Australia's Security of Critical Infrastructure (SOCI) Act imposes new cybersecurity responsibilities on owners and operators of critical infrastructure. Ariel Egber, cybersecurity specialist at Enzen Australia, explains what this means for the country's utilities sector, and how Enzen can navigate your organisation through the journey.
The SOCI Act mandates organisations take reasonable, proportionate measures to protect critical infrastructure assets from cyber threats.
Its key obligations include:
- identifying critical assets and interdependencies with other sectors
- conducting ongoing risk assessments to understand cyber vulnerabilities
- developing and executing targeted cybersecurity programmes
- implementing essential mitigation measures like multi-factor authentication, patch management, and logging
- establishing cyber incident response plans and exercising them through drills
- notifying government agencies of significant cyber incidents.
The act's requirements change based on the 'criticality tier' assigned to assets. For example:
- Tier One contains the highest criticality assets such as power grids, water treatment plants, financial exchanges, telecom networks, and gas pipelines. These must be fully compliant to Australia's cybersecurity guidelines, requiring organisations to implement comprehensive controls which cover all aspects of cybersecurity management.
- Tier Two includes infrastructures such as chemical facilities, cargo ports, subway systems, natural gas pipelines, data centres, and hospitals. They must implement significant cybersecurity improvements by orchestrating major investment that enhances cybersecurity sustainability beyond its current state.
- Tier Three comprises assets like undersea communications cables, railways, emergency services, waste treatment plants, stadiums, and commercial buildings. These only require foundational cybersecurity precautions, meaning organisations need to implement cybersecurity basics like patching, antivirus, authentication, logging etc.
Benchmarking performance
To understand your utility's obligations under the SOCI Act, organisations should thoroughly evaluate their infrastructure criticality tiers using Australia's designation criteria. From there, entities can benchmark their current security policies, technologies and processes against requirements for their assigned tiers. Gaps must be addressed through cybersecurity programme enhancements. Executing these upgrades will demand resources and dedication.
While achieving total security is not feasible, the SOCI Act pushes organisations to demonstrate their cyber due diligence is appropriate for their criticality scale. By understanding and acting upon their obligations, companies can avoid regulatory actions and, more importantly, cyber disruptions to the everyday services Australians rely upon.
Integrating cybersecurity into your culture
Navigating the new regulatory landscape under the SOCI Act may seem daunting. However, by partnering with experienced Enzen cybersecurity professionals, critical infrastructure entities can overcome challenges and implement robust cyber protections.
Our company helps guide organisations through comprehensive cybersecurity upgrades tailored to your unique environment. We assess your existing posture and provide roadmaps to meet baseline SOCI Act obligations. Our services span from IT and OT security, from addressing gaps in asset management to incident response.
Leveraging threat intelligence and leading standards like AESCSF/ISO/NIST, we help clients build, monitor, and continuously refine holistic cyber programs. With deep expertise across sectors like energy, renewables, water, and gas, we enable entities to integrate cybersecurity into their operations and culture.
Building long-term resilience
By leveraging our advisory services, critical infrastructure organisations can benchmark their cybersecurity against leading practices and security profiles. We empower companies to meet their SOCI Act responsibilities while building resilience against evolving digital threats.
Assess where your organisation stands today relative to the cybersecurity uplift mandated by the SOCI Act. Contact us today to proactively strengthen your cyber defences.
Don't wait for an incident or crisis to drive change. Act now.
If you’d like to discuss the issues raised in this article, contact Ariel at ariel.egber@enzen.com.
For more about Enzen's cybersecurity solutions, visit: Cybersecurity: protecting your critical infrastructure in a changing world
About the author
Ariel Egber has more than ten years of experience in developing best practice solutions for the energy, finance, and healthcare sectors, specialising in cybersecurity and cloud architecture. As Principal Cybersecurity Architect and Advisory OT/ICS at Enzen Australia, he is responsible for deploying his award-winning expertise to support customers in safeguarding their critical infrastructure, both strategically and operationally.