How the SOCI Act Is Reshaping OT Security and Critical Infrastructure

Following our recent participation in an industry discussion on securing critical infrastructure in Western Australia hosted by FACCI, a key theme emerged clearly: the SOCI Act is rapidly evolving beyond a traditional cybersecurity obligation into a broader operational resilience framework.

The conversation explored how organisations across critical industries are strengthening cyber resilience, governance, and operational risk management in increasingly complex OT and industrial environments. As AI adoption accelerates across critical infrastructure sectors, organisations are also recognising the need for stronger collaboration between cybersecurity, infrastructure, HR, engineering, and asset management teams.

This growing shift is driving increased focus on areas such as OT software asset management and visibility, practical SOCI Act compliance programs, and integrated OT security and advisory services that support resilience across operational and corporate environments alike.

With recent updates and evolving expectations under the SOCI Act, are organisations still defending against yesterday’s threats rather than today’s?

It’s really a combination of both. As an industrial automation company working predominantly across Operational Technology (OT) environments, including SCADA and industrial control systems, we see firsthand how the distinction between “old” and “new” threats remains incredibly important.

On one hand, we are still dealing with yesterday’s threats. OT environments often rely on legacy infrastructure – systems that are not actively patched, or in some cases no longer supported by vendors. That means known vulnerabilities, sometimes years old, are still present in operational technology environments.

But at the same time, these systems are increasingly accessed via modern IT networks and remote access pathways, which exposes them to very current and sophisticated threat actors. So we are also defending against today’s attack techniques – identity compromise, ransomware infrastructure, and supply chain attacks targeting IT layers that bridge into OT.

SOCI is often positioned as a cyber security issue, but the obligations extend well beyond cyber. From your experience, where are organisations struggling the most?

One of the biggest challenges is that SOCI has a much broader impact than many organisations initially expect. It doesn’t just sit within cyber security teams – it extends into people, processes, governance, and physical and operational domains. We see impact across infrastructure teams, HR, OT engineering, and asset management functions.

The challenge is coordination. SOCI requires executive alignment across the organisation to successfully run a program that touches so many domains. The breadth of SOCI means that departments that traditionally did not need to collaborate closely now have to become tightly integrated. Everyone needs to be aligned to ensure all domains of critical infrastructure risk are being managed cohesively.

A lot of organisations initially think they are signing up for a cyber program. In reality, they are signing up for an organisational transformation that cuts across most parts of the business.

With increasing reliance on external platforms and cloud services, how should organisations think about sovereign risk under SOCI?

The first step is understanding your infrastructure supply chains in detail. That means knowing your systems, your data, how it moves, where it is stored, and who is consuming it. Without visibility, you don’t actually have a clear grip on your dependencies or your exposure.

The second point is understanding data criticality through a risk lens, not a blanket assumption. Not all data is required to be sovereign, but organisations need to classify it based on how it is used and how critical it is to operations.

Ultimately, sovereign risk is about clarity – knowing where your dependencies sit, and whether those dependencies align with your risk appetite and regulatory obligations. That clarity is a key foundation of managing sovereign risk effectively.

Where do organisations typically start when assessing SOCI maturity, governance, and asset visibility?

The starting point is being honest about your current state. That often sounds simple, but in practice it is the hardest step. Organisations need to clearly understand: where are we now? That can feel overwhelming, but it is essential.

Too often, organisations jump straight into designing a framework. The problem is that many of these frameworks are not immediately implementable because they are disconnected from the reality of existing systems, especially in legacy OT and hybrid environments.

Once the current state is properly mapped, organisations should then design a framework that aligns to that reality. From there, you identify the gaps between the current state and the desired state, and build a structured remediation plan to close those gaps.

It’s also important to recognise that SOCI is not a one-off project that delivers compliance forever. It is an evolving framework that must be regularly reviewed and adapted as new risks emerge and systems change.

How are recent SOCI Act developments in 2025/2026 reshaping the conversation around operational resilience?

The Australian Government has introduced significant amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) in 2025 and 2026. These amendments aim to enhance the Act’s effectiveness in managing national security risks to critical infrastructure.

Key changes include:

  • Expansion of government intervention and direction powers in critical incidents
  • Stronger and more detailed Critical Infrastructure Risk Management Program (CIRMP) expectations
  • Broader expectations around supply chain, personnel, and operational resilience controls
  • Increasing scrutiny of digital infrastructure, cloud dependencies, and emerging technology platforms
  • Greater emphasis on board-level accountability and governance maturity

These changes reflect a clear shift: SOCI is no longer just a compliance exercise – it is becoming a whole-of-organisation resilience framework. What SOCI is driving, more than anything, is a shift in mindset. It is pushing organisations to move from fragmented risk ownership toward a unified view of operational resilience – where cyber, OT, governance, supply chain, and data sovereignty are all part of the same system of risk. And for many industrial organisations, that transition is still ongoing.

Interview with Rheinhardt Peens