically covers security governance design and CIRMP development, incident response testing aligned to SOCI reporting timeframes, technical assurance across IT and OT boundaries, and supply chain risk assessment for critical vendors.

If you are an energy or critical infrastructure operator working through SOCI obligations, start with an honest conversation about where you stand and what needs to happen next.

Book a Lighthouse Assessment or call our team on (02) 8916 6389.

Need SOCI Compliance Guidance?

Our consultants help critical infrastructure operators build security governance that satisfies SOCI obligations and genuinely protects operations. Start with an honest conversation.

Book a Lighthouse Assessment →

Not sure where to start?

Book a free Lighthouse Assessment. Honest, transferable, no lock-in.

Book Free Assessment