Changes to the Security of Critical Infrastructure Act for IT Managers

John Powell

Principal Security Consultant


If you work in IT or security, or operate in one of Australia’s critical infrastructure sectors, you have probably heard about the changes to the Security of Critical Infrastructure Act 2018 (SOCI Act) made as part of the Government’s critical infrastructure reforms.

These changes extend Australia’s critical infrastructure regime to 11 sectors and are considered one of the most significant and wide-ranging pieces of security legislation to be mandated locally.

So what?

The critical infrastructure reforms set the bar for good practice whether or not your organisation falls into one of the 11 legislated sectors. The Government is enshrining in law the need to treat all hazards, including cyber risk, as part of governance, risk and compliance.

Furthermore, if your organisation is considered a critical supplier to one of these 11 sectors, the critical infrastructure operator may ask you to provide assurances, including undergoing risk assessments, meeting minimum cyber standards and background checks for employees who access critical infrastructure.

How does this affect my role as IT Manager?

Accountability for cyber security sits with the board. Directors are aware that if they operate in a critical infrastructure sector they need a risk management plan, and they are turning to their IT managers to make sure cyber risks are included in that plan.

This is where uncertainty and fear start to set in for some IT directors and managers: they do not fully understand the compliance requirements or the new reporting and notification obligations, and they lack the budget or team resources to meet this new demand.

That is normally the stage at which we hear from our customers. Primarily, customers come to us for incident response planning support because, if something happens, they are not quite sure what they need to do.

Where do I start?

We have been recommending that IT managers first undertake a threat, risk and controls assessment. This assesses the organisation’s current cyber security posture, its exposure to threats, the efficacy of its current risk management and response plans, and more.

To help you navigate all these changes, Telstra Purple is launching a new bespoke service to help customers understand the new reforms and how to meet them.

The service is tailored to each customer’s needs and can offer advice, including help developing a robust information security management system (ISMS), and solutions such as Cyber Detection and Response, Incident Response (IR) Readiness Assessments, Vulnerability Assessments and cyber exercises that test protection and response plans across the organisation.

Interestingly, Telstra Purple, as part of Telstra, may be one of the only organisations that is both part of a critical infrastructure sector and consults on it. We collaborate closely with Telstra’s internal CISO teams, which means we cross-pollinate learnings: our external and internal security consultants learn from each other.

Leverage the skills of Telstra Purple and the experience of Telstra to help you implement the cyber security measures you need to meet the updated Security of Critical Infrastructure Act.