Compliance

SOCI Act Investigation Requirements for Critical Infrastructure

Lewis Smith · 10 min read

The SOCI Act and Investigation Obligations

The Security of Critical Infrastructure Act 2018 (SOCI Act) creates a framework for protecting Australia’s critical infrastructure from threats across the personnel, physical, cyber and supply chain domains. The Act does not regulate investigation as such; it imposes incident reporting and risk management obligations on responsible entities, and the investigation function is what produces the facts, timelines and records those obligations depend on.

The SOCI Act applies to entities operating across eleven critical infrastructure sectors: communications; data storage or processing; defence industry; energy; financial services and markets; food and grocery; health care and medical; higher education and research; space technology; transport; and water and sewerage.

If your organisation operates within these sectors, your investigation function must be equipped to meet SOCI Act obligations.

Critical Infrastructure Risk Management Programs (CIRMPs)

The SOCI Act requires responsible entities for the asset classes covered by the CIRMP rules to adopt, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP), and to submit an annual report on it approved by the board or governing body. The CIRMP must address four hazard vectors:

1. Personnel Hazards

Personnel hazards cover trusted insiders who act maliciously, negligently or under coercion, as well as inadequate background screening of people with access to critical components. Investigation teams must be equipped to investigate personnel-related security incidents, including:

  • Insider threat investigations
  • Background check anomalies and adverse findings
  • Unauthorised access to critical systems or information
  • Suspicious behaviour flagged by security monitoring
  • Conflicts of interest involving critical roles

2. Physical Security and Natural Hazards

The CIRMP rules group physical security with natural hazards. Natural hazards are a matter of risk management rather than investigation, but physical security incidents affecting critical infrastructure assets require investigation:

  • Unauthorised access to critical facilities
  • Sabotage or tampering with critical assets
  • Physical security system failures
  • Theft of critical components or materials

3. Cyber Hazards

Cyber security incidents are the most time-sensitive investigation category under the SOCI Act, because Part 2B sets mandatory deadlines for reporting them to the Australian Signals Directorate (ASD):

  • Critical cyber security incidents (a significant impact on the availability of the asset): must be reported within 12 hours
  • Other cyber security incidents (an actual or likely relevant impact on the availability, integrity, reliability or confidentiality of the asset): must be reported within 72 hours

Both clocks start when the entity becomes aware of the incident, not when the incident began or when a sensor first fired, so the time of awareness should itself be recorded as evidence. A report may be made orally, in which case a written record must follow within 84 hours of the oral report. Investigation teams must be able to triage, classify and report within these windows while the investigation itself continues.

4. Supply Chain Hazards

Supply chain investigations address risks arising from dependencies on suppliers, vendors, and service providers:

  • Supplier compromise investigations
  • Supply chain integrity assessments
  • Third-party access incidents
  • Vendor security incident response

Cyber Incident Reporting and Investigation

The 12-Hour and 72-Hour Deadlines

The SOCI Act’s cyber incident reporting deadlines are among the most demanding in Australian regulation. The category is decided by the impact on the asset, not by the attack technique:

Critical cyber security incidents (12 hours): an incident that has had, or is having, a significant impact on the availability of the asset. Ransomware or destructive malware that halts the service is the typical case, but only because of the availability impact it causes.

Other cyber security incidents (72 hours): an incident that has had, is having, or is likely to have a relevant impact on the availability, integrity, reliability or confidentiality of the asset, for example:

  • Unauthorised access to, or modification of, systems or data relevant to the asset
  • An attempted compromise that is likely to affect the asset
  • Availability impacts that fall short of the “significant” threshold

Investigation Within Reporting Deadlines

The challenge for investigation teams is conducting meaningful investigation within these compressed timeframes. The initial report to ASD, whether oral or written, should cover:

  • Description of the incident
  • Impact assessment (actual and potential)
  • Systems and assets affected
  • Actions taken in response
  • Contact information for further follow-up

SentinelOps provides structured incident investigation workflows with deadline tracking, so that the reporting clock runs alongside the investigation rather than after it. The tamper-evident audit trail records when the entity became aware, when the incident was classified and when each report was made, which is the evidence a regulator will ask for when assessing whether the deadline was met and whether the investigation was pursued with appropriate urgency.
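As an added example (not SentinelOps code, and not part of the original page), the following Python sketches the two mechanisms the paragraph above relies on: a hash-chained timeline, so that any later edit to a recorded event is detectable, and deadline logic that derives the 12-hour, 72-hour and 84-hour windows from the recorded time of awareness rather than from a value typed in afterwards. The incident scenario, timestamps and event names are constructed for illustration; the windows and the critical/other test follow Part 2B of the Act.

```python
"""Tamper-evident investigation timeline with SOCI Act reporting-deadline checks."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statutory windows under Part 2B. Every clock starts when the entity becomes
# AWARE of the incident, not when the incident began or when a sensor fired.
CRITICAL_WINDOW = timedelta(hours=12)          # significant impact on availability
OTHER_WINDOW = timedelta(hours=72)             # relevant impact (availability/integrity/reliability/confidentiality)
WRITTEN_FOLLOWUP_WINDOW = timedelta(hours=84)  # written record after an ORAL report

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Event:
    seq: int
    ts: str        # ISO-8601, UTC
    kind: str      # "aware", "classified", "reported_oral", "reported_written", ...
    detail: dict
    prev_hash: str
    hash: str


def _digest(seq: int, ts: str, kind: str, detail: dict, prev_hash: str) -> str:
    # Canonical JSON so identical content always hashes identically.
    payload = json.dumps({"seq": seq, "ts": ts, "kind": kind, "detail": detail,
                          "prev": prev_hash}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Timeline:
    """Append-only list of events, each committing to the hash of its predecessor."""

    def __init__(self) -> None:
        self.events: list[Event] = []

    def append(self, kind: str, detail: dict, ts: datetime) -> Event:
        prev = self.events[-1].hash if self.events else GENESIS_HASH
        seq = len(self.events)
        ts_utc = ts.astimezone(timezone.utc).isoformat()
        ev = Event(seq, ts_utc, kind, detail, prev, _digest(seq, ts_utc, kind, detail, prev))
        self.events.append(ev)
        return ev

    def verify(self) -> tuple[bool, Optional[int]]:
        """Recompute every hash; return (ok, index of the first tampered entry)."""
        prev = GENESIS_HASH
        for i, ev in enumerate(self.events):
            if (ev.seq != i or ev.prev_hash != prev
                    or _digest(ev.seq, ev.ts, ev.kind, ev.detail, ev.prev_hash) != ev.hash):
                return False, i
            prev = ev.hash
        return True, None


def classify(significant_availability_impact: bool, relevant_impact: bool) -> Optional[str]:
    """'critical' only for a significant availability impact; 'other' for any relevant impact."""
    if significant_availability_impact:
        return "critical"
    return "other" if relevant_impact else None


def deadline_status(tl: Timeline) -> dict:
    """Derive the deadlines from the chain itself, so the record also evidences timeliness."""
    first: dict[str, Event] = {}
    for ev in tl.events:
        first.setdefault(ev.kind, ev)
    if "aware" not in first or "classified" not in first:
        raise ValueError("timeline needs 'aware' and 'classified' events")
    t_aware = datetime.fromisoformat(first["aware"].ts)
    category = first["classified"].detail["category"]
    due = t_aware + (CRITICAL_WINDOW if category == "critical" else OTHER_WINDOW)
    # The initial report is whichever report event, oral or written, came first.
    initial = next((e for e in tl.events if e.kind.startswith("reported_")), None)
    status = {"category": category, "initial_due": due.isoformat(),
              "initial_made": initial.ts if initial else None,
              "initial_on_time": bool(initial) and datetime.fromisoformat(initial.ts) <= due}
    if initial and initial.kind == "reported_oral":
        written_due = datetime.fromisoformat(initial.ts) + WRITTEN_FOLLOWUP_WINDOW
        written = first.get("reported_written")
        status["written_due"] = written_due.isoformat()
        status["written_on_time"] = bool(written) and datetime.fromisoformat(written.ts) <= written_due
    return status


def build_sample_timeline() -> Timeline:
    """Constructed scenario, not a real incident: ransomware halts a water asset's OT network."""
    tl = Timeline()
    t0 = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
    tl.append("aware", {"source": "SOC escalation", "summary": "OT network unavailable"}, t0)
    tl.append("classified", {"category": classify(True, True)}, t0 + timedelta(minutes=40))
    tl.append("reported_oral", {"channel": "phone to ASD"}, t0 + timedelta(hours=7, minutes=30))
    tl.append("reported_written", {"channel": "written record"}, t0 + timedelta(hours=80))
    return tl
```

Calling deadline_status() on the sample timeline reports the 12-hour deadline as 14:00 UTC and the written-record deadline as 84 hours after the 09:30 oral report, both met. Replacing any field of a stored event, or reordering events, makes verify() return False together with the index of the first entry whose hash no longer matches. In a real system the chain’s head hash would also be anchored outside the system that writes it (a write-once store or a timestamping service), because a hash chain held entirely by the same database can be rewritten end to end.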

Cross-Domain Investigation Challenges

SOCI Act investigations frequently span multiple hazard domains. A cyber incident may reveal a personnel hazard (insider threat). A physical security breach may involve supply chain compromise. A personnel investigation may uncover cyber security vulnerabilities.

Effective SOCI Act investigation requires:

  • Cross-domain case management: the ability to manage investigations that span personnel, physical, cyber, and supply chain hazards within a single platform
  • Multi-team collaboration: cyber security, physical security, HR, legal, and compliance teams may all be involved in a single investigation
  • Unified audit trail: a single, comprehensive audit trail across all investigation activities, regardless of which team or domain is involved
  • Evidence management: digital forensic evidence, physical security records, personnel files, and communications evidence managed with consistent chain-of-custody controls

SentinelOps provides this cross-domain investigation capability through a single case management platform with role-based access controls that allow different teams to collaborate on shared cases while maintaining appropriate information barriers.

Essential Eight and ISM Alignment

Essential Eight

The ASD’s Essential Eight mitigation strategies are the baseline cyber security framework for Australian organisations. They are not mandatory for all private sector entities, but for entities with a CIRMP obligation the rules name Essential Eight Maturity Level One as one of the frameworks that can satisfy the cyber and information security hazard requirement, so critical infrastructure entities should be able to demonstrate alignment.

Investigation platforms must themselves align with the eight strategies:

  • Patch applications: apply application patches within ASD’s recommended timeframes
  • Patch operating systems: apply OS patches within ASD’s recommended timeframes
  • Multi-factor authentication: MFA for all users
  • Restrict administrative privileges: limit admin access to those who genuinely require it
  • Application control: prevent unauthorised applications from executing
  • Restrict Microsoft Office macros: block macros in files from the internet
  • User application hardening: configure web browsers, PDF readers and Office to block malicious content
  • Regular backups: maintain backups that are tested and stored securely

Information Security Manual (ISM)

Government agencies and some critical infrastructure entities are assessed against the ISM. Investigation platforms handling classified or sensitive investigation data should align with ISM controls for:

  • Data classification and handling
  • Access control and authentication
  • Cryptographic standards
  • Network security
  • System monitoring and auditing

SentinelOps is designed to align with both the Essential Eight and ISM frameworks. See our Security page for details.

CIRMP Compliance Documentation

Investigation records form a critical component of CIRMP compliance documentation. Regulators assessing CIRMP adequacy will examine:

  • Incident investigation records: evidence that personnel, physical, cyber, and supply chain incidents are investigated promptly and thoroughly
  • Risk assessment updates: evidence that investigation findings inform CIRMP risk assessments
  • Control effectiveness: evidence that investigations identify control failures and trigger remediation
  • Trend analysis: investigation data demonstrating the organisation’s threat landscape and risk trajectory

SentinelOps reporting and analytics provide this documentation through automated dashboards, trend analysis, and compliance reports that demonstrate CIRMP effectiveness.

How SentinelOps Supports SOCI Act Compliance

SOCI Act requirement                     SentinelOps capability
Cyber incident reporting (12 hr/72 hr)   Incident investigation workflows with deadline tracking and escalation
CIRMP documentation                      Cross-domain case management with compliance reporting
Personnel hazard investigation           Case management with access controls and audit trails
Cross-domain investigations              Single platform supporting all hazard categories
Essential Eight alignment                Security architecture aligned with Essential Eight
Evidence preservation                    Chain-of-custody controls for all evidence types
Audit trail                              Immutable, tamper-evident logging of all investigation activity

Frequently Asked Questions

Does the SOCI Act apply to my organisation?

The SOCI Act applies to entities that own, operate, or hold a direct interest in critical infrastructure assets across the eleven sectors. The Secretary of the Department of Home Affairs maintains the Register of Critical Infrastructure Assets. Which obligations apply depends on the asset class: registration, cyber incident reporting and the CIRMP have each been switched on for specified asset classes by rules made under the Act, so check the rules for your asset class rather than assuming all three apply. If your organisation is a responsible entity for a covered asset, the corresponding obligations apply.

What is the penalty for failing to report a cyber incident?

Failure to report a cyber security incident within the required timeframe is a civil penalty provision. The Act also empowers the Minister to issue directions to responsible entities, and the Secretary of the Department of Home Affairs to issue information-gathering and action directions under the government assistance measures; failure to comply with a direction attracts further penalties.

Can SentinelOps handle classified information?

SentinelOps is designed for enterprise and government investigation environments with appropriate security controls. For organisations requiring platforms assessed at specific classification levels, contact us to discuss deployment options aligned with your security requirements.

How does SentinelOps integrate with our SOC?

SentinelOps integrates with SIEM platforms (Splunk, Microsoft Sentinel, QRadar, Elastic) through API and webhook infrastructure. Security alerts can automatically generate investigation cases, and investigation outcomes can feed back into SIEM analytics.

Does the SOCI Act require specific investigation software?

The SOCI Act does not mandate specific software. It does require incident reports within fixed windows and, for entities with a CIRMP obligation, a documented program and an annual board-approved report on it. Demonstrating that incidents were identified, classified and reported on time, and that findings fed back into the program, is significantly easier with purpose-built investigation software than with spreadsheets and email.

Your Next Investigation Deserves Better

See how SentinelOps transforms investigation management in a 30-minute investigator-led walkthrough. No sales pitch. Just the platform, your questions, and straight answers.

Currently serving Australian enterprise, government, and regulated industry organisations.