Securing operational technology requires a fundamentally different approach from IT security. OT environments face a growing and sophisticated threat landscape, and Australian operators now face binding legislative obligations to protect their critical infrastructure systems.
OT threats have evolved from opportunistic IT attacks spilling over into industrial networks to sophisticated, OT-specific campaigns deliberately targeting physical infrastructure. The consequences extend well beyond data loss.
OT-targeted ransomware encrypts historian databases, engineering workstations, and SCADA servers — forcing operators to shut down production or operate blind. The 2021 Colonial Pipeline attack halted fuel supply to the US East Coast via an IT-to-OT impact chain.
State-sponsored groups such as XENOTIME (Triton/TRISIS malware targeting Safety Instrumented Systems), Volt Typhoon, and Sandworm have demonstrated both capability and intent to attack critical infrastructure OT for espionage and pre-positioned destructive access.
OT assets running decade-old firmware and unsupported operating systems carry persistent known vulnerabilities that cannot be quickly patched. CVEs affecting SCADA software and PLC firmware remain unpatched for years in live production environments.
Malicious firmware or software introduced at the manufacturing stage, or through vendor remote access connections, can provide persistent and hard-to-detect access to OT environments. Third-party maintenance accounts are a recurring attack vector.
Authorised personnel — operators, maintenance engineers, contractors — hold privileged physical and logical access to OT systems. Access management in OT is often immature, with shared accounts, weak passwords, and no MFA on critical engineering workstations.
Increasing connectivity between IT and OT networks — via business intelligence feeds, IIoT sensors, and vendor remote access — eliminates the isolation that historically protected OT, without necessarily adding the compensating security controls to replace it.
OT cybersecurity in Australia is no longer merely a matter of best practice. Operators of critical infrastructure face binding legislative obligations, with significant penalties for non-compliance.
Multiple frameworks guide OT security programs. IEC 62443 is the most comprehensive and OT-specific. These frameworks are complementary rather than competing.
The primary international standard for OT security. A multi-part series covering general concepts, security management systems, system design, component requirements, and evaluation methodology. Defines a risk-based zone-and-conduit architecture and five security levels (SL 0–4). Referenced by Australia's AESCSF and recommended by the ACSC as the preferred technical standard for OT environments. Applicable to asset owners (Series 2), system integrators (Series 3), and product manufacturers (Series 4). See iec62443.au for a detailed reference guide to all published parts and security levels.
Published by the US National Institute of Standards and Technology, SP 800-82 provides guidance on how to secure ICS — including SCADA, DCS, and PLC systems — while considering the performance, reliability, and safety requirements unique to OT environments. A widely cited companion to IEC 62443 and a foundation for many national OT security frameworks internationally, including elements of the AESCSF.
Mandatory cybersecurity standards for the North American bulk electric system, developed by the North American Electric Reliability Corporation. While not directly applicable in Australia, NERC CIP standards — particularly for electronic security perimeters, physical security, systems security management, and incident reporting — are widely referenced by Australian energy sector operators for OT security best practice.
The Network and Information Security 2 Directive extends EU cybersecurity obligations significantly, covering 18 critical sectors and explicitly requiring supply chain security. Australian operators with European operations, supply chains, or products sold into Europe face NIS2 obligations. The Directive references IEC 62443 for OT environments and has driven increased vendor-level OT security requirements globally.
Effective OT security is built on a small number of high-impact foundations. These principles apply regardless of sector, system scale, or maturity level — and directly support SOCI Act and IEC 62443 compliance.
You cannot secure what you cannot see. Comprehensive OT asset visibility — including firmware versions, network connections, and communication flows — is the non-negotiable foundation. Passive discovery tools are preferred to avoid disrupting OT devices.
Implement a zone-and-conduit architecture per IEC 62443-3-2. Separate OT from IT using industrial DMZs and firewalls. Apply data diodes at boundaries where unidirectional data flow is sufficient, and use air gaps where operationally feasible.
Assess OT assets continuously for known vulnerabilities. Prioritise by risk and operational impact. Where patching is not feasible — due to lifecycle or vendor constraints — apply layered compensating controls: network isolation, application allow-listing, monitoring.
Enforce least-privilege for all OT users. Implement MFA for all remote access paths, including vendor connections. Regularly audit and remove unused accounts. Eliminate shared credentials on critical engineering workstations and SCADA servers.
Deploy passive, OT-aware monitoring tools that understand industrial protocols (Claroty, Dragos, Nozomi Networks, or similar) and can detect anomalous behaviour without disrupting operations. Feed alerts into an OT-aware SOC or SIEM with OT context.
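As an added example (not code from this page or from any of the monitoring products it names), the following Python models the zone-and-conduit policy from the segmentation principle above and checks constructed passive-monitor flow records against it, flagging cross-zone traffic with no defined conduit, traffic against a data diode's direction, and Modbus write commands issued from outside the control zone. The zone map, conduit table and host addresses are all hypothetical.

```python
from collections import namedtuple
# One flow record as a passive OT monitor might export it (constructed).
Flow = namedtuple("Flow", "src dst proto func")

# Hypothetical IEC 62443 zone map: host address -> zone name.
ZONES = {
    "10.1.0.5": "enterprise",    # business intelligence server (IT)
    "10.2.0.10": "idmz",         # historian replica in the industrial DMZ
    "10.3.0.20": "control",      # SCADA server
    "10.3.0.21": "control",      # engineering workstation
    "10.3.1.30": "field",        # PLC
    "203.0.113.7": "vendor",     # vendor remote-access gateway
}
# Hypothetical conduits: (from_zone, to_zone) -> permitted protocols.
# control -> idmz passes through a data diode, so there is no reverse entry.
CONDUITS = {
    ("enterprise", "idmz"): {"https"},
    ("control", "idmz"): {"opcua"},
    ("control", "field"): {"modbus"},
    ("vendor", "idmz"): {"vpn"},
}
# Modbus function codes that change device state (write coil/register).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}
WRITE_ZONES = {"control"}  # only engineering/SCADA hosts may write to PLCs

def check_flow(flow):
    """Return findings for one flow; an empty list means it matches policy."""
    findings = []
    src_zone = ZONES.get(flow.src, "unknown")
    dst_zone = ZONES.get(flow.dst, "unknown")
    if "unknown" in (src_zone, dst_zone):
        findings.append(f"unknown asset in flow {flow.src}->{flow.dst}")
    if src_zone != dst_zone and flow.proto not in CONDUITS.get((src_zone, dst_zone), ()):
        findings.append(f"no conduit {src_zone}->{dst_zone} for {flow.proto}")
    if flow.proto == "modbus" and flow.func in MODBUS_WRITE_FUNCS and src_zone not in WRITE_ZONES:
        findings.append(f"modbus write (func {flow.func}) from {src_zone} host {flow.src}")
    return findings

def audit(flows):
    """Return (flow, findings) pairs for every flow that violates policy."""
    return [(f, check_flow(f)) for f in flows if check_flow(f)]

# Constructed sample flows: one legitimate write, then three violations.
SAMPLE_FLOWS = [
    Flow("10.3.0.21", "10.3.1.30", "modbus", 16),   # EWS writes registers: allowed
    Flow("10.1.0.5", "10.3.1.30", "modbus", 6),     # IT host writing to a PLC
    Flow("10.2.0.10", "10.3.0.20", "opcua", None),  # against the diode direction
    Flow("203.0.113.7", "10.3.0.20", "rdp", None),  # vendor straight into control
]
```

Calling `audit(SAMPLE_FLOWS)` returns the three violating flows with their findings; the unknown-asset finding is the monitoring counterpart of the asset visibility principle, since a host missing from the zone map cannot be checked against any conduit.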
Develop OT-specific incident response playbooks that explicitly account for the safety implications of isolating or shutting down OT systems. Test response capability through regular tabletop exercises that include both IT and OT stakeholders.