The threat of cyberattack on Australia’s critical infrastructure is growing. These assets and systems keep essential services running, directly affecting the well-being of millions of Australians. When it comes to water, energy, transportation, healthcare and communication, a security breach could cause major disruption and damage.
In recognition of this, the Federal Government introduced the Security of Critical Infrastructure Act (SOCI Act) in 2018.
The SOCI Act was an important step to strengthen the security of Australia’s national infrastructure. But major security incidents have continued to escalate, which shows that there is more to do. Federal parliament, Channel Nine, Eastern Health and Western Australia’s parliament were all subject to cyber-attacks in 2021, followed by the Optus data breach in 2022.
As a result, we now have the Amended Security of Critical Infrastructure Act (SOCI Act). While the steps to protect critical infrastructure have not materially changed, the amended Act now covers more sectors, introduces stricter reporting rules, and mandates more information sharing. The government also has more power to intervene during a major incident.
In light of the SOCI Act amendments, let’s look at 5 simple steps to protect Australia’s national (or critical) infrastructure.
- Map critical processes and identify key assets. The original SOCI Act required critical infrastructure organisations to map out system architecture, critical processes and data. But often, this isn’t enough.
The amended SOCI Act now requires organisations to register key assets (e.g., electricity plants, water treatment centres) and enforce tighter controls around critical processes. This allows decision-makers to pinpoint vulnerabilities and potential single points of failure, which is vital for designing tailored security measures and prioritising resources. Any changes must be updated for inclusion in the Critical Infrastructure Assets (Register).
- Adopt security frameworks. Well-established security frameworks provide organisations with a structured approach to managing and mitigating risks. A robust framework addresses all aspects of security, from prevention to detection and response.
The amended SOCI Act includes Risk Management Program rules, as part of the Act’s Positive Security Obligations. The rules specifically address cyber and information security hazards, both natural and man-made.
Organisations must adopt the program and take reasonable steps to ensure that it is up to date. They have 18 months to show compliance with at least one of the security frameworks named in the program.
- Share information. Stopping attacks from spreading across an industry relies on co-operation. Timely reporting of cyber incidents and knowledge sharing is critical to reducing risk for everyone. If one business succumbs to a major attack, the entire industry could be affected.
The amended SOCI Act now requires an organisation to report a cyber incident within 72 hours of becoming aware of it. The incident must directly or indirectly impact a critical infrastructure asset’s availability, integrity or reliability.
This period is reduced to 12 hours if the incident is disrupting essential goods or services. The government now has the power to intervene and give specific direction where it can facilitate a practical and effective response to the incident.
- Take personnel back to school. An organisation’s first line of defence is a well-informed, educated workforce. Security awareness and training is essential not just for employees but for partners and third parties, as supply chains are often vulnerable to attack.
Every major security framework under the Risk Management Program rules emphasises the importance of security training. Under the Enhanced Security Obligations of SOCI, further upskilling is recommended, such as conducting cyber security exercises which test how an entity responds to an incident. - Monitor and respond. As threats evolve in sophistication and scale, prompt identification of suspicious activity backed by a rapid response is key to containment and recovery. Combined with information sharing, this minimises impact to not only the affected entity but also similar critical services across Australia.
The Enhanced Security Obligations under SOCI call out the need for entities to proactively check for threats and respond quickly. This includes incident response planning, vulnerability assessments, periodic or event-based reporting, and sending system information directly to the Australian Signals Directorate (ASD).
Ultimately, security monitoring and response strengthens not only the resilience of individual organisations but also the collective security of critical infrastructure. Vital systems can remain reliable and secure in the face of ever-present threats.
Protecting our critical infrastructure is vital for the safety, security and prosperity of Australia. This multifaceted process involves comprehensive risk assessment and robust cyber security and physical security measures, in addition to continuous training and awareness.
The collective approach to defence — helped by sharing information across sectors — is essential for success. Through vigilance in these areas, we can ensure the safe, continued provision of essential services and maintain our way of life.
At DXC Technology, we’re proud to be a founding member of the CI-ISAC. The Australian C-ISAC was launched in March 2023 as the only cyber intelligence sharing community focused on owners and operations of Australia’s critical infrastructure and material suppliers. Its mission is to support organisations to share information and protect Australia against malicious cyber acts.
About the author
Pierre Tagle, Ph.D is the Head of Security Advisory & Professional Services in Australia and New Zealand for DXC Technology’s Security offering. He has 20+ years of experience in ICT and cyber security across consulting, executive and operation fields. Pierre has a Ph.D in Computer Science at La Trobe University.