SOCI 2018 and ERP Bill 2024

With the rise of advanced cybersecurity threats and global geopolitical instability, many governments have introduced legislation and mandatory cybersecurity obligations for financial services, energy, healthcare, and other essential services.

To protect these key sectors, the Australian Government first introduced the Security of Critical Infrastructure (SOCI) Act 2018 and recently amended this Act with the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. The ERP Bill 2024 imposes mandatory obligations spanning cybersecurity, supply chain security and personnel security to help protect Australia’s critical infrastructure (CI) and prioritise identity security.

SOCI Act 2018 and ERP Bill 2024 require identity and access management (IAM) and identity governance and administration (IGA) capabilities and compliance controls that reduce risk, detect threats, and maintain compliance. Let’s review which industries are subject to these mandatory obligations, the capabilities that CI operators need to implement, and some immediate steps that organisations must take.

Australian critical infrastructure sectors

SOCI Act 2018 and ERP Bill 2024 apply to organisations working in the following sectors: 

  • Financial services and markets 
  • Data storage or processing 
  • Defence industry 
  • Higher education and research 
  • Energy 
  • Food and grocery 
  • Health care and medical 
  • Space technology 
  • Transport, including aviation and maritime assets 
  • Water and sewerage 

In addition to SOCI Act 2018 requirements, the Australian Government can privately declare a given critical infrastructure asset to be a system of national significance (SoNS). SoNS organisations have additional cybersecurity requirements that are detailed in Australia’s Enhanced Cybersecurity Obligations Framework.

Mapping IAM and IGA capabilities to SOCI obligations

SOCI Act 2018 lists five key obligations for Critical Infrastructure Operators: 

IAM and IGA are essential to meeting the Risk Management Program Requirements, Mandatory Cyber Incident Reporting, and Enhanced Cybersecurity Obligations: 

Identity and Risk Management Requirement (RMP)

Under this obligation, all CI assets must maintain a risk management program. This program specifically requires CI operators to identify and mitigate material risks arising from cybersecurity, supply chain, personnel, and physical security threats. This means CI organisations must have appropriate access controls in place for identities and systems. 

To meet these obligations, CI operators must ensure they have the following controls: 

  • User identification, authentication, and authorisation to ensure only authorised individuals have access 
  • Role-based access control (RBAC) to assign access only as needed, to simplify access reviews and role audits, and to enforce segregation of duties (SoD) 
  • Audit capabilities, including monitoring user activity to detect breaches or misuse/abuse of systems 
  • Identity lifecycle management with automation of employee onboarding, access changes, and employee offboarding processes 
  • Enforcing privileged access controls to restrict high-risk functions to the least number of people 

Mandatory Incident Reporting Requirements

This obligation mandates the reporting of cybersecurity incidents within 12 hours if the incident has a significant impact on the availability of the CI asset or 72 hours for incidents with an impact that is not immediately disruptive. 

To meet reporting requirements and fulfil these obligations, CI operators need:  

  • Real-time monitoring of authentication and access events, backed by access controls, to detect unauthorised access or suspicious login attempts 
  • Capabilities that allow operators to correlate incident root causes to identities  
  • Demonstrable compliance for further incident investigation following reporting or during audits 
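The two reporting capabilities above (detecting suspicious access in real time and tying it back to an identity, then meeting the 12-hour or 72-hour clock) can be illustrated with a small detection script. This is an added example, not code from the page or from RSA: the log format, user names, IP addresses, the five-failures-in-five-minutes threshold and the list of availability-critical resources are all constructed, and the deadline is computed from the detection timestamp as a simplifying assumption.

```python
"""Added example (not from the RSA page): correlate authentication events to
identities, flag a successful login that follows a burst of failures, and derive
the SOCI-style 12 h / 72 h reporting deadline for each finding.
Log format, users, IPs, thresholds and resource names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed log lines: "<ISO timestamp> <user> <OK|FAIL> <src_ip> <resource>"
SAMPLE_LOG = """\
2025-03-01T01:58:10Z svc-scada FAIL 198.51.100.7 scada-hmi
2025-03-01T01:58:15Z svc-scada FAIL 198.51.100.7 scada-hmi
2025-03-01T01:58:21Z svc-scada FAIL 198.51.100.7 scada-hmi
2025-03-01T01:58:30Z svc-scada FAIL 198.51.100.7 scada-hmi
2025-03-01T01:58:44Z svc-scada FAIL 198.51.100.7 scada-hmi
2025-03-01T01:59:02Z svc-scada OK 198.51.100.7 scada-hmi
2025-03-01T09:12:00Z alice OK 10.0.4.21 payroll
2025-03-01T09:14:30Z alice FAIL 10.0.4.21 payroll
2025-03-01T09:15:01Z alice OK 10.0.4.21 payroll
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(OK|FAIL)\s+(\S+)\s+(\S+)$")
FAIL_THRESHOLD = 5               # failures inside WINDOW that count as a burst (constructed)
WINDOW = timedelta(minutes=5)
# Resources whose compromise disrupts availability of the CI asset (constructed list)
AVAILABILITY_CRITICAL = {"scada-hmi"}


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, outcome, ip, resource = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "outcome": outcome, "ip": ip, "resource": resource})
    return events


def detect_bruteforce_success(events):
    """Flag a successful login preceded by >= FAIL_THRESHOLD failures within WINDOW,
    keyed by identity so the finding is already correlated to a user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "OK":
                continue
            recent_fails = [x for x in evs[:i]
                            if x["outcome"] == "FAIL" and e["ts"] - x["ts"] <= WINDOW]
            if len(recent_fails) >= FAIL_THRESHOLD:
                findings.append({"user": user, "resource": e["resource"],
                                 "src_ip": e["ip"], "detected_at": e["ts"],
                                 "failures_before_success": len(recent_fails)})
    return findings


def reporting_deadline(finding):
    """12 h if the affected asset's availability is significantly impacted, else 72 h.
    Assumption: the clock starts at detection time."""
    hours = 12 if finding["resource"] in AVAILABILITY_CRITICAL else 72
    return finding["detected_at"] + timedelta(hours=hours), hours


def run(text=SAMPLE_LOG):
    """Return findings enriched with the reporting window and absolute deadline."""
    report = []
    for f in detect_bruteforce_success(parse_log(text)):
        deadline, hours = reporting_deadline(f)
        report.append({**f, "report_within_hours": hours,
                       "report_by": deadline.isoformat()})
    return report


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed sample, only `svc-scada` produces a finding (five failures then a success on an availability-critical resource), so it is placed on the 12-hour clock; `alice` has a single failure and is not flagged. In practice the events would come from the IdP or SIEM rather than an inline string, and the resource classification would come from the asset register.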

Enhanced SoNS Cybersecurity Requirements  

Systems that are designated as SoNS assets have additional cybersecurity obligations to meet. These obligations require SoNS to have Cybersecurity Incident Response Plans, periodic vulnerability assessments, and the ability to provide the government access to system information, including all identity and access logging information when requested.  

IGA capabilities help organisations meet these obligations by providing comprehensive auditing and reporting, which includes real time access logs, visibility into privileged access and the capability to integrate into Security Information and Event Management (SIEM) tools. 

Immediate controls to meet SOCI obligations 

Australian CI and SoNS organisations should implement the following capabilities and best practices to meet SOCI Act 2018 Risk Management Program Requirements, Mandatory Cyber Incident Reporting, and Enhanced Cybersecurity Obligations: 

  • Adopt access control policies. Enforce least privilege access and Zero Trust principles by using role-based access control (RBAC) to map permissions to job functions. 
  • Secure all identities with multi-factor authentication (MFA) or passwordless authentication. Require all users within Critical Infrastructure to have MFA or adopt passwordless/passkey authentication. 
  • Use real-time behavioural analysis, monitoring and alerting to detect anomalous access behaviour that may indicate account compromise or an insider threat. 
  • Ensure Separation of Duties (SoD) to prevent conflicts of interest in roles (e.g., preventing a single user from both approving and executing transactions). 
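The Risk Management Program controls listed earlier (RBAC, identity lifecycle management, audit capabilities, privileged access restriction) and the immediate controls just above (least privilege via RBAC, SoD between approving and executing transactions) describe one identity-governance model. The following is an added example, not code from the page or from RSA, that shows how such a model fits together: role-to-permission mapping, toxic-combination checks at grant time, joiner/mover/leaver handling, and an audit trail of every change. All role names, permissions, users and the actor labels are constructed.

```python
"""Added example (not from the RSA page): a minimal identity-governance model with
role-based access, segregation-of-duties (SoD) enforcement, joiner/mover/leaver
lifecycle handling and an audit trail. Roles, permissions and users are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles map to job functions, not to people (constructed mapping)
ROLE_PERMISSIONS = {
    "payments_clerk":    {"payment.create"},
    "payments_approver": {"payment.approve"},
    "treasury_ops":      {"payment.execute"},
    "scada_viewer":      {"scada.read"},
    "scada_admin":       {"scada.read", "scada.write", "scada.config"},
}

# Toxic combinations: permission pairs one identity must never hold together
SOD_CONFLICTS = {
    frozenset({"payment.approve", "payment.execute"}),
    frozenset({"payment.create", "payment.approve"}),
}


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True


@dataclass
class Directory:
    identities: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, actor, action, subject, detail=""):
        """Every lifecycle or entitlement change is written to the audit log."""
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "actor": actor, "action": action,
                               "subject": subject, "detail": detail})

    def effective_permissions(self, user_id):
        ident = self.identities.get(user_id)
        if ident is None or not ident.active:
            return set()            # unknown or disabled identities hold nothing
        perms = set()
        for role in ident.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def sod_violations(self, user_id):
        """List SoD conflicts present in a user's effective permissions (for access reviews)."""
        perms = self.effective_permissions(user_id)
        return [tuple(sorted(c)) for c in SOD_CONFLICTS if c <= perms]

    def is_authorised(self, user_id, permission):
        return permission in self.effective_permissions(user_id)

    def join(self, actor, user_id, roles):
        """Joiner: create the identity with its initial roles."""
        self.identities[user_id] = Identity(user_id, set(roles))
        self._record(actor, "join", user_id, ",".join(sorted(roles)))

    def grant_role(self, actor, user_id, role):
        """Grant a role only if the resulting permission set has no SoD conflict."""
        ident = self.identities[user_id]
        candidate = self.effective_permissions(user_id) | ROLE_PERMISSIONS.get(role, set())
        if any(c <= candidate for c in SOD_CONFLICTS):
            self._record(actor, "grant_denied_sod", user_id, role)
            return False
        ident.roles.add(role)
        self._record(actor, "grant", user_id, role)
        return True

    def move(self, actor, user_id, new_roles):
        """Mover: replace roles wholesale so old entitlements do not accumulate."""
        ident = self.identities[user_id]
        old = sorted(ident.roles)
        ident.roles = set(new_roles)
        self._record(actor, "move", user_id, f"{old} -> {sorted(new_roles)}")

    def leave(self, actor, user_id):
        """Leaver: disable the identity; all access is revoked immediately."""
        self.identities[user_id].active = False
        self._record(actor, "leave", user_id)


def demo():
    """Walk one joiner/mover/leaver scenario and return the observable outcomes."""
    d = Directory()
    d.join("hr-system", "alice", {"payments_clerk"})
    d.join("hr-system", "bob", {"payments_approver"})
    granted = d.grant_role("access-request", "alice", "payments_approver")  # create+approve: denied
    d.move("hr-system", "bob", {"treasury_ops"})    # approver role dropped, so no approve+execute
    d.leave("hr-system", "alice")
    return {"alice_granted_approver": granted,
            "bob_violations": d.sod_violations("bob"),
            "bob_can_execute": d.is_authorised("bob", "payment.execute"),
            "alice_can_create_after_leave": d.is_authorised("alice", "payment.create"),
            "audit_events": [e["action"] for e in d.audit_log]}


if __name__ == "__main__":
    print(demo())
```

The design point is that SoD is checked at grant time against the user's effective permissions rather than left to a periodic review, that a mover's roles are replaced rather than appended (privilege creep is usually the accumulation of roles from previous positions), and that a leaver is disabled centrally so every downstream authorisation decision fails at once.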

Meet SOCI Act 2018 Obligations with RSA 

Threat actors increasingly exploit weak identity controls, making IAM and IGA central to Australia’s national security strategy. The SOCI Act represents a significant evolution in how Australia protects CI from threats.  

While compliance may seem challenging, a unified IAM and IGA approach not only helps CI organisations to meet their regulatory obligations, but also greatly improves operational security, reduces risk, and ensures long-term resilience. 

RSA Security helps Critical Infrastructure organisations to secure their identities and meet compliance requirements with: 

RSA® ID Plus delivers the identity and access management (IAM) security capabilities that critical infrastructure organisations need to prevent account takeovers, ransomware attacks, and other cyberattacks. The solution delivers: 

  • Phishing-resistant and passwordless authentication to stop credential-based attacks 
  • Adaptive access policies that block suspicious login attempts in real time 
  • Secure multi-factor authentication (MFA) that balances security and ease of access for public sector employees 
  • AI-driven risk analytics that detect and respond to anomalous access attempts before they become threats 

RSA® Governance & Lifecycle provides the IGA capabilities that critical infrastructure organisations need to facilitate and secure identity lifecycle management for all users and devices. The solution: 

  • Automates onboarding, offboarding, and access changes to ensure users have the right access at the right time 
  • Enforces role-based access controls (RBAC) to prevent privilege creep 
  • Eliminates manual approvals by streamlining identity requests with automated workflows 
  • Ensures immediate access removal when employees leave or change roles, reducing insider threats 

For over 40 years, RSA has helped CI and security-first organisations protect their assets. As cyber threats grow more sophisticated and compliance requirements become more stringent, CI organisations must take proactive steps to secure identities, prevent attacks, and maintain operational resilience. Contact RSA to learn more about how RSA provides a range of IAM solutions that meet SOCI Act regulations and integrate into a broader identity security strategy. 
