Cyber Resilience for Critical Infrastructure Under Australia’s SOCI Act

Australia’s SOCI (Security of Critical Infrastructure) Act has reshaped how responsible entities manage cyber and operational risk. The Act shifts the focus from high-level policy alignment to demonstrable, operational resilience supported by evidenced risk management practices.

The latest amendments reinforce the Australian Government’s expectation that critical infrastructure owners move beyond static frameworks toward practical, operational controls, particularly in cyber and information security.

Under Part 2A of the SOCI Act, responsible entities must establish, maintain, and comply with the CIRMP (Critical Infrastructure Risk Management Program). This requirement applies across sectors including:

The CIRMP requires organizations to address risk across four hazard vectors. Each vector requires enforceable, auditable controls that reduce material risk to critical infrastructure assets.

Hazard vectors include:

1. Cyber and information security
2. Personal
3. Supply chain
4. Physical security

The following sections outline how these hazard categories translate into operational security controls within critical infrastructure environments.

CIRMP requires organizations to implement controls that minimize material cyber risks capable of disrupting the availability, integrity, or reliability of critical infrastructure assets. Common cyberthreats include phishing, malware, ransomware, and denial-of-service attacks.

File-based threats remain one of the most common initial access vectors. Organizations must secure how files are uploaded, downloaded, transferred, and introduced into both IT and OT environments.

OPSWAT’s MetaDefender Core™ is designed to prevent file-borne threats before they reach users or critical systems. It integrates into existing infrastructure to inspect uploads, downloads, email attachments, and file transfers without disrupting operational workflows.

MetaDefender Core applies multiple detection technologies to support defense-in-depth inspection, including:

• Metascan™ multiscanning technology with more than 30 anti-malware engines
• Signature-based, heuristic, and machine learning-based detection
• AI-driven, machine learning-based pre-execution zero-day detection
• File reputation and hash analysis

For unknown and zero-day threats, Deep CDR™ Technology performs deep file sanitization to recursively remove embedded threats such as scripts, macros, and out-of-policy content, then regenerates safe and usable files while preserving business functionality.

Adaptive Sandbox™ analysis enables behavioral observation in a controlled environment. Proactive DLP™ inspects file content to detect sensitive information and enforce policy-based actions such as removing, redacting, or watermarking content before files are released to users or systems.

Additional inspection capabilities include:

• True file type verification
• Archive extraction and recursive scanning
• File-based vulnerability assessment
• Data loss prevention and content inspection

These capabilities support CIRMP objectives by:

• Reducing reliance on a single detection technology
• Detecting and preventing zero-day attacks
• Generating auditable evidence of due diligence in threat detection

Under the CIRMP, personnel hazards include risks introduced by employees, contractors, subcontractors, interns, and other individuals with access to critical infrastructure assets. Organizations must assess who qualifies as a critical worker, what level of access they hold, and whether that access could introduce material risk.

Removable media and portable devices remain common vectors for introducing malware into OT environments, particularly in air-gapped or segmented networks. Without enforceable controls, these pathways can bypass perimeter defenses.

MetaDefender Kiosk™ and MetaDefender Media Firewall™ are designed to enforce security controls at media entry points and at the HMI (Human Machine Interface) layer.

MetaDefender Kiosk automates the scanning and sanitization of removable media before files are allowed into secure environments. It enforces predefined security policies and generates logs to support audit requirements.

MetaDefender Media Firewall provides inline inspection and policy enforcement for data transfers between networks, including OT segments. It prevents unauthorized or unsafe files from moving into critical systems.

These controls support CIRMP personnel hazard requirements by:

• Reducing the risk of malicious or negligent insider activity
• Enforcing secure handling of removable media within OT networks
• Restricting the use of unapproved devices
• Improving visibility into who introduces files and when

The SOCI Act explicitly identifies supply chain hazards as a material risk category under the CIRMP. Responsible entities must address risks introduced by vendors, contractors, OEMs (original equipment manufacturers), and third-party service providers.

Supply chain exposure can arise through:

• Third-party endpoints connecting to critical networks
• Remote access pathways into OT environments
• Portable devices brought onsite by contractors
• Software updates and maintenance activities

Many critical infrastructure operators rely on remote connectivity to monitor assets, perform diagnostics, and conduct upgrades across distributed or regional sites. Without appropriate controls, these access pathways can introduce cyberthreats into sensitive environments, including air-gapped or semi-connected OT networks.

OPSWAT MetaDefender Drive™ and MetaDefender OT Access™ are designed to reduce risk from third-party interactions with critical systems.
MetaDefender Drive scans and assesses transient laptops, desktops, and servers outside the host operating system before they connect to secure environments. It detects malware, identifies vulnerabilities, and validates device integrity to ensure only trusted systems are allowed into controlled or air-gapped networks.

MetaDefender OT Access is a secure remote access solution purpose-built for OT and CPS (Cyber-Physical Systems) environments. It enables controlled connectivity for third parties and remote personnel while enforcing granular access controls and session management policies.

These capabilities support CIRMP supply chain hazard requirements by:

• Protecting critical systems against interference or disruption introduced through third-party assets
• Restricting access to authorized systems and functions
• Improving visibility into vendor and contractor interactions with critical infrastructure

Physical and environmental hazards remain a core component of the CIRMP. In modern critical infrastructure environments, physical security increasingly intersects with cyber risk, particularly where OT systems rely on controlled data flows between IT and OT networks.

Many critical infrastructure environments operate legacy OT systems where traditional endpoint security tools cannot be deployed. As a result, security controls must be implemented at network boundaries and data transfer points.

Regulatory guidance and industry standards commonly recommend the use of unidirectional gateways, also known as data diodes, to protect sensitive OT networks. These controls enforce one-way data flow to prevent unauthorized access, command injection, or data exfiltration from critical systems.

MetaDefender Netwall™ enforces hardware-based unidirectional data transfer. By physically preventing reverse traffic, it eliminates the risk of inbound network-based attacks across segmented environments.

When deployed within a DMZ (demilitarized zone) architecture and combined with layered firewall controls, this approach supports:

• Reduced risk of malware propagation between IT and OT networks
• Protection against unauthorized remote access into critical systems
• Preservation of operational continuity
• Demonstrable risk-aware network design aligned with CIRMP principles

By controlling how data moves between trust zones, organizations can strengthen both physical and cyber resilience in environments where availability and safety are critical.

Australia’s SOCI Act and the CIRMP represent a measurable shift in regulatory expectations. Responsible entities must move beyond documented intent and demonstrate that risk controls are implemented and continuously improved in practice.

Regulators expect organizations to show that controls are:

• Appropriate for the asset’s criticality and threat profile
• Embedded into operational workflows
• Supported by logging, monitoring, and governance oversight
• Capable of withstanding board and regulatory scrutiny

CIRMP is not a static compliance framework. It requires preventative, enforceable, and auditable controls across cyber, personnel, supply chain, and physical hazard vectors.

Preventative security plays a central role in meeting these expectations. Controls must operate at common entry points, across IT, OT, and ICS boundaries, and within third-party interaction pathways. They must also generate the visibility and evidence required to support governance, assurance, and regulatory engagement.

OPSWAT’s focus on critical infrastructure protection directly supports the operational and regulatory demands of Australia’s SOCI Act. Implementing enforceable technical controls under CIRMP strengthens both compliance posture and real-world resilience.

In critical infrastructure environments, preventative security is not optional. It is foundational to maintain availability, safety, and public trust. To learn how to align your CIRMP strategy with enforceable preventative controls, speak with an OPSWAT cybersecurity expert.