Security of Critical Infrastructure (SOCI)
Mature your cyber security to SOCI Act standards
We help critical infrastructure organisations improve their cyber security to meet current SOCI (Security of Critical Infrastructure) requirements.
The SOCI Act is designed to strengthen Australia’s national security interests across 11 sectors of critical infrastructure.
These include food, water, health care, energy, communications, transport, banking, higher education, defence, data storage and space technology.
Critical infrastructure is defined by the Australian Government as: ‘those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security’.
In January 2017, the Australian Government launched the Critical Infrastructure Centre (the Centre) as a way to work with critical infrastructure owners and operators to identify and manage national security risks.
The critical infrastructure sectors are of particular concern because disruptions, or a change in who is in control, can cause severe impacts. For instance, if someone disabled controls at a water plant and polluted the water supply, this could cause a major public health crisis. Critical infrastructure organisations also often hold large data sets about customers, which need to be protected. In addition, many of these organisations are privately owned and operated, so SOCI was created to ensure all players are doing their part to protect the nation.
Under the SOCI Act, the Centre assesses critical infrastructure organisations and performs risk assessments to ensure compliance.
The Centre works across all levels of government to identify Australia’s most critical infrastructure, conduct national security risk assessments, develop risk management strategies, and support compliance.
To ensure you're meeting your SOCI requirements, we can help...
Develop a SOCI Risk Management Program
This is a requirement of the SOCI Act rules. We’ll help:
- Identify hazards, including cyber and information security, personnel, and supply chain
- Determine the risk of occurrence of each hazard and the consequences
- Design controls and processes to minimise/eliminate the risk of each hazard occurring
- Assess and implement systems and controls to limit the damage done if a cyber attack is successful.
Monitor cyber incidents and develop reporting mechanisms
We’ll help put the tools in place to monitor cyber security incidents and develop reporting mechanisms for immediate notification. This is crucial because the SOCI Act now requires critical cyber security incidents to be reported within 12 hours of becoming aware of an incident.
Prepare annual reports for SOCI Act regulators
Another requirement of the SOCI Act is to submit annual reports. We can help create these reports for submission to the relevant Commonwealth regulator, so you can demonstrate you are meeting your SOCI cyber security obligations.
Ready to uplift your cyber security in alignment with SOCI?
SOCI is focused primarily on espionage, sabotage and coercion arising from foreign involvement in Australia’s critical infrastructure.
We'll develop your risk management program, and mature your cyber security, to address these key areas.
We uplift your cyber security capabilities beyond systems and tools to help protect you from outside threats. We also help set up the right controls and processes to protect you from within, for instance by ensuring that only necessary parties have access to data and that all monitoring and sharing of data is under continual surveillance.
We help protect your key assets from cyber attack by considering not just cyber risk but risk in general. That means really understanding your key crown jewel assets and the threats to them, and then developing tailored initiatives to protect what matters. For instance, we help with strategy and roadmaps, tool selection and implementation, team training, ongoing monitoring and maintenance, and reporting.
Considering coercion as a weapon against either your organisation or a third party like the Australian Government, we put cyber security controls in place that protect you from insider cyber attacks, which are sometimes carried out by employees without their knowledge.