New Australian Cybersecurity Rules: What Industrial Operations Need to Know


Australia’s cybersecurity regulations for critical infrastructure keep expanding. The latest amendments to the Security of Critical Infrastructure Act (SOCI Act) bring more manufacturing operations into scope—and many operators don’t realise they’re affected.

I’ve spent the past few months helping clients understand what’s actually required. Here’s a practical rundown.

What’s changed

The SOCI Act originally covered obvious critical infrastructure: power plants, water treatment, hospitals. Recent amendments have progressively expanded the definition to include more of the supply chain.

Key changes affecting manufacturers:

Food and grocery sector: Major food manufacturers and processors are now explicitly covered. If you’re a significant supplier to the food supply chain, you may be in scope.

Manufacturing inputs: Manufacturers of critical inputs to other SOCI sectors (think: chemicals used in water treatment, components for energy systems) are increasingly being pulled in.

Data storage and processing: If you host or process data for SOCI-covered entities, you may inherit obligations.

The thresholds vary by sector. Generally, larger operations are affected first, but the trend is toward broader coverage over time.

The actual obligations

If you’re a “responsible entity” under the SOCI Act, you have several obligations:

Register with the government

You must register your critical infrastructure asset with the Cyber and Infrastructure Security Centre (CISC). This includes providing ownership and operational control information.

Adopt a risk management program

You need a written risk management program covering:

  • Cyber and information security
  • Personnel hazards (insider threats, etc.)
  • Supply chain risks
  • Physical security and natural hazards

This must be board-approved (or equivalent) and regularly reviewed.

Report cyber incidents

Certain cyber incidents must be reported to the Australian Signals Directorate within specific timeframes—24 hours for critical incidents, 72 hours for serious ones.

Maintain records

You must keep records demonstrating compliance, available for audit.

Government assistance powers

In extreme circumstances, the government can step in to assist or direct operations during cyber emergencies. This is the “last resort” power that got a lot of attention when introduced.

Where OT security comes in

Here’s where it gets relevant to industrial operations: the risk management program explicitly includes operational technology (OT) systems.

Many manufacturers have historically treated IT and OT security separately—or haven’t thought much about OT security at all. SOCI requirements don’t let you ignore the factory floor.

What does OT security actually mean in practice?

Asset inventory: Know what systems you have, including legacy equipment that’s been running for decades.

Network segmentation: Industrial control systems shouldn’t be freely accessible from the corporate network (or worse, the internet).

Access controls: Who can connect to PLCs, SCADA systems, and other industrial controllers? How is that access authenticated?

Monitoring: Can you detect unusual activity on industrial networks?

Patching and updates: How do you handle security updates for industrial systems that can’t easily be taken offline?

Incident response: What happens when something goes wrong? Who’s responsible?

Most manufacturers I work with have gaps in at least some of these areas.
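To make the segmentation and monitoring questions above concrete, here is an added example (not from the original article): a Python check that flags flow records in which a host outside the OT zone reaches a controller on an industrial protocol port. The subnets, the jump-host address, the CSV flow format and the sample records are constructed assumptions; the ports are the registered ones for Modbus/TCP (502), EtherNet/IP (44818) and OPC UA (4840).

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site layout (constructed for this example, not from the article).
OT_ZONE = ip_network("10.20.0.0/16")          # control network
CORPORATE = ip_network("10.10.0.0/16")        # office/IT network
ALLOWED_SOURCES = {ip_address("10.10.5.10")}  # approved jump host

# Registered ports for the industrial protocols used in this check.
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 4840: "OPC UA"}

# Constructed flow records: src,dst,dst_port
SAMPLE_FLOWS = """\
10.20.1.5,10.20.1.20,502
10.10.5.10,10.20.1.20,44818
10.10.8.77,10.20.1.20,502
203.0.113.9,10.20.3.4,4840
10.10.8.77,10.10.2.2,443
10.10.8.77,10.20.1.30,not-a-port
"""

def classify_source(src):
    """Label where a flow originates relative to the assumed zones."""
    if src in OT_ZONE:
        return "ot"
    return "corporate" if src in CORPORATE else "external"

def find_violations(flow_text):
    """Return (findings, skipped): flows crossing into OT on ICS ports,
    plus a count of records that could not be parsed."""
    findings, skipped = [], 0
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            src, dst, port = ip_address(row[0]), ip_address(row[1]), int(row[2])
        except (ValueError, IndexError):
            skipped += 1  # count bad records so gaps in the data are visible
            continue
        if dst not in OT_ZONE or port not in ICS_PORTS:
            continue  # not traffic to a controller protocol
        origin = classify_source(src)
        if origin == "ot" or src in ALLOWED_SOURCES:
            continue  # stays inside the zone, or uses the approved path
        findings.append((origin, str(src), str(dst), ICS_PORTS[port]))
    return findings, skipped

if __name__ == "__main__":
    results, bad = find_violations(SAMPLE_FLOWS)
    for finding in results:
        print(*finding)
    print("unparseable records:", bad)
```

Findings with an `external` origin correspond to the "or worse, the internet" case; `corporate` findings are flat-network paths that bypass the approved jump host.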

The practical challenges

The SOCI requirements sound reasonable on paper. In practice, they create real challenges for industrial operations:

Legacy equipment

A plant might have PLCs from 1998 that control critical processes. Those systems weren’t designed with cybersecurity in mind. Patching is often impossible. Replacing them is expensive and disruptive.

Uptime requirements

You can’t easily take a production line offline to implement security controls. Changes need to be planned around maintenance windows—which might be once a year.

Skills gap

IT security people often don’t understand industrial protocols (Modbus, OPC, EtherNet/IP). Industrial engineers often don’t understand cybersecurity. Finding people who know both is difficult.

Vendor dependencies

Much industrial software comes from OEMs who aren’t responsive to security concerns. “That’s how the system works” isn’t a great answer when you’re trying to comply with regulations.

Budget reality

SOCI compliance competes with other investments. And the return is defensive—avoiding bad things rather than generating revenue.

A pragmatic approach

If you’re affected (or might be affected soon), here’s a sensible path:

Step 1: Determine your status

Are you definitively a responsible entity under SOCI? The definitions are complex. If there’s any question, get formal advice. The penalties for non-compliance are significant.

Step 2: Assess current state

Where are you today against the requirements? Most manufacturers have some controls in place (physical security, basic IT security) but gaps in OT-specific areas.

Step 3: Prioritise based on risk

You can’t fix everything at once. Focus on:

  • The most critical systems (those that could affect safety or major production)
  • The most exposed systems (anything connected to the internet or external networks)
  • The easiest wins (sometimes simple changes make big differences)

Step 4: Build the risk management program

Document your approach. This isn’t just paperwork—the process of writing it down forces clarity on responsibilities and gaps.

Step 5: Implement controls progressively

Security improvement is a journey, not a destination. Build momentum with early wins, then tackle harder problems.

Step 6: Monitor and maintain

Security isn’t a one-time project. Establish ongoing processes for monitoring, updating, and improving.

Getting help

This is an area where external expertise often makes sense. Specialists who understand both industrial operations and cybersecurity regulations can:

  • Help you interpret whether and how SOCI applies
  • Assess your current OT security posture
  • Prioritise remediation efforts
  • Build programs that satisfy regulators without breaking operations

Industrial cybersecurity is a growing specialty within the consulting world. Look for people with actual OT experience, not just IT security people who’ve read about industrial protocols.

The bigger picture

SOCI compliance is a forcing function, but the underlying issues—protecting industrial systems from cyber threats—are real regardless of regulation.

Ransomware hitting manufacturing plants isn’t theoretical. It’s happened to Australian companies. Production systems do get compromised. The regulatory framework is catching up to a threat environment that’s been building for years.

Even if you’re not technically covered by SOCI today, the security practices it requires are worth implementing. The regulations are following the risk, not creating it.