How the Security of Critical Infrastructure (SOCI) Act is strengthening Australia’s critical infrastructure cybersecurity posture
Posted: Thursday, May 16

i 3 Table of Contents

How the Security of Critical Infrastructure (SOCI) Act is strengthening Australia’s critical infrastructure cybersecurity posture

Critical infrastructure – including healthcare, financial infrastructure, telecommunications, energy infrastructure, water assets and more – are vital to Australia’s national growth, underpinning social and economic prosperity. Unsurprisingly, they have become attractive targets for cyber criminals seeking financial gain intent on hampering essential services by stealing sensitive data or impeding operational availability. 

The consequences of such attacks could be catastrophic for national security. Disruption of an electricity grid could cause loss of power, which could in turn cripple essential services like hospitals, payments and public transport. Compromised communications networks could mean millions can’t reach loved ones or access emergency services.

Between 2022–23, the Australian Signals Directorate (ASD) responded to 143 incidents reported by critical infrastructure entities. This is an increase from 95 incidents reported in 2021–22 – while a majority were classified as low-level malicious attacks or isolated compromises, there is an urgent need to address risks and strengthen Australia’s critical infrastructure cybersecurity posture.

The Australian Security Intelligence Organisation (ASIO) also revealed that the nation’s critical infrastructure has come under increased threat by cyber adversaries, to both disrupt and sabotage essential services in the country. This has in turn raised the stakes for critical infrastructure providers to a new level. 

Why government legislation is key to protecting Australia’s critical infrastructure

There is no universal approach to securing critical infrastructure as every organisation is unique and requires risk management solutions tailored to its specific needs. However, government reform can play a vital role in strengthening overall cyber threat resilience. The federal government has implemented an expansive program for greater visibility and control over critical infrastructure assets, which is driving operators to refocus on regular and more robust assessments of infrastructure, application and API vulnerabilities alike. 

The Security of Critical Infrastructure (SOCI) Act provides a baseline for enterprise and public sector organisations to protect their digital channels and safeguard citizens. It applies to 11 wide-ranging critical infrastructure sectors – communications, financial services and markets, data storage and processing, defence, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage.

While the SOCI Act is a robust regulatory framework, it needs to continuously evolve to encompass new vulnerabilities and requirements to adequately protect digital channels. Even though the obligations and regulations apply to listed industry sectors (and those specific enterprises within these industries designated as critical infrastructure providers), SOCI offers more prescriptive advice for any organisation looking to improve its security posture. 

This is also a good starting point for Australian organisations not covered by the SOCI Act to strengthen cyber resilience by adopting as many guidelines as possible, including security hygiene, evolving cyber trends, as well overall structural improvements. Organisations also stand to benefit from showing commitment and accountability to security best practices to external customers, investors and internal stakeholders.

Of course, there is a significant onus on leadership to ‘buy in’ and secure their assets. Best practice is now increasingly commonplace – directors of organisations, senior leadership and CIOs pushing to develop their own working understanding of regulatory stipulations, the threat landscape to their organisations, and respective risk levels. Equally, the industries must continue to actively share and discuss relevant issues and interpret the direction that the regulations are taking. A good example is financial services where there’s a strong community built around understanding legislation, risk mitigation and best practices to stay ahead. 

Expanding the SOCI Act

There is potential to expand SOCI to bring other vital industries under its remit – for example, manufacturing, which is listed on the US critical infrastructure list. It encompasses a wide range of areas – from automotive to aerospace – and is essential to economic growth. Adding manufacturing to the SOCI Act could help address security risks to industrial control systems, supply chain production processes, as well as protection of critical manufacturing IP or intellectual property from cyber threats and disruption. Research and Development (R&D) institutions would also do well to comply with SOCI given the breadth of technological innovation, scientific knowledge and new technologies they are exposed to every day. 

Efficient movement of goods, materials and supplies across the country and border is vital for national and international trade. We have witnessed how international supply chains were badly affected following disruptions in the Red Sea. By addressing cybersecurity risks for logistics and supply chains at a national and international level, there is an opportunity to look at threats that could impact transportation networks and logistics infrastructure, and ensure the resilience of the local and global supply chain for Australia.

The need for cyber resilience

In a rapidly evolving digital world, organisations across the board must continue actively prioritising cyber resilience initiatives. Security fundamentals like multi-factor authentication, vulnerability assessment and patching, data encryption, and asset visibility are all non-negotiable in critical industries. In many instances, legacy or IoT technologies could be more susceptible to threats and attacks, requiring new containment strategies such as network microsegmentation to be implemented.

It is also essential to have continuous monitoring and analysis to identify suspicious activity for early threat containment. This improved cyber hygiene will strengthen data security, minimise operational vulnerabilities and improve overall security posture. It will also bolster the public confidence in the continuity, as well as the resilience of Australia’s essential services.

James Richmond
James Richmond is the Regional Director for Australia and New Zealand (ANZ) at Akamai Technologies, the cloud company that powers and protects life online. James leads Akamai's growth momentum and expansion in the region, guiding and enabling the local ANZ team to best represent Akamai’s cloud computing, security and delivery solutions to partners and customers. Prior to this role, James led Akamai’s Australian and New Zealand relationship teams engaging with Financial Services organisations & Public Sector agencies. Having joined Akamai in 2014, James is focused on helping organisations in highly regulated sectors improve their security and compliance postures while leveraging cloud technology to deliver exceptional digital experiences. James is a veteran in Australia’s tech sector with over two decades of experience in helping many of Australia’s largest organisations leverage technological innovation and closely integrated relationships to achieve successful business outcomes and manage risk. He has also previously worked with Computershare and First Data (now Fiserv). James holds a Bachelor of Economics and Commerce Management from Monash University in Melbourne and a Diploma in Financial Management at FINSIA. James is based in Melbourne, Australia.
Share This