SOCI Act Investigation Management

The Security of Critical Infrastructure Act 2018, significantly expanded in 2021 and 2022, imposes mandatory investigation and reporting obligations on operators across 11 critical infrastructure sectors in Australia. From August 2024, Critical Infrastructure Risk Management Programs require structured approaches to personnel, physical, cyber, and supply chain hazards, with incident reporting to the Australian Signals Directorate within strict timeframes.

The Security of Critical Infrastructure Act: Australia’s Expanded Protection Framework

The Security of Critical Infrastructure Act 2018 (SOCI Act) was originally a relatively narrow piece of legislation focused on foreign ownership and control of critical infrastructure assets. The threat landscape changed that.

Following the 2020 cyber attacks on Australian organisations — attributed to a state-based actor and publicly addressed by Prime Minister Morrison — the Australian Government undertook a fundamental expansion of the SOCI Act through two amendment packages:

  • Security Legislation Amendment (Critical Infrastructure) Act 2021 — expanded the definition of critical infrastructure from 4 to 11 sectors, introduced mandatory cyber incident reporting, and established government assistance powers
  • Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 — introduced the Critical Infrastructure Risk Management Program (CIRMP) framework, enhanced cyber security obligations, and created sector-specific rules

The result is a comprehensive critical infrastructure protection regime that imposes investigation, risk management, and reporting obligations on a dramatically expanded set of Australian organisations.

The 11 Critical Infrastructure Sectors

The SOCI Act now covers critical infrastructure assets across 11 sectors. If your organisation operates in any of these sectors, you are likely subject to SOCI Act obligations:

  1. Communications — Telecommunications networks, broadcasting, and domain name systems
  2. Data storage or processing — Data centres and cloud services meeting asset thresholds
  3. Defence industry — Entities within the defence industrial base, including suppliers to the Department of Defence
  4. Energy — Electricity generation, transmission, and distribution; gas production and pipelines; liquid fuel refining, storage, and distribution
  5. Financial services and markets — Banks, superannuation, financial market infrastructure, and insurance
  6. Food and grocery — Major food and grocery supply chain entities, including processing, distribution, and retail above specified thresholds
  7. Health care and medical — Hospitals meeting bed thresholds, and entities critical to pharmaceutical supply chains
  8. Higher education and research — Universities meeting student enrolment or research income thresholds
  9. Space technology — Satellite and space-related systems and services
  10. Transport — Aviation, maritime, and freight infrastructure, including ports, airports, and freight services
  11. Water and sewerage — Water treatment, distribution, and sewerage systems

The breadth of coverage is significant. Organisations that previously had no critical infrastructure obligations — universities, food distributors, data centres — now face regulatory requirements that demand structured investigation and risk management capability.

Critical Infrastructure Risk Management Programs (CIRMPs)

From August 2024, responsible entities for specified critical infrastructure assets must have an operational CIRMP. The CIRMP framework requires organisations to identify, manage, and mitigate risks across four hazard domains:

Personnel Hazards

Personnel hazards include insider threats, workforce vulnerability, and the risk that individuals with access to critical infrastructure may cause harm through malicious action, coercion, or negligence. CIRMP obligations require organisations to:

  • Conduct background checking of personnel with access to critical assets
  • Identify and manage personnel-related risks, including those arising from foreign influence or coercion
  • Investigate personnel security incidents and potential insider threats
  • Maintain records of personnel risk assessments and investigations

Physical Security Hazards

Physical security hazards encompass unauthorised access, sabotage, natural disasters, and physical disruption to critical infrastructure assets. Organisations must:

  • Assess physical security risks to critical assets
  • Implement proportionate physical security controls
  • Investigate physical security incidents and near-misses
  • Maintain evidence of physical security risk management

Cyber Security Hazards

Cyber security hazards represent the risk domain that drove the SOCI Act’s expansion. Organisations must:

  • Implement cyber security measures proportionate to the criticality of their assets
  • Detect, respond to, and investigate cyber security incidents
  • Report significant cyber security incidents to the Australian Signals Directorate (ASD) within prescribed timeframes
  • Align cyber security practices with recognised frameworks, particularly the Australian Government’s Essential Eight and the Information Security Manual (ISM)

Supply Chain Hazards

Supply chain hazards recognise that critical infrastructure depends on complex supplier networks, and that a vulnerability in a supplier can compromise the critical asset itself. Organisations must:

  • Map and assess supply chain risks to critical assets
  • Identify critical suppliers and assess their security posture
  • Investigate supply chain incidents that may affect critical infrastructure
  • Maintain records of supply chain risk assessments and remediation actions

Cyber Incident Reporting to ASD

The SOCI Act imposes mandatory cyber incident reporting obligations on responsible entities. These obligations are operationally demanding:

Critical cyber security incidents must be reported to the Australian Signals Directorate within 12 hours of the entity becoming aware that the incident is occurring or has occurred. A critical incident is one that has a significant impact on the availability of the critical infrastructure asset.

Other cyber security incidents that are relevant to the critical infrastructure asset must be reported within 72 hours. These include incidents that could reasonably be expected to have a relevant impact on the asset, even if the impact has not yet materialised.

Reports must include details of the incident, the affected systems, the impact or potential impact, and the response actions taken. These are not superficial notifications; they require substantive investigation and analysis within compressed timeframes.

Investigation Obligations Under the SOCI Act

The SOCI Act creates investigation obligations that span all four hazard domains. Unlike some regulatory frameworks where investigation is implied, the SOCI Act’s CIRMP requirements make investigation an explicit component of risk management.

Personnel investigations. When a personnel hazard is identified — whether through background checking, behavioural indicators, or a reported incident — the organisation must investigate, assess the risk, and implement appropriate controls. This may range from enhanced monitoring to removal of access. Every step must be documented.

Physical security investigations. Breaches of physical security, unauthorised access attempts, and security system failures must be investigated to determine cause, assess impact, and implement corrective actions. Investigation records must demonstrate that the response was proportionate to the risk.

Cyber security investigations. Cyber incidents require rapid investigation to determine scope, impact, and attribution where possible. Investigation records feed directly into the mandatory reporting to ASD and must be sufficiently detailed to support the report’s content requirements.

Supply chain investigations. When a supply chain compromise is suspected or identified, the organisation must investigate the nature and extent of the compromise, assess the impact on the critical asset, and take remediation action. Supply chain investigations are often the most complex, as they involve third-party entities with their own security environments.

Cross-domain investigations. Many critical infrastructure incidents span multiple hazard domains. A cyber intrusion facilitated by an insider (personnel + cyber), a physical security breach exploited through a compromised supplier (physical + supply chain), or a personnel hazard identified through cyber security monitoring (personnel + cyber) all require investigation capability that can operate across domains without losing coherence.

Essential Eight and ISM Alignment

The SOCI Act does not prescribe specific cyber security controls, but the explanatory materials and regulatory guidance strongly reference the Australian Government’s Essential Eight Maturity Model and the Information Security Manual (ISM) maintained by the Australian Cyber Security Centre (ACSC).

Responsible entities are expected to demonstrate alignment with these frameworks, particularly:

  • Essential Eight Maturity Level 2 as a baseline for most critical infrastructure entities
  • ISM controls relevant to the entity’s threat environment and asset criticality
  • ASD’s cyber security advisories as they relate to the entity’s sector

Investigation processes must demonstrate that cyber incidents are assessed against these frameworks and that remediation actions address identified gaps in Essential Eight or ISM compliance.

Who Is Affected?

The SOCI Act’s expanded coverage means that investigation obligations now apply to organisations that may not have previously considered themselves part of critical infrastructure:

  • Universities with significant research programs or student populations above thresholds
  • Data centre operators and cloud service providers meeting asset value or capacity thresholds
  • Food and grocery businesses operating processing, distribution, or retail above specified thresholds
  • Private hospitals meeting bed count thresholds
  • Energy retailers and generators across electricity, gas, and liquid fuel
  • Telecommunications carriers and carriage service providers
  • Financial institutions including banks, insurers, and superannuation trustees
  • Defence industry suppliers including SMEs in the defence supply chain
  • Transport operators including ports, airports, and freight logistics providers
  • Water and sewerage utilities across metropolitan and regional areas

For many of these entities, the SOCI Act represents their first encounter with structured investigation and reporting obligations from a national security perspective.

How SentinelOps Supports SOCI Act Compliance

SentinelOps provides the investigation case management capability that SOCI Act compliance demands across all four hazard domains:

Cross-domain case management. SentinelOps manages investigations across personnel, physical, cyber, and supply chain hazard domains within a single platform. When an incident spans multiple domains, the investigation remains coherent rather than fragmenting across different tools and teams.

Structured incident investigation workflows. SentinelOps provides configurable investigation workflows aligned to the CIRMP framework. These workflows guide investigators through the required steps — identification, assessment, response, documentation, and reporting — ensuring that nothing is missed under operational pressure.

Audit trails for regulatory reporting. Every action, decision, and communication within a SentinelOps case is automatically logged with timestamps and user attribution. When you need to demonstrate to the Cyber and Infrastructure Security Centre (CISC) or ASD that your investigation was thorough and timely, the evidence is already there.

Incident reporting support. SentinelOps tracks the 12-hour and 72-hour reporting deadlines for cyber security incidents and generates the structured information that ASD reporting requires. Investigators can focus on the incident response rather than the administrative burden of assembling a report under time pressure.

Essential Eight and ISM alignment tracking. SentinelOps allows organisations to document their Essential Eight maturity posture and ISM alignment, linking investigation findings to specific control gaps and remediation actions.

OSINT integration. SentinelOps integrates open-source intelligence capabilities, enabling investigators to enrich personnel investigations with external data sources, assess supply chain risks through public information, and support cyber threat analysis with external threat intelligence.

Personnel security case management. For personnel hazard investigations — insider threat assessments, background checking anomalies, behavioural concerns — SentinelOps provides the secure, compartmented case management that these sensitive matters require. Access controls ensure that personnel investigations are visible only to those with a legitimate need to know.

Frequently Asked Questions

Which organisations are covered by the SOCI Act?

The SOCI Act applies to responsible entities for critical infrastructure assets across 11 sectors: communications, data storage or processing, defence industry, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage. Whether your specific asset is covered depends on sector-specific thresholds defined in the Security of Critical Infrastructure (Definitions) Rules.

What is a CIRMP and when did it become mandatory?

A Critical Infrastructure Risk Management Program (CIRMP) is a documented risk management program covering personnel, physical, cyber, and supply chain hazards to a critical infrastructure asset. CIRMPs became mandatory from August 2024, with responsible entities required to adopt, maintain, and comply with their programs on an ongoing basis. Annual reports on CIRMP compliance must be provided to the relevant Commonwealth regulator.

What are the cyber incident reporting timeframes?

Critical cyber security incidents must be reported to the Australian Signals Directorate within 12 hours of the entity becoming aware of the incident. Other relevant cyber security incidents must be reported within 72 hours. These timeframes are tight and require investigation processes that can rapidly assess and document incidents.

Does the SOCI Act apply to suppliers and subcontractors?

The SOCI Act applies to responsible entities for critical infrastructure assets, not directly to their suppliers. However, the CIRMP framework requires responsible entities to manage supply chain hazards, which includes assessing and monitoring the security posture of critical suppliers. In practice, this means that suppliers to critical infrastructure operators will face increasing security and compliance expectations from their customers.

How does the SOCI Act interact with state-based critical infrastructure regulation?

The SOCI Act is Commonwealth legislation and operates alongside state and territory frameworks. Some sectors, particularly energy and water, have existing state-based regulatory requirements. The SOCI Act adds a national security overlay to these existing obligations. Organisations in these sectors may need to comply with both Commonwealth and state requirements.

Build SOCI Act Investigation Capability

The SOCI Act’s expanded scope and CIRMP requirements have created investigation obligations across domains that many organisations have never managed in an integrated way. Personnel, physical, cyber, and supply chain investigations each have their own methodologies, but under the SOCI Act, they must operate within a coherent risk management framework.

SentinelOps delivers the cross-domain investigation case management that critical infrastructure operators need, built by Australians with direct experience in security operations and regulatory compliance environments.

Book a demo and see how SentinelOps makes SOCI Act compliance operational across all four hazard domains.

Your Next Investigation Deserves Better

See how SentinelOps transforms investigation management in a 30-minute investigator-led walkthrough. No sales pitch. Just the platform, your questions, and straight answers.

Currently serving Australian enterprise, government, and regulated industry organisations.