Full Report
Australia's critical infrastructure leaders must master a complex array of regulations and frameworks, including the SOCI Act, the SLACI Act (Security Legislation Amendment (Critical Infrastructure) Act 2021), and the AESCSF. The requirements call for board-level compliance, incident reporting, and bolstering OT cyber resilience against rising geopolitical threats.

Key takeaways:

- Mandatory compliance with Australia's critical infrastructure regulations demands board-level action, elevating compliance beyond IT to become a governance and financial risk issue.
- For the energy, gas, and water sectors, the Australian Energy Sector Cyber Security Framework (AESCSF) is the key to demonstrating compliance. Organizations can use its structure to streamline asset scoping, risk treatment, and supply-chain security across IT and operational technology (OT) systems.
- The focus for critical infrastructure operators must shift from basic reporting to proactive risk mitigation across cyber, physical, and supply-chain hazards to pre-empt government intervention.

Australia's critical infrastructure owners face a rapidly expanding set of obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act) and sector-specific frameworks such as the AESCSF. Electricity, gas, water, and transport entities must establish comprehensive governance, risk, and compliance programs that satisfy broad legislative duties and detailed technical standards.

This blog post maps the regulatory landscape, explains the mandatory controls, and sets out a pragmatic roadmap to help boards and executives achieve and maintain compliance in 2025 and beyond. While the regulations and frameworks detailed in this blog are specific to Australia, they offer important guidance for improving cybersecurity strategies that can benefit critical infrastructure operators worldwide.

## The strategic importance of critical infrastructure

Australia now designates 11 sectors, including energy, water, and transport, as critical because disruption "would significantly impact the social or economic wellbeing of the nation." The policy response has been to hardwire security by legislating minimum cyber, physical, and supply-chain safeguards and giving government powers to intervene in emergencies. Recent geopolitical tensions and high-profile ransomware attacks have accelerated reform, culminating in the Cyber Security Act 2024 and the SOCI amendment, the Enhanced Response and Prevention (ERP) Act 2024, which tighten requirements and introduce new reporting triggers.

## Australian critical infrastructure regulatory framework overview

### Security of Critical Infrastructure Act 2018

SOCI is the umbrella statute. It imposes three core Positive Security Obligations (PSO) on most critical assets, and Enhanced Cyber Security Obligations (ECSO) on Systems of National Significance (SoNS).

Positive Security Obligations (PSO):

- Registration of ownership and operational details in the Critical Infrastructure Asset Register.
- Mandatory cyber-incident reporting to the Australian Cyber Security Centre (ACSC): within 12 hours for "significant" incidents and within 72 hours for "relevant" incidents.
- Adoption and maintenance of a written Critical Infrastructure Risk Management Program (CIRMP) addressing cyber, personnel, supply-chain, and physical hazards.

CIRMP scope and deadlines:

- Identify material risks with potential relevant impact on the availability, integrity, reliability, or confidentiality of systems and information.
- Define critical components and interdependencies.
- Establish processes to minimize or mitigate risk.
- CIRMP adoption was required beginning Aug. 18, 2024; the 2024-2025 reporting period is the first requiring entities to report.
- Protection of business-critical data, and of the secondary systems holding it, came into scope under the CIRMP beginning Apr. 4, 2025, via the Enhanced Response and Prevention Act and the 2025 Measures Rules.

Enhanced Cyber Security Obligations (ECSO):

For critical infrastructure assets designated as SoNS, additional obligations may apply on top of the PSO/CIRMP requirements. The obligations include:

- developing cybersecurity incident response plans
- undertaking cybersecurity exercises to build cyber preparedness
- undertaking vulnerability assessments to identify vulnerabilities for remediation
- providing system information to develop and maintain a near-real-time threat picture

### How the SOCI Act interacts with other laws and standards

Critical infrastructure operators also need to be mindful of other regulations that intersect with SOCI Act requirements, including:

- The Privacy Act 1988 (Notifiable Data Breaches scheme), which applies to personal data processed by critical infrastructure operators.
- The Cyber Security Act 2024, which adds ransomware payment reporting and IoT security standards, with staged commencement dates through 2026.
- Occupational safety, environmental, and sectoral licensing laws, which overlap with SOCI physical-security controls and therefore require integrated governance.

### Sector-specific obligations matrix

The SOCI Act differentiates obligations by sector and asset class. The matrix below summarizes applicability for electricity, gas, water, and transport operators.

[Sector-specific obligations matrix: table not reproduced in this extract. Source: Tenable, November 2025]

Key insights:

- Energy, water, and most transport assets must comply with all three PSOs; only SoNS assets trigger ECSO automatically.
- Within the transport sector, ports and freight networks already required CIRMPs, while aviation assets had a switch-on date of April 2025.

## The Australian Energy Sector Cyber Security Framework (AESCSF)

### Purpose and structure

The AESCSF provides a maturity model tailored to OT environments across electricity, gas, and liquid fuels. It aligns with the U.S. Cybersecurity Capability Maturity Model (C2M2), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and ISO 27001. It is recognized as an approved cybersecurity framework under the CIRMP requirements from August 2024.

[AESCSF structure diagram: figure not reproduced in this extract. Source: Tenable, November 2025]

- Security Profiles (SP-1 to SP-3) set target states linked to entity criticality: low-criticality entities aim for SP-1, medium for SP-2, and high-criticality or SoNS assets for SP-3.
- Maturity Indicator Levels (MIL-1 to MIL-3) gauge practice depth across 11 domains, from risk management to OT architecture.

### Integration with SOCI

Entities were required to demonstrate compliance with section 8 of the CIRMP Rules by achieving AESCSF SP-1 (or equivalent ISO 27001 maturity) by Aug. 18, 2024. Board-signed annual reports must attest to progress and gaps each September.

## Deep dive: Obligations by sector

Responsible entities for specified critical infrastructure assets face various penalties for failing to meet CIRMP-related obligations. Penalties vary depending on the violation, but can result in a maximum daily penalty of $660,000 (AUD).

The regulations and frameworks detailed above have specific requirements for each critical infrastructure sector, as follows:

### Electricity and gas

- Since many generation, transmission, and pipeline operators are SoNS, they must undertake ministerially directed cyber exercises and, when requested, provide live telemetry to the Australian Signals Directorate (ASD), the government's cybersecurity and foreign signals intelligence agency.
- AESCSF SP-2 is the benchmark for most transmission and market-operator entities.

### Water and sewerage

- Required to register assets, implement CIRMPs, and report incidents; this requirement came into effect in February 2023.
- High-criticality treatment plants are potential SoNS; boards should prepare for ECSO compliance pre-emptively.
- Incident-reporting thresholds mirror the energy rules; utilities must report any OT breach that threatens safe supply within 12 hours.

### Transport (ports, freight, aviation, public transport)

- Critical ports and freight networks were already subject to CIRMP and incident-reporting requirements; aviation operators and critical telecommunications providers came into scope in April 2025.
- Port operators are advised to align their International Ship and Port Facility Security (ISPS) Code physical-security plans with the CIRMP to avoid duplication.
- Transport SoNS (e.g., national rail control) face ECSO directives focused on real-time network visibility.

## Compliance timeline and milestones

[Compliance timeline chart: figure not reproduced in this extract. Source: Tenable, November 2025]

Notable dates:

- April 4, 2025: Telecommunications Security and Risk Management Program rules (Schedule 5 of the Enhanced Response and Prevention (ERP) Act 2024) commenced, extending CIRMP obligations to carrier assets.
- May 30, 2025: Ransomware payment reporting rules under the Cyber Security Act 2024 commenced for all SOCI entities.
- March 4, 2026: Mandatory security standards for smart (IoT) devices supplied in Australia take effect, including devices used by critical infrastructure operators.

## Building a compliant governance program

### Board oversight

Directors must approve the CIRMP, set the risk appetite, and receive quarterly cyber-risk updates. Failure to do so may breach Corporations Act duty-of-care provisions. Below are seven practical steps CISOs and other cybersecurity leaders can take to support compliance efforts.

### Practical steps for security leaders

1. Asset scoping: Map OT, IT, and data-storage systems; confirm SOCI asset-class status.
2. Gap assessment: Benchmark against the AESCSF SP target; identify missing controls and anti-patterns.
3. Risk treatment: Focus on AESCSF Priority Practices and Essential Eight controls; integrate with an ISO 27001 Information Security Management System (ISMS) where possible.
4. Incident readiness: Align response plans with ECSO templates; exercise annually with the ASD and the sector Computer Security Incident Response Team (CSIRT).
5. Supply-chain security: Flow SOCI clauses down to contractors; conduct vendor cyber-risk assessments.
6. Data-services notices: Issue written notifications to all external SaaS and cloud providers storing business-critical data.
7. Reporting loop: File the CIRMP annual report by September 28 each year; update the Register within 30 days of any material change.

### Enforcement and penalties

Home Affairs can issue remediation directions for "seriously deficient" CIRMPs and apply daily fines until they are rectified. For SoNS, non-compliance with an ECSO direction can trigger civil or criminal penalties, and the government may assume control to restore services under the Part 3A emergency powers.

### Additional recommendations

- Adopt a single, enterprise-wide CIRMP and avoid siloed asset plans, to streamline board oversight.
- Choose the AESCSF as the anchor framework for electricity, gas, and water assets; map transport controls where relevant.
- Reach SP-1 (or higher) now and document a board-approved roadmap to SP-2/SP-3 within two years.
- Embed supply-chain clauses requiring subcontractors to co-operate with SOCI incident reporting and audits.
- Align with Essential Eight Maturity Level 2 as an interim technical baseline, pending full AESCSF implementation.

## Conclusion

Australia's regulatory regime now demands demonstrable, board-level assurance that critical infrastructure is resilient to cyber, physical, and supply-chain threats. By integrating SOCI Act obligations with the AESCSF maturity model and global standards, electricity, gas, water, and transport operators can achieve compliance and strengthen operational resilience and stakeholder trust.

Learn more:

- How to Remediate Risk to Critical OT/IoT Systems Without Disrupting Operations
- Applying Tenable's Risk-based Vulnerability Management to the Australian Cyber Security Centre's Essential Eight
Analysis Summary
# Regulation/Compliance: Australian Critical Infrastructure Security Regime (SOCI Act & Related Frameworks)
## Overview
This framework mandates minimum cyber, physical, and supply-chain security safeguards for entities owning or operating Australia's critical infrastructure sectors. Compliance is now a board-level governance and financial risk issue, requiring proactive risk mitigation across IT and Operational Technology (OT) systems, moving beyond basic reporting.
## Key Details
- Issuing Authority: Australian Government (Home Affairs, ACSC)
- Effective Date: SOCI Act 2018 is in effect, with significant amendments and reporting obligations commencing through 2025 and beyond (e.g., CIRMP from Aug 18, 2024).
- Jurisdiction: Australia (Mandatory compliance for designated critical infrastructure assets).
- Status: In Effect (with ongoing amendments and staggered commencement dates).
## Requirements
### Mandatory Requirements
1. **Registration:** Register ownership and operational details in the Critical Infrastructure Asset Register.
2. **Incident Reporting (PSOs):** Report cyber incidents to the Australian Cyber Security Centre (ACSC) within **12 hours** for "significant" incidents and **72 hours** for "relevant" incidents.
3. **Critical Infrastructure Risk Management Program (CIRMP) (PSO):** Adopt and maintain a written CIRMP addressing cyber, personnel, supply-chain, and physical hazards.
4. **CIRMP Scope:** The CIRMP must identify material risks impacting availability, integrity, reliability, or confidentiality; define critical components and interdependencies; and establish risk minimization/mitigation processes.
5. **Business-Critical Data Protection (CIRMP):** Protect business-critical data and the secondary systems holding it; this has been within CIRMP scope since **April 4, 2025** (via the ERP Act 2024 and 2025 Measures Rules).
6. **Enhanced Cyber Security Obligations (ECSO - for Systems of National Significance (SoNS)):** Obligations layered on top of PSOs, including developing incident response plans, undertaking cybersecurity exercises, conducting vulnerability assessments, and maintaining near-real-time threat pictures.
7. **Sector-Specific Compliance:** Electricity, gas, and water entities can use the **AESCSF**, an approved framework under the CIRMP Rules, to demonstrate the CIRMP cybersecurity framework requirement (section 8), particularly for OT environments.
8. **Board Oversight:** Directors must approve the CIRMP, set the risk appetite, and receive quarterly cyber-risk updates, or risk breaching Corporations Act duty-of-care provisions.
9. **Annual Reporting:** Submit board-signed annual reports attesting to CIRMP progress and identified gaps every **September**.
### Recommended Practices
1. **Anchor Framework:** For energy, water, and gas, use the **AESCSF** as the anchor framework to manage OT cyber resilience and streamline risk treatment.
2. **Maturity Target:** Aim to achieve AESCSF **Security Profile (SP)-1** maturity or equivalent ISO 27001 maturity immediately (required by Aug 18, 2024), with a roadmap to SP-2/SP-3 within two years.
3. **Interim Technical Baseline:** Align with **Essential Eight Maturity Level 2** as an interim technical safeguard pending full AESCSF implementation.
4. **Supply Chain:** Embed clauses in contracts requiring subcontractors to cooperate with SOCI incident reporting and audits.
## Affected Organizations
- Industries: Energy (Electricity, Gas, Liquid Fuels), Water and Sewerage, Transport (Ports, Rail, Aviation, Freight).
- Organization Size: Entities owning or operating critical infrastructure assets designated by the Australian Government (11 sectors designated).
- Geographic Scope: Australia.
## Compliance Timeline
- **August 18, 2024:** CIRMP adoption required. Entities must demonstrate initial compliance against CIRMP Rules section 8 (achieving AESCSF SP-1 or equivalent).
- **September (Annually):** Deadline for filing the board-signed CIRMP annual report.
- **February 2023:** Requirements came into effect for Water and Sewerage sectors.
- **April 2025:** Aviation assets required to implement CIRMPs.
- **April 4, 2025:** CIRMP obligations (via **ERP Act 2024**) extended to cover protection of business-critical data and secondary systems.
- **May 30, 2025:** Ransomware payment reporting rules under the Cyber Security Act 2024 commence for all SOCI entities.
- **March 4, 2026:** Mandatory security standards for smart (IoT) devices supplied in Australia take effect, including devices used by critical infrastructure operators.
## Implementation Guidance
### Assessment Phase
- **Asset Scoping:** Map OT, IT, and data-storage systems; confirm facility status under SOCI (including SoNS designation).
- **Gap Assessment:** Benchmark current security posture against the mandatory PSOs/ECSOs and the target state defined by the AESCSF Security Profile (SP-1/SP-2).
### Implementation Phase
- **CIRMP Development:** Create a single, enterprise-wide CIRMP covering cyber, physical, and supply-chain hazards.
- **Risk Treatment:** Focus risk mitigation efforts on **AESCSF Priority Practices** and **ACSC Essential Eight** controls.
- **Supply Chain:** Issue Data-Services notices to external cloud/SaaS providers storing business-critical data.
### Validation Phase
- **Exercises:** Align incident response plans with ECSO templates and conduct required cybersecurity exercises (especially SoNS assets, some directed by the Minister through ASD).
- **Reporting:** Ensure the timeline for incident reporting (12/72 hours) is rigorously tested.
## Technical Requirements
- **OT Focus:** Specific tailoring required for OT environments, primarily guided by the **AESCSF** maturity model (MILs 1-3 across 11 domains).
- **SoNS Requirement:** Maintaining a near-real-time threat picture (for SoNS assets).
- **IoT Security:** Compliance with the mandatory security standards for supplied smart devices (from March 4, 2026).
## Penalties & Enforcement
- **Fines:** Failure to meet CIRMP obligations can result in a maximum daily penalty of **$660,000 AUD**.
- **Other Consequences:**
- Home Affairs can issue **Remediation Directions** for "seriously deficient" CIRMPs, with fines accruing until rectification.
- Non-compliance with an **ECSO direction** can trigger civil or criminal penalties.
- In extreme cases (emergency powers, Part 3A), the government may assume operational control to restore services.
- **Enforcement:** Oversight by the Department of Home Affairs, reporting via the ACSC.
## Related Standards
- **Australian Energy Sector Cyber Security Framework (AESCSF):** The recognized framework for energy, gas, and water sectors for CIRMP compliance. Aligns with NIST CSF, C2M2, and ISO 27001.
- **ACSC Essential Eight:** Recommended as an interim technical baseline.
- **ISO 27001:** Can be used to demonstrate equivalent maturity to AESCSF requirements.
- **Corporations Act 2001:** Directors could face breach fines for failing in their duty-of-care regarding cyber risk governance.
- **Privacy Act 1988:** Applies to personal data processing (Notifiable Data Breach scheme).
## Resources
- Official Documentation: **Security of Critical Infrastructure Act 2018 (SOCI Act)** and amendments via the **Enhanced Response and Prevention (ERP) Act 2024**.
- Guidance Documents: **AESCSF** documentation detailing Security Profiles (SP-1 to SP-3).
- Tools: Use vulnerability management tools applied against the **Essential Eight** maturity model as a step toward AESCSF compliance.
## Practical Recommendations
1. **Single CIRMP:** Institute one enterprise-wide CIRMP rather than siloed asset plans to simplify board oversight and reporting.
2. **Framework Anchoring:** Use AESCSF as the primary control standard for energy, water, and gas assets, mapping and extending relevant controls to transport assets.
3. **Governance Integration:** Ensure board discussions track risk appetite, mandate quarterly updates, and formally approve the CIRMP to meet legal governance duties.
4. **Supply Chain Rigor:** Mandate subcontractors flow down key SOCI reporting and audit cooperation clauses.
5. **Roadmap:** Immediately aim for AESCSF SP-1 compliance, and document a board-approved path to SP-2/SP-3 maturity within a two-year timeframe.