Navigating Australian Cybersecurity Regulations for Critical Infrastructure Operators

Australia's critical infrastructure leaders must master a complex array of regulations and frameworks, including the SOCI Act, SLACI Act, and AESCSF. The requirements call for board-level compliance, incident reporting, and bolstering OT cyber resilience against rising geopolitical threats.

Australia’s critical infrastructure owners face a rapidly expanding set of obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act) and sector-specific frameworks such as the Australian Energy Sector Cyber Security Framework (AESCSF). Electricity, gas, water, and transport entities must establish comprehensive governance, risk, and compliance programs that satisfy broad legislative duties and detailed technical standards. This blog post maps the regulatory landscape, explains the mandatory controls, and sets out a pragmatic roadmap to help boards and executives achieve and maintain compliance in 2025 and beyond.

While the regulations and frameworks detailed in this blog are specific to Australia, they offer important guidance for improving cybersecurity strategies that can benefit critical infrastructure operators worldwide

The strategic importance of critical infrastructure

Australia now designates 11 sectors, including energy, water, and transport, as critical because disruption “would significantly impact the social or economic wellbeing of the nation.” The policy response has been to hardwire security by legislating minimum cyber, physical, and supply-chain safeguards and giving government powers to intervene in emergencies. Recent geopolitical tensions and high-profile ransomware attacks have accelerated reform, culminating in the Cyber Security Act 2024 and the SOCI amendment, the Enhanced Response and Prevention (ERP) Act 2024, which tighten requirements and introduce new reporting triggers.

Australian critical infrastructure regulatory framework overview

Security of Critical Infrastructure Act 2018

SOCI is the umbrella statute which imposes three core Positive Security Obligations (PSO) on most critical assets, and Enhanced Cyber Security Obligations (ECSO) on Systems of National Significance (SoNS).

Positive Security Obligations (PSO)

1. Registration of ownership and operational details in the Critical Infrastructure Asset Register.
2. Mandatory cyber-incident reporting within 12 hours for “significant” and 72 hours for “relevant” incidents to the Australian Cyber Security Centre (ACSC)
3. Adoption and maintenance of a written Critical Infrastructure Risk Management Program (CIRMP) addressing cyber, personnel, supply-chain, and physical hazards.

CIRMP scope and deadlines

1. Identify material risks with potential relevant impact on availability, integrity, reliability, or confidentiality of systems and information.
2. Define critical components and interdependencies.
3. Establish processes to minimize/mitigate risk.
4. CIRMP adoption was required beginning Aug. 18, 2024; the 2024 – 2025 reporting period is the first requiring entities to report.
5. Protection of business critical data and secondary systems holding it came into scope under CIRMP beginning Apr. 4, 2025, via the Enhanced Response and Prevention Act and 2025 Measures Rules.

Enhanced Cyber Security Obligations (ECSO)

For critical infrastructure assets designated as Systems of National Significance (SoNS), additional obligations may apply on top of PSO/CIRMP. The obligations include:

1. developing cybersecurity incident response plans
2. undertaking cybersecurity exercises to build cyber preparedness
3. undertaking vulnerability assessments to identify vulnerabilities for remediation and/or providing system information to develop
4. maintaining a near-real time threat picture.

How the SOCI Act interacts with other laws and standards

Critical infrastructure operators also need to be mindful of other regulations that can intersect with SOCI Act requirements, including:

• The Privacy Act 1988 (Notifiable Data Breach scheme), which applies to personal data processed by critical infrastructure operators.
• The Cyber Security Act 2024, which adds ransomware payment reporting and IoT security standards with staged commencement dates through 2026.
• Occupational safety, environmental, and sectoral licensing laws, which overlap with SOCI physical-security controls, requiring integrated governance.

Sector-specific obligations matrix

The SOCI Act differentiates obligations by sector and asset class. The matrix below summarizes applicability for electricity, gas, water, and transport operators.

Key insights

• Energy, water, and most transport assets must comply with all three PSOs; only SoNS assets trigger ECSO automatically.
• Within the transport sector, ports and freight networks already required CIRMPs, while aviation assets had a switch-on date of April 2025.

The Australian Energy Sector Cyber Security Framework (AESCSF)

Purpose and structure 

AESCSF provides a maturity model tailored to operational technology (OT) environments across electricity, gas, and liquid fuels. It aligns with the U.S. Cybersecurity Capability Maturity Model (C2M2) and National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and International Organization for Standardization (ISO) 27001. It is recognized as an approved cybersecurity framework under the CIRMP requirements from August 2024.

• Security Profiles (SP-1 to SP-3) set target states linked to entity criticality: low-criticality entities aim for SP-1, medium for SP-2, and high-criticality or SoNS assets for SP-3.
• Maturity Indicator Levels (MIL-1 to MIL-3) gauge practice depth in 11 domains, from risk management to OT architecture.

Integration with SOCI

Entities were required to demonstrate compliance to CIRMP Rules section 8 by achieving AESCSF SP-1 (or equivalent ISO 27001 maturity) by Aug. 18, 2024. Board-signed annual reports must attest to progress and gaps each September.

Deep dive: Obligations by sector

Responsible entities for specified critical infrastructure assets face various penalties for failing to meet CIRMP-related obligations. Penalties vary depending on the violation, but can result in a maximum daily penalty of $660,000 (AUD).

The regulations and frameworks detailed above have specific requirements for each critical infrastructure sector, as follows:

Electricity and gas

• Since many generation, transmission, and pipeline operators are SoNS, they must undertake ministerially directed cyber exercises and provide live telemetry to the Australian Signals Directorate (ASD), the government’s cybersecurity and foreign signals intelligence agency, when requested.
• AESCSF SP-2 is the benchmark for most transmission and market-operator entities.

Water and sewerage

• Required to register assets, implement CIRMPs, and report incidents; this requirement came into effect in February 2023.
• High-criticality treatment plants are potential SoNS; boards should prepare ECSO compliance pre-emptively.
• Incident-reporting thresholds mirror energy rules; utilities must notify of any OT breach that threatens safe supply within 12 hours.

Transport (ports, freight, aviation, public transport)

• Critical ports, freight networks, aviation operators, and critical telecommunications providers must implement CIRMPs and report incidents; this requirement came into effect in April 2025.
• Port operators are advised to align their maritime International Ship and Port Facility Security (ISPS) Code physical-security plans with CIRMP to avoid duplication.
• Transport SoNS (e.g., national rail control) face ECSO directives focused on real-time network visibility.

Compliance timeline and milestones

Notable dates:

• April 4, 2025 – Telecommunications Security & Risk Management Program rules (Schedule 5 of Enhanced Response and Prevention (ERP) Act 2024) commenced, extending CIRMP to carrier assets.
• May 30, 2025 – Ransomware payment reporting rules under the Cyber Security Act 2024 commenced for all SOCI entities.
• March 4, 2026 – Mandatory IoT security standards take effect for smart devices supplied to critical infrastructure operators.

Building a compliant governance program

Board oversight

Directors must approve the CIRMP, set risk appetite, and receive quarterly cyber-risk updates. Failure to do so may breach Corporations Act duty-of-care provisions. Below are seven practical steps CISOs and other cybersecurity leaders can take to support compliance efforts.

Practical steps for security leaders

1. Asset scoping: Map OT, IT, and data-storage systems; confirm SOCI asset-class status.
2. Gap assessment: Benchmark against AESCSF SP target; identify missing controls and anti-patterns.
3. Risk treatment: Focus on AESCSF Priority Practices and Essential Eight controls; integrate with ISO 27001 Information Security Management System (ISMS) where possible.
4. Incident readiness: Align response plans with ECSO templates­­; exercise annually with ASD and sector Computer Security Incident Response Team (CSIRT).
5. Supply-chain security: Flow-down SOCI clauses to contractors; conduct vendor cyber-risk assessments.
6. Data-services notices: Issue written notifications to all external SaaS and cloud providers storing business-critical data.
7. Reporting loop: File CIRMP annual report by September 28 each year; update Register within 30 days of material change.

Enforcement and penalties

Home Affairs can issue remediation directions for “seriously deficient” CIRMPs and apply daily fines until rectified. For SoNS, non-compliance with an ECSO direction can trigger civil or criminal penalties, and the government may assume control to restore services under Part 3A emergency powers.

Additional recommendations

• Adopt a single, enterprise-wide CIRMP and avoid siloed asset plans to streamline board oversight.
• Choose AESCSF as the anchor framework for electricity, gas, and water assets; map transport controls where relevant.
• Reach SP-1 (or higher) now and document a board-approved roadmap to SP-2/SP-3 within two years.
• Embed supply-chain clauses requiring subcontractors to co-operate with SOCI incident reporting and audits.
• Align with Essential Eight maturity level 2 as an interim technical baseline, pending full AESCSF implementation.

Conclusion

Australia’s regulatory regime now demands demonstrable, board-level assurance that critical infrastructure is resilient to cyber, physical, and supply-chain threats. By integrating SOCI Act obligations with the AESCSF maturity model and global standards, electricity, gas, water, and transport operators can achieve compliance and strengthen operational resilience and stakeholder trust.

Learn more

• How to Remediate Risk to Critical OT/IoT Systems Without Disrupting Operations
• Applying Tenable’s Risk-based Vulnerability Management to the Australian Cyber Security Centre's Essential Eight