Operational technology (OT) security is one of the most misunderstood and underinvested areas of cybersecurity in Australian critical infrastructure — and it's now one of the most actively regulated.
As IT and OT systems continue to converge, and as SOCI Act obligations bring OT environments into formal cybersecurity governance, Australian energy, water, transport, and industrial operators face a challenge that most standard managed security providers aren't equipped to address: how do you secure systems that were never designed with security in mind, can't be easily patched, and where downtime is measured in community impact rather than productivity loss?
The stakes in 2026 are higher than they've ever been. The first Independent Review of the SOCI Act, delivered in January 2026, identified OT environments as an area requiring stronger controls. The proposed enhanced CIRMP Rules released in March 2026 are expected to tighten requirements for sectors with significant OT exposure — electricity, gas, liquid fuels, water, and freight. And IoT security standards that took effect in March 2026 bring a new compliance dimension to connected devices in OT environments.
This post explains what OT security is, why it's different from IT security, what the current threat and regulatory landscape looks like, and what a credible OT security program needs to cover.
What is operational technology (OT)?
Operational technology refers to the hardware and software that monitors and controls physical processes, devices, and infrastructure. In a critical infrastructure context, OT includes:
- SCADA systems (Supervisory Control and Data Acquisition) — used to monitor and control distributed infrastructure like power grids, water treatment plants, and gas pipelines
- Industrial Control Systems (ICS) — the broader category covering systems that automate and control industrial processes
- Distributed Control Systems (DCS) — used in continuous process environments like refineries and power generation facilities
- Programmable Logic Controllers (PLCs) — physical devices that execute control commands in industrial environments
- Remote Terminal Units (RTUs) — field devices that interface between physical sensors and SCADA systems
- Energy Management Systems (EMS) and Building Management Systems (BMS)
- IoT devices — an increasingly significant category following the mandatory IoT security standards that took effect in March 2026
These systems are the physical layer of critical infrastructure. When a SCADA system for a water treatment plant is compromised, the consequence isn't a data breach — it's the potential manipulation of water chemistry affecting public health. When an electricity distribution management system is attacked, the consequence is blackouts affecting hospitals, homes, and businesses.
Why OT security is different from IT security
Standard IT security practices — designed for corporate networks, endpoints, and cloud environments — don't map cleanly onto OT environments. The differences are fundamental:
Availability trumps confidentiality. In IT security, the classic security triad weights confidentiality highly. In OT, availability is almost always the top priority. A water treatment plant cannot take its control systems offline for patching during a maintenance window the way a corporate server can.
Asset lifecycles are measured in decades, not years. Corporate IT equipment is replaced every three to five years. OT devices — PLCs, RTUs, industrial controllers — often remain in service for 15 to 30 years. Many were designed before cybersecurity was a consideration, run legacy operating systems that are no longer supported, and cannot be patched without extensive testing and change management.
Proprietary protocols and systems. OT environments use industrial communication protocols — Modbus, DNP3, IEC 61850, OPC — that most IT security tools don't understand. Visibility into OT traffic requires specialised tools and expertise.
Air gaps are a myth. There is a persistent assumption that OT environments are isolated from the internet and therefore secure. In reality, most OT environments have connectivity to corporate IT networks, vendor remote access, cloud-based monitoring, or the internet. The IT/OT convergence of the past decade has significantly expanded the attack surface.
Safety implications. In some OT environments — oil and gas, energy generation, water treatment — a successful cyberattack could have physical safety consequences. OT security decisions need to account for safety instrumented systems (SIS) and the potential for cyber events to cause physical harm.
The Australian OT threat landscape in 2026
Australian critical infrastructure OT environments are facing a documented and growing threat. Key threats include:
Nation-state actors — sophisticated threat groups affiliated with foreign governments have demonstrated the capability and intent to pre-position themselves in critical infrastructure OT environments. The goal is often not immediate disruption but persistence, with attacks designed to activate during geopolitical crises. Australia's geopolitical environment in 2026 makes this a material risk, not a theoretical one.
Ransomware — ransomware groups have increasingly targeted OT environments, recognising that operational disruption creates more pressure to pay than data theft alone. Under the Cyber Security Act 2024 ransomware payment reporting rules (in effect since May 2025), Australian organisations with turnover above $3 million must report payments to the ASD — making OT ransomware incidents a regulatory event as well as an operational one.
Supply chain compromise — OT environments rely on vendor remote access for maintenance and support. Compromising a vendor is a well-documented route into OT environments that would otherwise be difficult to reach directly.
IoT attack surface expansion — the proliferation of connected IoT devices in OT environments has created new attack vectors. The March 2026 mandatory IoT security standards are a direct response to this growing risk. Organisations that haven't yet inventoried their IoT devices and assessed compliance are carrying unquantified risk.
What the SOCI Act requires for OT security in 2026
The SOCI Act's CIRMP obligations apply to OT environments — not just corporate IT. Your Critical Infrastructure Risk Management Program must identify and manage risks to your critical assets across all four hazard categories, and the cybersecurity component must cover the systems that underpin your operations, including OT.
Key current requirements:
Your chosen cybersecurity framework must cover OT. If you've selected the Essential Eight, you need to understand which controls are applicable to OT assets. If you're in the energy sector and have adopted the AESCSF, the framework includes OT-specific considerations — which is one of the reasons it's the preferred choice for energy operators.
Your asset register must include OT assets. You cannot have a credible CIRMP if your asset inventory covers only IT systems. OT assets — even those that appear isolated — need to be identified, documented, and assessed.
IoT devices need to meet mandatory standards. From March 2026, smart devices supplied to critical infrastructure operators must meet the mandatory IoT security standards under the Cyber Security Act 2024. Devices already in your OT environment need to be assessed for compliance.
Enhanced CIRMP Rules are coming. The proposed 2026 enhancements specifically target sectors with significant OT exposure. Energy, water, and freight operators in particular should treat the proposed rules as a preview of incoming obligations and begin gap analysis now rather than waiting for final implementation guidance.
Incident notification applies to OT incidents. A cybersecurity incident affecting an OT system that controls critical infrastructure is a notifiable incident under the SOCI Act. Your notification process needs to account for OT-specific scenarios — including the 12-hour deadline for serious incidents.
For a comprehensive overview of all current SOCI Act obligations, see our SOCI Act compliance checklist and our SOCI Act compliance services page.
What a credible OT security program looks like in 2026
1. OT asset discovery and inventory
You cannot secure what you don't know you have. OT asset discovery is often the most confronting phase of an OT security engagement — organisations frequently discover assets they didn't know were networked, legacy devices still in production, and vendor connections they weren't aware of. In 2026, this must also include IoT devices assessed against the March 2026 mandatory standards.
Passive network monitoring tools designed for OT can discover assets without sending traffic that could disrupt sensitive control systems. This matters — active scanning in an OT environment can cause operational disruptions if not carefully managed.
2. Network segmentation
The Purdue Enterprise Reference Architecture provides a model for segmenting IT and OT networks into zones, with defined communication paths between them. Proper segmentation means that a compromise in the corporate IT environment cannot directly reach the OT control systems.
In practice, many Australian critical infrastructure operators have incomplete segmentation. IT/OT convergence projects have created connections that weren't adequately documented or secured. A network architecture review is a standard early step in any OT security engagement.
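A network architecture review of the kind described above usually starts by checking firewall conduits against the Purdue zone model. The following is an added example, not ASE Tech's tooling or any product's output: the zone names, the Purdue level assigned to each, the constructed rule set and the three policy checks (enterprise traffic that skips the industrial DMZ, any-port rules into an OT zone, industrial protocol ports opened from the DMZ or above straight into the control zone) are all assumptions chosen for illustration. The port-to-protocol mapping uses the well-known ports for the protocols the page names.

```python
"""Purdue zone/conduit rule audit (added example, not ASE Tech's tooling)."""
from dataclasses import dataclass, field

# Constructed zone names with assumed Purdue levels; 3.5 is the industrial DMZ (IDMZ).
ZONE_LEVELS = {
    "enterprise": 4.0, "vendor_vpn": 4.0, "idmz": 3.5,
    "site_ops": 3.0, "control": 2.0, "field": 1.0,
}
# Well-known ports for the industrial protocols named on the page.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "IEC 61850 MMS", 4840: "OPC UA"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ports: set = field(default_factory=set)   # empty set means "any port"
    action: str = "allow"


def audit_rules(rules, zone_levels=ZONE_LEVELS):
    """Return (rule name, check id, message) for every allow rule that weakens the zone model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = zone_levels[r.src_zone], zone_levels[r.dst_zone]
        # Check 1: level 4/5 sources must terminate in the IDMZ, never below it.
        if src >= 4.0 and dst < 3.5:
            findings.append((r.name, "bypass_idmz",
                             "traffic from level 4/5 reaches an OT zone without passing through the IDMZ"))
        # Check 2: conduits into OT zones must name their ports.
        if dst < 3.5 and not r.ports:
            findings.append((r.name, "any_port", "unrestricted ports into an OT zone"))
        # Check 3: industrial protocols should originate at level 3 (SCADA/EWS), not from the IDMZ or above.
        exposed = sorted(OT_PORTS[p] for p in r.ports if p in OT_PORTS)
        if exposed and src >= 3.5 and dst <= 2.0:
            findings.append((r.name, "ot_protocol_from_above",
                             f"{', '.join(exposed)} permitted from level {src} straight into the control zone"))
    return findings


# Constructed rule set standing in for an exported firewall policy.
SAMPLE_RULES = [
    Rule("scada-polls-plcs", "site_ops", "control", {502}),            # expected conduit
    Rule("scada-to-dmz-historian", "site_ops", "idmz", {4840}),        # expected conduit
    Rule("erp-reporting", "enterprise", "control", {502}),             # skips the IDMZ
    Rule("vendor-direct", "vendor_vpn", "control"),                    # any port, skips the IDMZ
    Rule("jump-host-modbus", "idmz", "control", {502}),                # protocol from the DMZ
    Rule("deny-rest", "enterprise", "field", action="deny"),           # not an allow rule
]

if __name__ == "__main__":
    for name, check, msg in audit_rules(SAMPLE_RULES):
        print(f"{name}: [{check}] {msg}")
```

Running it against the constructed rules reports the two enterprise-level conduits that land below the IDMZ, the unrestricted vendor rule, and the Modbus conduit from the DMZ; the two level 3 rules pass. In a real review the rule list would be exported from the firewalls and the zone map taken from the site's own architecture documentation.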
3. OT-specific monitoring and visibility
Standard SIEM tools don't understand OT protocols. OT security monitoring requires tools that can parse industrial communication protocols, understand normal OT traffic patterns, and alert on anomalies without generating false positives that overwhelm operations teams.
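To make concrete what "parsing industrial protocols" and "passive asset discovery" (section 1 above) mean in practice, here is an added example that is not ASE Tech's tooling or any product's code. It parses the Modbus/TCP framing (the MBAP header layout is from the public Modbus specification) from a constructed capture, builds an inventory of servers, unit IDs, function codes and clients purely from observed traffic, and raises three kinds of finding: malformed frames, requests to a server absent from the asset baseline, and write function codes from hosts outside an engineering allowlist. All IP addresses, the baseline and the allowlist are made-up assumptions.

```python
"""Passive Modbus/TCP parsing and anomaly detection (added example, not ASE Tech's tooling)."""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    src: str            # client (master) IP taken from the capture
    dst: str            # server (PLC/RTU) IP taken from the capture
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, so it must equal len(payload) - 6.
    Raises ValueError for anything that breaks the framing rules.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} != {len(payload) - 6}")
    return ModbusRequest(src, dst, tid, uid, payload[7], payload[8:])


def analyse(capture, known_devices, write_allowlist):
    """Build a passive inventory and a findings list; nothing is ever sent to the devices."""
    inventory = defaultdict(lambda: {"unit_ids": set(), "function_codes": set(), "clients": set()})
    findings = []
    for src, dst, payload in capture:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as err:
            findings.append({"kind": "malformed", "src": src, "dst": dst, "detail": str(err)})
            continue
        dev = inventory[dst]
        dev["unit_ids"].add(req.unit_id)
        dev["function_codes"].add(req.function_code)
        dev["clients"].add(src)
        name = FUNCTION_NAMES.get(req.function_code, f"function {req.function_code}")
        if dst not in known_devices:
            findings.append({"kind": "unknown_device", "src": src, "dst": dst,
                             "detail": f"{name} to a server absent from the asset baseline"})
        if req.function_code in WRITE_CODES and src not in write_allowlist:
            findings.append({"kind": "unauthorised_write", "src": src, "dst": dst,
                             "detail": f"{name} from a host outside the engineering allowlist"})
    return dict(inventory), findings


def mbap(tid, unit, fc, *words):
    """Build a constructed request frame with a correct MBAP length field."""
    pdu = struct.pack(">B" + "H" * len(words), fc, *words)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (client IP, server IP, TCP payload). Every address is made up.
SAMPLE_CAPTURE = [
    ("10.10.1.5", "10.10.2.20", mbap(1, 1, 3, 0, 10)),        # HMI reads 10 holding registers
    ("10.10.1.7", "10.10.2.20", mbap(2, 1, 6, 100, 1)),       # engineering workstation writes register 100
    ("192.168.50.44", "10.10.2.20", mbap(3, 1, 6, 100, 0)),   # corporate host writes the same register
    ("10.10.1.5", "10.10.2.99", mbap(4, 1, 3, 0, 2)),         # poll of a server not in the baseline
    ("10.10.1.5", "10.10.2.20", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),  # protocol id 1
]
KNOWN_DEVICES = {"10.10.2.20"}
WRITE_ALLOWLIST = {"10.10.1.7"}

if __name__ == "__main__":
    inv, found = analyse(SAMPLE_CAPTURE, KNOWN_DEVICES, WRITE_ALLOWLIST)
    for host, info in inv.items():
        print(host, sorted(info["unit_ids"]), sorted(info["function_codes"]), sorted(info["clients"]))
    for f in found:
        print(f["kind"], f["src"], "->", f["dst"], f["detail"])
```

The read and the allowlisted write produce no alert, which is the point the section makes about false positives: the baseline (which servers exist, which hosts are permitted to write) is what separates normal engineering traffic from a corporate host issuing the same function code. The inventory side shows how a passive tool can enumerate servers and unit IDs from a span port without ever sending a frame toward a controller.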
ASE Tech's managed cybersecurity services include OT-specific visibility and monitoring capabilities — continuous detection without the operational risk of applying IT security tools in OT contexts.
4. Vulnerability management for OT
Patching OT systems is not like patching IT systems. It requires vendor involvement, extensive testing, change management approval, and often a maintenance window planned months in advance. In some cases, patches simply cannot be applied to systems that are too old or too critical to take offline.
A mature OT vulnerability management program accepts this reality and works within it — prioritising the highest-risk vulnerabilities, implementing compensating controls where patches cannot be applied, and maintaining a risk register that documents accepted risks with clear rationale.
5. Remote access security
Vendor remote access is one of the highest-risk vectors in OT environments. A credible OT security program implements secure remote access with strong authentication, session recording, and least-privilege access controls for every external connection to OT systems.
6. OT incident response
An OT incident response plan is fundamentally different from an IT incident response plan. The decision to isolate or shut down an OT system — which might be automatic in an IT context — needs to be weighed against the operational and safety consequences of doing so. OT incident response requires coordination between security teams, operations teams, safety engineers, and often regulators.
Given the SOCI Act's 12-hour notification deadline for serious incidents, tabletop exercises that simulate OT-specific scenarios are not optional — they're essential. Organisations that haven't tested their OT incident response plans recently should treat this as an urgent gap.
Getting started
For most Australian critical infrastructure operators, the starting point is understanding what you have and where the biggest risks are. An OT security assessment covers asset discovery (including IoT), network architecture review, vulnerability identification, and a gap analysis against your CIRMP cybersecurity obligations and the relevant framework — AESCSF, Essential Eight, or both.
The output is a prioritised remediation roadmap that works within your operational constraints — not a list of IT security recommendations retrofitted to an OT environment.
ASE Tech specialises in OT and industrial cybersecurity for Australian critical infrastructure. We work across energy, water, transport, and telecommunications environments, and our approach is built around operational realities. Visit our cybersecurity services page to learn more, read about our SOCI Act compliance program, or contact our team to discuss your environment.