ITCSAU - Advising Sovereignty in a Digital Age
Framework | Energy & Resources | 9 min read

SOCI Act Compliance: Beyond the Checklist

"A compliant Risk Management Program will not stop a nation-state actor. It will only provide a paper trail for the inevitable board inquiry—and by then, step-in powers may already be on the table."

The Liability Reality

When the Security of Critical Infrastructure Act 2018 was significantly expanded through the Enhanced Response and Prevention Act in December 2024, it represented more than a regulatory uplift. It was a transfer of liability directly onto the boards of critical infrastructure operators.

Energy sector executives need to understand what actually changed: the government can now compel responsible entities to vary deficient Risk Management Programs. The Cyber and Infrastructure Security Centre (CISC) has commenced its 2025 audit program. And the "all-hazards" expansion means these powers now extend beyond cyber incidents to floods, fires, and supply chain disruptions.

The response across the sector has been predictable. Consultants engaged. Checklists drafted. Risk Management Programs filed with the Cyber and Infrastructure Security Centre. Boxes ticked.

Yet boards remain dangerously exposed—not because they failed to comply, but because compliance and resilience are fundamentally different things.

The Audit Reality

This is not theoretical. In early 2025, the CISC directed multiple critical infrastructure operators to rectify serious deficiencies within 90 days. Common findings included incomplete OT asset visibility, inadequate contractor access controls, and Risk Management Programs that failed to address the expanded "all-hazards" scope introduced in December 2024.

Organisations that assumed their 2023-vintage compliance documentation remained adequate discovered otherwise. The regulatory posture has shifted from guidance to enforcement.

The Insurance Gap

Here is what keeps general counsel awake at night: cyber insurance policies are increasingly excluding nation-state attacks and critical infrastructure events. The risk that boards thought they had transferred to insurers is migrating back onto their balance sheets—and their personal liability.

A SOCI-compliant Risk Management Program does not change this calculus. It documents that you tried. It does not demonstrate that you succeeded.

When—not if—the government exercises its step-in powers, the question will not be "Were you compliant?" It will be "Were your controls effective?" The distinction determines whether boards face regulatory sanction or reputational survival.

The Legacy Debt Problem

The IT/OT (Information Technology/Operational Technology) convergence narrative has become a cliché precisely because the energy sector has failed to honestly confront what convergence means in practice.

Energy infrastructure operates on thirty-year investment cycles. A turbine controller commissioned in 2005 was not designed to be patched like a laptop. A SCADA (Supervisory Control and Data Acquisition) system deployed in 2010 was never intended to connect to enterprise networks. Yet here we are.

The uncomfortable truth: integration is often technically impossible for legacy assets. You cannot bolt modern security onto systems that predate modern threats.

Effective SOCI compliance requires acknowledging this constraint rather than pretending it away. The answer is not better collaboration between IT and OT teams—though that matters. The answer is rigorous segmentation, compensating controls, and honest assessment of what can and cannot be protected.

This means:

  • Network architecture that assumes breach rather than prevents it. Legacy OT systems should be isolated within defensible enclaves, with monitoring at every boundary.

  • Compensating controls that address risks where patching is impossible. If you cannot update the firmware, you can monitor the traffic patterns. If you cannot encrypt the protocol, you can restrict the access paths.

  • Explicit risk acceptance documented at board level. Some legacy systems present risks that cannot be fully mitigated within operational constraints. Boards must understand and formally accept these residual risks—not discover them during an incident.

Supply Chain: The Software Bill of Materials Imperative

The SOCI Act explicitly addresses supply chain risk, yet this remains the most underdeveloped aspect of most Risk Management Programs.

In 2025, the technical standard boards need to understand is the Software Bill of Materials (SBOM). An SBOM is an inventory of every component in your software stack—the dependencies, libraries, and modules that comprise the systems controlling your critical infrastructure.

Why does this matter? Because the SolarWinds attack succeeded not by compromising SolarWinds directly, but by inserting malicious code into a component that SolarWinds itself depended upon. Without an SBOM, you cannot know what your systems actually contain. Without knowing what your systems contain, you cannot assess supply chain risk meaningfully.

Energy organisations should be asking their OT vendors:

  • Can you provide a complete SBOM for every system deployed in our environment?
  • What is your process for monitoring vulnerabilities in third-party components?
  • How quickly can you issue patches when upstream dependencies are compromised?

For most energy organisations, the honest answers to these questions remain unsatisfactory. Addressing them requires sustained effort over years, not a checkbox exercise completed before an audit.
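As an added example (not code from the original article), the Python script below shows what an SBOM makes possible: it parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory list by package identifier and affected version range, and flags any component the vendor listed without a package identifier as unassessable rather than silently skipping it. The SBOM contents, advisory identifiers and the dotted-integer version comparison are assumptions made for this example.

```python
"""Cross-check a CycloneDX-style SBOM against a vulnerability advisory list.
Added example: SBOM, advisories and the version logic are constructed here."""
import json

# Constructed sample SBOM in CycloneDX JSON layout (not a real vendor document).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-modbus-stack", "version": "3.1.4",
     "purl": "pkg:generic/example-modbus-stack@3.1.4"},
    {"type": "library", "name": "example-opcua-lib", "version": "1.3.9",
     "purl": "pkg:generic/example-opcua-lib@1.3.9"},
    {"type": "library", "name": "legacy-hmi-runtime", "version": "2.0"}
  ]
}"""

# Constructed advisories: purl without version plus the affected range
# [introduced, fixed). Ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:generic/example-modbus-stack", "introduced": "3.0.0", "fixed": "3.1.7"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:generic/example-opcua-lib", "introduced": "1.0.0", "fixed": "1.3.5"},
]

def version_key(version):
    # Assumption: purely dotted-integer versions; real schemes need more care.
    return tuple(int(p) for p in version.split("."))

def parse_sbom(text):
    """One dict per component; 'purl' is None when the vendor omitted it."""
    comps = []
    for c in json.loads(text).get("components", []):
        purl = c.get("purl")
        comps.append({"name": c["name"], "version": c["version"],
                      "purl": purl.rsplit("@", 1)[0] if purl else None})
    return comps

def find_exposures(components, advisories):
    """Report affected components and surface unidentifiable ones explicitly."""
    findings = []
    for comp in components:
        if comp["purl"] is None:
            # No identifier means no matching is possible: a visibility gap.
            findings.append({"name": comp["name"], "status": "unidentified"})
            continue
        for adv in advisories:
            if adv["purl"] == comp["purl"] and \
                    version_key(adv["introduced"]) <= version_key(comp["version"]) < version_key(adv["fixed"]):
                findings.append({"name": comp["name"], "status": "affected",
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings
```

Running `find_exposures(parse_sbom(SBOM_JSON), ADVISORIES)` reports the modbus stack as affected and the legacy runtime as unidentified, while the OPC UA library, already past the fixed version, is not flagged.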

The Resilience Maturity Model

Moving from compliance to capability requires a clear framework. We propose a three-tier maturity model:

Tier 1: Compliant

  • Risk Management Program documented and filed
  • Annual board attestation completed
  • Incident reporting procedures established

Reality: You satisfy the regulator. You may not survive an attack.

Tier 2: Integrated

  • IT and OT security functions unified under common governance
  • Real-time monitoring across converged environments
  • Supply chain risk assessment including SBOM requirements
  • Segmentation architecture implemented for legacy assets

Reality: You can detect and contain most incidents. Recovery may be prolonged.

Tier 3: Resilient

  • Continuous threat intelligence integration
  • Tested incident response with OT-specific playbooks
  • Compensating controls validated through red team exercises
  • Board-level risk acceptance for residual exposures
  • Crisis communication and regulatory liaison protocols exercised

Reality: You can absorb and recover from sophisticated attacks while maintaining critical operations.

Most energy organisations operate at Tier 1. Regulators expect Tier 2. Adversaries assume you are not at Tier 3.

Board Questions to Ask Tomorrow Morning

Question | Why It Matters
--- | ---
What is our current Resilience Maturity tier—honestly? | Establishes baseline for improvement investment
Which legacy OT assets cannot be patched, and what compensating controls exist? | Identifies highest-risk exposure points
Do we have SBOMs for critical control systems? | Reveals supply chain visibility gaps
What does our cyber insurance actually exclude? | Clarifies residual board liability
If CISC directed us to remediate within 90 days, could we? | Tests operational readiness for regulatory action
When did we last test OT-specific incident response? | Validates response capability beyond documentation

The Forward View: AI-Assisted OT Security

The next generation of OT security will be fundamentally different. Machine learning systems can establish behavioural baselines for industrial control systems, detecting anomalies that signature-based tools miss entirely.

AI-powered security operations centres can correlate events across IT and OT environments at speeds impossible for human analysts. Predictive maintenance algorithms can identify equipment degradation before it becomes a reliability—or security—vulnerability.

These capabilities exist today. They are being deployed by sophisticated operators. They represent the frontier of industrial cybersecurity.

Energy organisations still struggling with basic compliance should understand: the gap between their current state and industry best practice is widening, not narrowing. Every year spent on checkbox exercises is a year not spent building genuine resilience.

The Strategic Imperative

The SOCI Act exists because government concluded that market forces alone will not deliver adequate protection for critical infrastructure. The December 2024 amendments made the implied threat explicit: the CISC can now direct you to fix deficiencies, and non-compliance is no longer a theoretical risk.

Energy sector leaders should take this signal seriously. The organisations that treat SOCI compliance as a strategic investment rather than a regulatory burden will emerge more resilient, more operationally capable, and better positioned to manage board liability.

Those pursuing minimal compliance will satisfy auditors—until an incident exposes what their paper compliance actually protected: nothing.

Engage the Advisors

If your organisation is approaching a significant strategic decision—or questioning the value of current investments—we should talk. Strategic counsel at the right moment can redirect significant capital toward genuine business value.
