Translating legislative obligation into operational security. From CIRMP development to IEC 62443 control alignment — practical implementation for responsible entities.
The SOCI Act is in force. CIRMPs are mandatory. But most responsible entities have a compliance gap they haven't identified — the distance between what they've documented and what would survive regulatory scrutiny.
2025-26 marks a shift. CISC has moved from education and awareness into active assurance and audit. The 2023-24 trial audits already identified systemic deficiencies: inadequate insider threat mitigation, missing critical worker identification policies, and physical hazard programs that existed on paper but not in practice. Entities that treated CIRMP adoption as a paperwork exercise are now exposed.
Many programs were drafted by compliance teams with no input from OT operations. They reference "cyber risks" without identifying specific control system vulnerabilities, and list mitigations that don't map to the actual network architecture.
The SOCI Act mandates risk treatment but doesn't prescribe a framework. Without a deliberate mapping to IEC 62443 or equivalent, there's no defensible line between identified risk and implemented control.
Boards are signing annual reports attesting that the CIRMP is current and effective. In many cases, there is no evidence trail — no review records, no risk register updates, no control effectiveness testing — to support that attestation.
A structured approach to translating SOCI obligations into implementable OT security outcomes. Six layers, from governance through to continuous improvement — each mapped to the Act, the CIRMP Rules, and IEC 62443.
Establish CIRMP ownership, board attestation processes, and annual review cycles. Define who is accountable for the s30AC obligation to adopt, maintain and comply with the program. Map the governance structure to IEC 62443-2-1 management commitment and security policy requirements.
Identify critical infrastructure assets, their critical components (PLCs, RTUs, SIS, DCS, HMIs), critical workers (control room operators, OT engineers, integrators), and data storage systems that form part of the CI asset under s9(7). This is where most OT programs have gaps — the Act's definition of "critical component" captures far more than organisations expect.
Conduct risk assessment across all four CIRMP hazard vectors — cyber and information security, personnel, supply chain, and physical and natural hazards — with OT-specific threat scenarios. Identify material risks and relevant impacts per the Rules (s6, s7). Apply IEC 62443-3-2 risk assessment methodology for the cyber vector.
Map identified risks to the IEC 62443 foundational requirements (FR1-FR7), assign a target security level (SL-T) to each zone and conduit, assess the achieved level (SL-A), and record the control gaps between the two. In 62443 a security level is a vector of seven values, one per FR, so gaps are recorded per FR and per zone or conduit, not as a single number for the site. This creates the defensible technical basis your CIRMP needs.
Align incident response plans to SOCI notification timelines: 12 hours from becoming aware of a critical cyber security incident (s30BC) and 72 hours for other cyber security incidents with a relevant impact (s30BD), with an oral report to be followed by a written report within 84 hours. The clock runs from awareness, so OT-specific detection and triage capability must exist to classify an incident inside the window. Build response procedures that account for the government assistance measures in Part 3A (information gathering directions, action directions and intervention requests under which ASD may act on the entity's systems).
Establish the evidence trail: annual report preparation per s30AG, board-approved attestation, documented CIRMP reviews (minimum every 12 months per the Rules s7), and update triggers for changes in operating environment, threat landscape, or asset configuration. Build maturity over successive review cycles.
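The per-FR gap analysis described in the gap-analysis layer above, worked through as an added example (this is not code from the original page or from any consultancy's toolkit). The zone and conduit names, the SL-T and SL-A values and the FR5 conduit heuristic are constructed assumptions for illustration; real values come from the entity's own 62443-3-2 assessment.

```python
"""IEC 62443 security-level gap analysis per zone and conduit (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IEC 62443-3-3 foundational requirements; an SL is a 7-element vector indexed FR1..FR7.
FR_NAMES = {
    1: "Identification and authentication control",
    2: "Use control",
    3: "System integrity",
    4: "Data confidentiality",
    5: "Restricted data flow",
    6: "Timely response to events",
    7: "Resource availability",
}

SLVector = Tuple[int, int, int, int, int, int, int]


def check_vector(v: SLVector) -> SLVector:
    """Reject anything that is not seven integer levels in the range 0..4."""
    if len(v) != 7 or any(not isinstance(x, int) or not 0 <= x <= 4 for x in v):
        raise ValueError(f"invalid SL vector: {v!r}")
    return v


@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: SLVector  # target level per FR, set by the risk assessment
    sl_a: SLVector  # achieved level per FR, found by the control assessment


@dataclass(frozen=True)
class Conduit:
    name: str
    zones: Tuple[str, str]  # the two zones the conduit connects
    sl_t: SLVector
    sl_a: SLVector


@dataclass(frozen=True)
class Gap:
    element: str  # zone or conduit name
    fr: int
    target: int
    achieved: int

    @property
    def shortfall(self) -> int:
        return self.target - self.achieved


def vector_gaps(element: str, sl_t: SLVector, sl_a: SLVector) -> List[Gap]:
    """One Gap per FR whose achieved level is below its target level."""
    check_vector(sl_t)
    check_vector(sl_a)
    return [Gap(element, fr, t, a)
            for fr, (t, a) in enumerate(zip(sl_t, sl_a), start=1) if a < t]


def conduit_fr5_warnings(conduits: List[Conduit], zones: Dict[str, Zone]) -> List[str]:
    """Heuristic (an assumption for this example, not a clause of the standard):
    a conduit's FR5 (restricted data flow) target should be at least the higher
    FR5 target of the two zones it joins, or the boundary is weaker than the zone."""
    warnings = []
    for c in conduits:
        a, b = (zones[n] for n in c.zones)
        needed = max(a.sl_t[4], b.sl_t[4])  # FR5 sits at index 4
        if c.sl_t[4] < needed:
            warnings.append(f"{c.name}: FR5 SL-T {c.sl_t[4]} is below the {needed} "
                            f"needed to protect {a.name} / {b.name}")
    return warnings


def gap_report(zones: List[Zone], conduits: List[Conduit]) -> Dict[str, object]:
    """Collect every per-FR gap, largest shortfall first, plus conduit warnings."""
    gaps: List[Gap] = []
    for z in zones:
        gaps += vector_gaps(z.name, z.sl_t, z.sl_a)
    for c in conduits:
        gaps += vector_gaps(c.name, c.sl_t, c.sl_a)
    gaps.sort(key=lambda g: (-g.shortfall, g.element, g.fr))
    return {
        "gaps": gaps,
        "worst": gaps[0] if gaps else None,
        "warnings": conduit_fr5_warnings(conduits, {z.name: z for z in zones}),
    }


# Constructed sample model: a safety zone, a basic control zone and an industrial DMZ.
ZONES = [
    Zone("SIS zone", sl_t=(3, 3, 3, 2, 3, 3, 3), sl_a=(2, 2, 2, 1, 3, 1, 3)),
    Zone("Basic control zone", sl_t=(2, 2, 2, 2, 2, 2, 2), sl_a=(1, 2, 2, 1, 1, 1, 2)),
    Zone("Industrial DMZ", sl_t=(2, 2, 2, 2, 2, 2, 2), sl_a=(2, 2, 2, 2, 2, 2, 2)),
]
CONDUITS = [
    Conduit("DMZ-to-control", ("Industrial DMZ", "Basic control zone"),
            sl_t=(2, 2, 2, 1, 2, 2, 2), sl_a=(2, 1, 2, 1, 2, 1, 2)),
    Conduit("Control-to-SIS", ("Basic control zone", "SIS zone"),
            sl_t=(2, 2, 2, 1, 2, 2, 2), sl_a=(2, 2, 2, 1, 2, 2, 2)),
]

if __name__ == "__main__":
    report = gap_report(ZONES, CONDUITS)
    for g in report["gaps"]:
        print(f"{g.element:20} FR{g.fr} {FR_NAMES[g.fr]}: "
              f"SL-T {g.target}, SL-A {g.achieved}, shortfall {g.shortfall}")
    for w in report["warnings"]:
        print("WARNING", w)
```

The sorted gap list is the artefact that belongs in the CIRMP evidence trail: each entry names the zone or conduit, the FR, and the target and achieved levels, which is exactly the per-FR, per-zone record an auditor can trace from a material risk to the 62443-3-3 SRs chosen to close it.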
The SOCI Act mandates outcomes. IEC 62443 provides the implementation path. This mapping demonstrates how 62443 controls satisfy SOCI obligations — creating a defensible compliance position that delivers genuine security uplift.
| SOCI Obligation | OT Operational Impact | IEC 62443 Reference | Practical Control |
|---|---|---|---|
| CIRMP must identify material risks across all hazard vectors (Part 2A, s30AC) | Requires structured risk assessment covering OT-specific cyber, physical, personnel, and supply chain threats | 62443-3-2 ZCR 1-7 — Risk assessment methodology | Zone and conduit risk assessment with threat modelling for each OT zone |
| Minimise or eliminate material risks, so far as reasonably practicable (Rules s7) | Implement controls proportionate to risk — not theoretical, but achievable in constrained OT environments | 62443-3-3 SRs under FR 1-7 — System security requirements by SL | Assign SL-T per zone and conduit, implement controls to close SL-A to SL-T gaps |
| Adopt a recognised cyber security framework (Rules s8(4)) | Must comply with one of the prescribed frameworks or demonstrate equivalency | 62443-2-1 — IACS Security Management System | IEC 62443 as equivalent framework, with documented justification in the CIRMP |
| Identify critical workers and manage personnel hazards (Rules s9) | Map individuals with access to control systems, assess insider risk, implement access controls | 62443-2-1 4.3.3.6 — Personnel security; 62443-3-3 SR 1.1 — Human user identification and authentication | Role-based access control for OT systems, background checks, access review cycles |
| Manage supply chain hazards and list major suppliers (Rules s10) | Assess OT vendor risk — system integrators, SCADA vendors, remote access providers | 62443-2-1 4.3.2.6 — Procurement; 62443-4-1 — Secure product development | Vendor security requirements, 62443-4-1 certification in procurement, third-party access controls |
| Identify physical critical components and manage physical/natural hazards (Rules s11) | Protect control rooms, substations, pump stations, remote sites from physical and environmental threats | 62443-3-3 SR 2.1 — Authorisation enforcement; 62443-2-1 4.3.3.3 — Physical security | Physical access controls for OT areas, environmental monitoring, redundancy for critical sites |
| Report critical cyber incidents within 12 hours (Part 2B, s30BC) | Requires OT-specific detection and triage capability to identify and classify incidents within the reporting window | 62443-2-1 4.3.4.5 — Incident response; 62443-3-3 SR 6.1 — Audit log accessibility; SR 6.2 — Continuous monitoring | OT network monitoring, IDS/anomaly detection, defined escalation path to ASD |
| Board must approve annual report attesting CIRMP currency (s30AG) | Board needs evidence-based reporting on OT security posture, not just compliance assertions | 62443-2-1 4.2.2 — Management commitment; 62443-2-1 4.2.3 — Management review | Board reporting pack with risk metrics, control effectiveness evidence, and maturity trajectory |
| Data storage systems form part of the CI asset (s9(7)) | OT historians, engineering workstations, backup systems are legally part of the critical infrastructure asset | 62443-3-3 SR 3.1-3.8 — System integrity; 62443-3-3 SR 7.1-7.8 — Resource availability | Historian segmentation, backup integrity validation, engineering workstation hardening |
The CIRMP Rules define four hazard vectors. Each requires specific treatment in OT environments. Here's what the regulator expects — and what we typically find when we assess.
Compliance with a prescribed cyber framework (ISO 27001, NIST CSF, Essential Eight, C2M2, AESCSF, or equivalent). Documented process to minimise and mitigate cyber hazards. From 2024-25, entities must report which framework they use.
IT-centric frameworks applied to OT without adaptation. No zone and conduit model. Flat OT networks with no segmentation between safety and control systems. No OT-specific incident detection capability.
Critical workers identified by name and position. Access to critical components restricted to assessed and suitable workers. Process to minimise insider risk — including malicious, negligent, and departing employees.
No formal critical worker register. Shared HMI credentials across shifts. Third-party integrators with persistent remote access and no access review. The 2023-24 CISC audit trials flagged this as a systemic deficiency.
Major suppliers listed in the CIRMP. Process to minimise risks from unauthorised access, interference, or exploitation through the supply chain. Consideration of supplier country of origin, ownership, and influence.
No formal major supplier register for OT. System integrators with domain admin-equivalent access to SCADA. No contractual security requirements flowing to OT vendors. No assessment of vendor product security maturity (IEC 62443-4-1).
Physical critical components identified. Access restricted to critical workers. Security arrangements tested for effectiveness. Process to detect, delay, deter, respond to, and recover from physical breaches and natural hazards.
Remote substations and pump stations with no physical intrusion detection. No bushfire survival plan for exposed infrastructure. Control rooms without access logging. CISC determined that physical and natural hazards were the most common cause of significant impact in 2023-24.
Three structured engagements — each designed to move responsible entities from regulatory exposure to defensible compliance with genuine operational security improvement.
Rapid assessment of your current CIRMP posture against CISC expectations and the CIRMP Rules. Identifies gaps before the regulator does.
Full CIRMP development or overhaul — built with operational input, mapped to IEC 62443, and structured to withstand regulatory scrutiny. Includes the governance and reporting framework boards need to attest with confidence.
Deep technical engagement mapping IEC 62443 controls to SOCI hazard vectors. Zone and conduit modelling, security level assignment, gap analysis, and a remediation roadmap that closes the gap between legislative obligation and operational reality.
Every responsible entity under the SOCI Act needs a defensible CIRMP. Most don't have one that would withstand the 2025-26 audit cycle. Let's fix that.