Systems of Critical Infrastructure Act (SOCI) Guidance
Welcome to the Systems of Critical Infrastructure (SOCI) Guidance and asset declaration webpage. From here you can access information to help you understand how to comply with SOCI legislation and declare a critical research asset. If you're aware of the legislation and want to fast track the process, view the SOCI Critical Asset Declaration Form or scroll down to find the relevant section below.
Australia’s Cyber Security Strategy 2020 (now the 2023-2030 Strategy) commenced several key Government initiatives such as critical infrastructure law reforms to protect and improve the resilience of Australia’s critical infrastructure. This includes the Systems of Critical Infrastructure (SOCI) Act and the subsequent Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP).
The SOCI Act commenced on the 31st of March 2022. The act creates a framework for regulating sectors that operate, support, or maintain critical infrastructure assets, as per the definition. The original act has been amended under the SLACIP Bill to include the Higher Education and Research sector. UNSW is now obligated to comply with the requirements of the act.
The assets in scope of the act are limited to the following, as defined in the Security of Critical Infrastructure Act:
"an asset that is an Australian university category of the National Register of Higher Education Providers and is used in connection with undertaking a program of research that is critical to:
(i) a critical infrastructure sector
(ii) the defence of Australia
(iii) national security."
Per item (i), critical infrastructure (CI) sectors include communications, data storage and processing, financial services and markets, water and sewerage, energy, health and medical, food and grocery, transport, space technology and defence industry.
Overview
Critical Infrastructure entities (UNSW included) are required to report cyber security incidents that impact critical research being performed in support of the 11 sectors in scope (communications, data storage and processing, financial services and markets, water and sewerage, energy, health and medical, food and grocery, transport, space technology, and defence industry). The incident must be reported to the Australian Cyber Security Centre (ACSC) after being made aware, within the following time frames:
- 12 hours, if the incident is having a significant impact on the availability of the asset
- 72 hours, if the incident impacts the availability, integrity, or reliability of the asset, or the confidentiality of information about, or held by the asset.
Under this legislation, UNSW must comply with the reporting time frames in the event of an incident impacting (or having the potential to impact) the assets in scope. Penalties of up to 50 penalty units exist where reports are not given within the required time frames. The Cyber Security team has established a process to help identify and capture relevant details for critical research assets to be prepared for this event and meet our regulatory obligations under the act.
The Cyber Security team have provided an online form to help key personnel declare assets that potentially fall within the definition of critical research, to help support the University in meeting the obligations under the SOCI legislation.
All research applications/investigators are required to attest whether their research does or does not fall within the definition of critical research by completing the online form in the link below.
Submit SOCI Asset Declaration Form
Note: Research investigators and sponsors are accountable for ascertaining whether their research meets the definition of critical research.
When thinking about risks to help contextualise what would be considered critical, think also about the provisioning and operation of learning resources for universities, affecting the higher education of students in a specialised field of study and/or the ability to conduct critical research.
For more information about the act, please visit the resources below:
- Security of Critical Infrastructure Act 2018 (Original SOCI Act)
- Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act/Bill 1)
- Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP/Bill 2)
- Security of Critical Infrastructure (Application) Rules 2021
- Advisory report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022
Reporting cyber incidents
It is important to report any cyber security incidents as quickly as possible so that UNSW IT’s Cyber Security team can address any issues and mitigate risk exposure.
What should I report?
- Suspecting your computer or account has been compromised.
- Having evidence on how technology or University data may be vulnerable.
- Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
- Losing a University asset containing sensitive information.
Report a cyber security incident by calling the UNSW IT Service Centre on 02 9385 1333 or using the link below.
Cyber security is everyone’s responsibility. By learning a few rules, taking simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and Awareness for more information.
"Enhancing cyber security, including protecting information and privacy, is of paramount importance to our core functions of education and research. We all play a part in being cyber smart."
Professor Attila Brungs, Vice-Chancellor and President, UNSW Sydney