Major Infrastructure Security
Major infrastructure carries regulatory obligations, long asset lifecycles, and layered governance. Security advisory needs to integrate with systems engineering, work within alliance and consortium structures, and produce outputs that survive handover to operations.
Where security meets infrastructure delivery
Infrastructure security operates under regulatory frameworks, long programme timelines, and governance structures that demand traceability and auditability at every stage.
- The SOCI Act and CIRMP requirements place specific obligations on responsible entities across physical, cyber, personnel, and supply chain vectors. Compliance requires systematic identification, assessment, and mitigation of risks, with documented evidence that each obligation has been addressed.
- Multi-decade asset lifecycles mean security decisions made during design govern operational security for 30-50 years. Treatments specified without understanding operational realities create maintenance burdens and security postures that degrade over time.
- Alliance and consortium delivery models distribute design responsibility across multiple organisations. Security requirements without clear ownership, traceability, and verification create coordination gaps that only surface at assurance gates, when correction costs are highest.
- Balancing capital expenditure on protective measures against operational expenditure on ongoing security requires risk positions that distinguish threats warranting physical design responses from those better managed through operational controls.
- Requirements traceability from threat assessment through to verification and handover is an assurance expectation on major programmes. Security requirements that cannot demonstrate how each risk was identified, treated, and verified will not pass independent review.
How we work on infrastructure projects
- SOCI-aligned threat and risk assessment
  Threat assessment is structured to address the four hazard vectors required under the CIRMP: physical, cyber, personnel, and supply chain. Risk positions are calibrated to the specific asset class, threat environment, and regulatory context. Outputs satisfy both the regulator and the project team, with clear evidence trails from threat identification through to treatment decisions.
- Security requirements management across design gates
  Individually tracked requirements are mapped to security zones, assigned to responsible disciplines, and verified through documented designer responses at each gate. Requirements are structured so that each discipline (architecture, civil, electrical, communications, operations) receives only the requirements relevant to its scope, with the expected evidence specified for each.
- Protective design for critical assets
  Physical protection is specified against credible design basis threats: perimeter treatments, blast protection, and access control infrastructure derived from the threat assessment.
- Operational security strategy for long-lifecycle assets
  Security management frameworks, operational procedures, and technology strategies are designed for the full asset lifecycle, distinguishing between risks that warrant capital protective measures and those better managed through operational controls, so that the handover to operations includes a security posture the operator can sustain.
Frequently asked questions
What are the SOCI Act security requirements?
The SOCI Act requires responsible entities for critical infrastructure to adopt a Critical Infrastructure Risk Management Program (CIRMP) addressing four hazard vectors: physical, cyber, personnel, and supply chain security. Entities must identify material risks, implement measures to mitigate them so far as is reasonably practicable, and maintain documented evidence. The CIRMP must be approved by a board-level accountable person and is subject to annual reporting. The regulatory expectation is that security risk management is systematic, documented, and auditable.
How does security integrate with alliance delivery?
Security is delivered as an embedded function within the design team, not as an external review layer. Core42 attends design coordination meetings, issues requirements directly to responsible disciplines, and tracks designer responses through each gate. Each discipline receives only the requirements relevant to its scope, with the expected evidence specified. This approach works within existing governance rather than creating a parallel security approval process.
What is a security requirements management approach?
It is the process of deriving individual security requirements from the threat assessment, assigning each to a responsible discipline, tracking designer responses, and verifying compliance at each design gate. Core42 typically manages 100+ individually tracked requirements per project, each mapped to a security zone, with an Expected Evidence column specifying the design output required to close it. This traceability from risk identification through to verified design response is what assurance reviewers look for.
Need security advisory for an infrastructure project?
Whether you're at business case, concept design, or detailed design, start with a 30-minute conversation to identify where security sits in your programme and what decisions need to happen next.