In Brief
The SOCI Act's December 2024 amendments transferred liability directly onto critical infrastructure boards, with the CISC now empowered to compel rectification of deficient Risk Management Programs. Yet compliance and resilience remain fundamentally different things. Cyber insurance exclusions for nation-state attacks are migrating risk back onto balance sheets. Legacy OT assets on thirty-year investment cycles cannot be patched like enterprise IT. This article introduces a three-tier Resilience Maturity Model and examines why organisations pursuing minimum compliance will satisfy auditors until an incident exposes what their paper compliance actually protected.
The Liability Reality
When the Security of Critical Infrastructure Act 2018 was significantly expanded through the Enhanced Response and Prevention Act in December 2024, it represented more than a regulatory uplift. It was a transfer of liability directly onto the boards of critical infrastructure operators.
Energy sector executives need to understand what actually changed: the government can now compel responsible entities to vary deficient Risk Management Programs. The Cyber and Infrastructure Security Centre (CISC) has commenced its 2025 audit program. And the “all-hazards” expansion means these powers now extend beyond cyber incidents to floods, fires, and supply chain disruptions.
The response across the sector has been predictable. Consultants engaged. Checklists drafted. Risk Management Programs filed with the Cyber and Infrastructure Security Centre. Boxes ticked.
Yet boards remain dangerously exposed, not because they failed to comply, but because compliance and resilience are fundamentally different things.
The Audit Reality
This is not theoretical. In early 2025, the CISC directed multiple critical infrastructure operators to rectify serious deficiencies within 90 days.
[Callout: remediation deadline imposed by CISC on operators with deficient Risk Management Programs in 2025. Source: CISC 2025 Compliance Program]
Common findings included incomplete OT asset visibility, inadequate contractor access controls, and Risk Management Programs that failed to address the expanded “all-hazards” scope introduced in December 2024.
These audit findings reflected systemic gaps, not isolated failures. Organisations that outsourced compliance to consultants without operationally testing the resulting artefacts were most exposed. Filed documentation described controls that existed on paper but had never been exercised under realistic conditions. The CISC’s enforcement posture made clear that attestation without validation would no longer suffice.
Organisations that assumed their 2023-vintage compliance documentation remained adequate discovered otherwise. The regulatory posture has shifted from guidance to enforcement.
The Insurance Gap
Cyber insurance policies increasingly exclude nation-state attacks and critical infrastructure events. Risk that was assumed to have been transferred to insurers is migrating back onto balance sheets, and onto personal director liability.
A SOCI-compliant Risk Management Program does not change this calculus. It documents that you tried. It does not demonstrate that you succeeded.
When, not if, the government exercises its step-in powers, the question will not be “Were you compliant?” It will be “Were your controls effective?” The distinction determines whether boards face regulatory sanction or reputational survival.
The Legacy Debt Problem
The IT/OT convergence narrative has become a cliché precisely because the energy sector has failed to honestly confront what convergence means in practice.
Energy infrastructure operates on thirty-year investment cycles. A turbine controller commissioned in 2005 was not designed to be patched like a laptop. A SCADA system deployed in 2010 was never intended to connect to enterprise networks. Yet here we are.
The uncomfortable truth: integration is often technically impossible for legacy assets. You cannot bolt modern security onto systems that predate modern threats.
Effective SOCI compliance requires acknowledging this constraint rather than pretending it away. The answer is not better collaboration between IT and OT teams, though that matters. The answer is rigorous segmentation, compensating controls, and honest assessment of what can and cannot be protected.
This means:
- Network architecture that assumes breach rather than prevents it. Legacy OT systems should be isolated within defensible enclaves, with monitoring at every boundary.
- Compensating controls that address risks where patching is impossible. If you cannot update the firmware, you can monitor the traffic patterns. If you cannot encrypt the protocol, you can restrict the access paths.
- Explicit risk acceptance documented at board level. Some legacy systems present risks that cannot be fully mitigated within operational constraints. Boards must understand and formally accept these residual risks, not discover them during an incident.
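The two compensating controls above (monitor the traffic patterns, restrict the access paths) in working form, as an added example that is not from the article or any product: it learns the normal flow set at a legacy enclave boundary and alerts on new flows and on non-engineering hosts reaching PLCs. The subnets, hosts and log line format are constructed assumptions.

```python
"""Boundary monitoring for a legacy OT enclave: learn the normal
(src, dst, port, proto) flow set during a baseline window, then alert
on anything new. Hosts, subnets and log format are constructed."""
from ipaddress import ip_address, ip_network

# Assumed access-path policy for the enclave (constructed): only the
# engineering subnet may reach PLCs on Modbus/TCP (port 502).
ENGINEERING_SUBNET = ip_network("10.20.0.0/24")
PLC_SUBNET = ip_network("10.99.0.0/24")
WRITE_CAPABLE_PORTS = {502}

def parse_flow(line):
    """Parse a constructed boundary log line: 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return (src, dst, int(dport), proto.upper())

def learn_baseline(lines):
    """Allowlist every flow observed during the baseline window."""
    return {parse_flow(l) for l in lines if l.strip()}

def check_flow(flow, baseline):
    """Return alert strings for one flow (empty list if it looks normal)."""
    src, dst, dport, proto = flow
    alerts = []
    if flow not in baseline:
        alerts.append(f"NEW-FLOW {src}->{dst}:{dport}/{proto}")
    if (ip_address(dst) in PLC_SUBNET and dport in WRITE_CAPABLE_PORTS
            and ip_address(src) not in ENGINEERING_SUBNET):
        alerts.append(f"POLICY-VIOLATION {src} reached PLC {dst}:{dport}")
    return alerts

def monitor(lines, baseline):
    """Run every non-empty live log line through check_flow."""
    return [a for l in lines if l.strip()
            for a in check_flow(parse_flow(l), baseline)]

# Constructed baseline window: engineering station and a historian
# talking to PLCs inside the enclave.
BASELINE_LOG = """
10.20.0.10 10.99.0.5 502 tcp
10.20.0.10 10.99.0.6 502 tcp
10.30.0.20 10.99.0.5 44818 tcp
"""
# Constructed live window: one normal flow, then a corporate host
# reaching a PLC on the write-capable port.
LIVE_LOG = """
10.20.0.10 10.99.0.5 502 tcp
10.50.1.77 10.99.0.6 502 tcp
"""
```

Run `monitor(LIVE_LOG.splitlines(), learn_baseline(BASELINE_LOG.splitlines()))` to get the alert list; the corporate host produces both a NEW-FLOW and a POLICY-VIOLATION alert.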
Supply Chain: The Software Bill of Materials Imperative
The SOCI Act explicitly addresses supply chain risk, yet this remains the most underdeveloped aspect of most Risk Management Programs.
In 2025, the technical standard boards need to understand is the Software Bill of Materials (SBOM). An SBOM is an inventory of every component in your software stack: the dependencies, libraries, and modules that comprise the systems controlling your critical infrastructure.
Why does this matter? Because the SolarWinds attack succeeded not by compromising SolarWinds directly, but by inserting malicious code into a component that SolarWinds itself depended upon. Without an SBOM, you cannot know what your systems actually contain. Without knowing what your systems contain, you cannot assess supply chain risk meaningfully.
Energy organisations should be asking their OT vendors: Can you provide a complete SBOM for every system deployed in our environment? What is your process for monitoring vulnerabilities in third-party components? How quickly can you issue patches when upstream dependencies are compromised?
For most energy organisations, the honest answers to these questions remain unsatisfactory. Addressing them requires sustained effort over years, not a checkbox exercise completed before an audit.
The regulatory trajectory is clear. International frameworks including the EU Cyber Resilience Act and US Executive Order 14028 have established SBOM requirements for critical software. Australia’s own regulatory posture is converging toward similar expectations. Organisations that build supply chain visibility now will be positioned for compliance when, not if, mandatory SBOM obligations arrive.
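What an SBOM lets you answer in practice, as an added example that is not from the article or any vendor: a CycloneDX-style inventory for a control system is cross-referenced against an advisory feed to find which deployed components are affected. The SBOM contents, advisory identifiers and system name are constructed; only the CycloneDX JSON shape is real.

```python
"""Cross-reference a CycloneDX-style SBOM against advisories to answer
'what do our systems contain, and which of it is affected?'.
SBOM contents, advisory ids and the system name are constructed."""
import json

# Constructed SBOM in CycloneDX JSON shape (real format, invented content).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "substation-hmi", "version": "4.2"}},
  "components": [
    {"type": "library", "name": "libmodbus", "version": "3.1.6"},
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "library", "name": "log-agent", "version": "2.0-rc1"}
  ]
}"""
# Constructed advisory feed: affected component and first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "libmodbus", "fixed_in": "3.1.7"},
    {"id": "ADV-EXAMPLE-2", "name": "zlib", "fixed_in": "1.2.11"},
    {"id": "ADV-EXAMPLE-3", "name": "log-agent", "fixed_in": "2.0.1"},
]

def version_key(v):
    """'a.b.c' -> comparable tuple; None if any part is non-numeric."""
    parts = []
    for p in v.replace("-", ".").split("."):
        if not p.isdigit():
            return None
        parts.append(int(p))
    return tuple(parts)

def affected_components(sbom_json, advisories):
    """Return (system, component, version, advisory_id, verdict) tuples."""
    sbom = json.loads(sbom_json)
    system = sbom["metadata"]["component"]["name"]
    by_name = {a["name"]: a for a in advisories}
    findings = []
    for c in sbom["components"]:
        adv = by_name.get(c["name"])
        if adv is None:
            continue  # no advisory for this component
        have, fixed = version_key(c["version"]), version_key(adv["fixed_in"])
        # Unparseable versions are escalated rather than silently passed.
        verdict = ("REVIEW" if have is None or fixed is None
                   else "AFFECTED" if have < fixed else "FIXED")
        findings.append((system, c["name"], c["version"], adv["id"], verdict))
    return findings
```

Calling `affected_components(SBOM_JSON, ADVISORIES)` flags libmodbus as AFFECTED, zlib as already FIXED, and the pre-release log-agent version for manual REVIEW.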
The Resilience Maturity Model
Moving from compliance to capability requires a clear framework. We propose a three-tier maturity model:
SOCI Resilience Maturity Model
Tier 1: Compliant
- RMP documented and filed
- Annual board attestation completed
- Incident reporting procedures established
- Satisfies the regulator
- May not survive a targeted attack
Tier 2: Integrated
- IT and OT security under common governance
- Real-time monitoring across environments
- Supply chain risk including SBOMs
- Segmentation for legacy assets
- Detects and contains most incidents
Tier 3: Resilient
- Continuous threat intelligence integration
- OT-specific tested incident response
- Red team validated compensating controls
- Board-level residual risk acceptance
- Absorbs attacks while maintaining operations
Most energy organisations operate at Tier 1. Regulators expect Tier 2. Adversaries assume you are not at Tier 3.
The Forward View: AI-Assisted OT Security
The next generation of OT security will be fundamentally different. Machine learning systems can establish behavioural baselines for industrial control systems, detecting anomalies that signature-based tools miss entirely.
AI-powered security operations centres can correlate events across IT and OT environments at speeds impossible for human analysts. Predictive maintenance algorithms can identify equipment degradation before it becomes a reliability or security vulnerability.
These capabilities exist today. They are being deployed by sophisticated operators. They represent the frontier of industrial cybersecurity.
Energy organisations still struggling with basic compliance should understand: the gap between their current state and industry best practice is widening, not narrowing. Every year spent on checkbox exercises is a year not spent building genuine resilience.
For boards, AI-assisted security represents both an opportunity and a governance challenge. Organisations that invest in these capabilities now will build operational advantages that compound over time. Those that defer will face increasingly sophisticated adversaries with increasingly primitive defences. The CISC’s enforcement trajectory suggests future compliance expectations will assume access to these capabilities as baseline, not aspirational.
The gap between SOCI compliance and operational resilience is not a nuance. It is the difference between regulatory survival and operational catastrophe.
Questions for Leadership
What is our current Resilience Maturity tier, assessed honestly rather than aspirationally?
Most energy organisations operate at Tier 1 (Compliant). Regulators expect Tier 2 (Integrated). An honest baseline determines the investment gap between documentation and defence.
Which legacy OT assets cannot be patched, and what compensating controls protect them?
Energy infrastructure operates on thirty-year investment cycles. Systems predating modern threats cannot be secured through patching alone. Boards must know which assets carry residual risk.
Do we have Software Bills of Materials for critical control systems and OT environments?
Without SBOMs, organisations cannot assess supply chain risk meaningfully. The SolarWinds attack succeeded through component compromise invisible without inventory visibility.
What does our cyber insurance actually exclude, and what residual liability falls to the board?
Policies increasingly exclude nation-state attacks and critical infrastructure events. Risk assumed to have been transferred to insurers may have migrated back to the balance sheet.
If CISC directed us to remediate deficiencies within 90 days, could we demonstrate compliance?
In early 2025, CISC directed multiple operators to rectify serious deficiencies within 90 days. Organisations assuming 2023-vintage documentation remained adequate discovered otherwise.
The Strategic Imperative
The SOCI Act exists because government concluded that market forces alone will not deliver adequate protection for critical infrastructure. The December 2024 amendments made the implied threat explicit: the CISC can now direct organisations to fix deficiencies, and non-compliance is no longer a theoretical risk.
Energy sector leaders should take this signal seriously. The organisations that treat SOCI compliance as a strategic investment rather than a regulatory burden will emerge more resilient, more operationally capable, and better positioned to manage board liability. The three-tier Resilience Maturity Model provides a framework for this transition: from Tier 1 compliance that satisfies auditors, through Tier 2 integration that detects and contains incidents, to Tier 3 resilience that absorbs sophisticated attacks while maintaining critical operations.
Those pursuing minimal compliance will satisfy auditors, until an incident exposes what their paper compliance actually protected: nothing. The gap between compliance and resilience is not a nuance. It is the difference between regulatory survival and operational catastrophe. For critical infrastructure boards, the time to choose which side of that gap they occupy is now.
Frequently Asked Questions
What is the SOCI Act and who does it apply to?
The Security of Critical Infrastructure Act 2018, significantly amended through December 2024, applies to organisations operating critical infrastructure assets across 11 sectors including energy, communications, data storage, financial services, and water. The amendments introduced expanded all-hazards scope extending beyond cyber incidents to physical threats, supply chain disruptions, and natural disasters. The CISC can now direct responsible entities to vary deficient Risk Management Programs.
What is a Risk Management Program under SOCI?
A Risk Management Program is a documented framework identifying material risks to critical infrastructure assets and establishing measures to mitigate those risks. It must address cyber security, personnel security, supply chain security, and physical security hazards under the expanded all-hazards scope introduced in December 2024. Programs must be filed with the Cyber and Infrastructure Security Centre and supported by annual board attestation confirming ongoing adequacy.
Will SOCI compliance stop a nation-state attack?
No. Compliance establishes a regulatory baseline but does not guarantee security against sophisticated state-sponsored adversaries. A compliant Risk Management Program documents that the organisation attempted to manage risk; it does not demonstrate that controls are effective against advanced persistent threats. True operational resilience requires moving beyond checkbox compliance to build defence-in-depth architectures, continuous monitoring, and tested incident response capabilities.
What are the penalties for SOCI non-compliance?
Penalties include civil penalties up to $44,400 per day for ongoing contraventions, government intervention and step-in powers allowing the CISC to direct specific remediation actions, and potential personal liability for directors overseeing systemic governance failures. The December 2024 amendments strengthened enforcement by empowering the CISC to compel responsible entities to vary deficient Risk Management Programs.
What is the relationship between SOCI Act compliance and Essential Eight maturity?
The SOCI Act and Essential Eight framework operate as complementary but distinct obligations. SOCI requires comprehensive risk management across all hazards including cyber, physical, supply chain, and personnel security. Essential Eight provides specific technical mitigation strategies for cyber security baseline controls. Critical infrastructure operators must satisfy both frameworks, with SOCI establishing governance obligations while Essential Eight addresses technical control implementation.