ITCSAU - Advising Sovereignty in a Digital Age
Cybersecurity | Critical Infrastructure | 7 MIN READ

State-Sponsored Cyber Pre-Positioning: Board Imperatives

ASIO's November 2025 warnings on state-sponsored actors targeting Australian critical infrastructure demand immediate board action. Governance framework inside.

By Marc Mendis

In Brief

State-sponsored pre-positioning for high-impact sabotage is now an operational reality, not a theoretical risk. ASIO's November 2025 warnings identified Salt Typhoon and Volt Typhoon actively mapping Australian critical infrastructure. The CISC's CI Fortify guidance establishes scenario-based planning for 90-day OT isolation capability. Boards must pivot from compliance monitoring to active resilience governance, with personal accountability for cyber readiness commensurate with the threat environment Australia now faces.

The Threshold Moment

Australia faces an unprecedented state-sponsored cyber threat.

On 12 November 2025, ASIO Director-General Mike Burgess named Salt Typhoon and Volt Typhoon as “actively and aggressively mapping” Australian critical infrastructure. The objective is not espionage. It is pre-positioning for potential sabotage.

These groups are establishing covert access points that could disable telecommunications, destabilise power grids, disrupt water treatment, or compromise financial networks during a future crisis.

ASIO Threat Assessment

Salt Typhoon and Volt Typhoon are actively mapping Australian critical infrastructure networks. The objective is pre-positioning for potential high-impact sabotage during a future crisis scenario.

Burgess warned Australia is approaching conditions under which high-impact sabotage becomes feasible. The ASD Annual Cyber Threat Report 2024-25 confirms attacks on critical infrastructure more than doubled year-on-year.

138 ransomware incidents required ACSC response in a single fiscal year, with 39% identified by ASD before victims were aware (ASD Annual Cyber Threat Report 2024-25).

The CISC’s CI Fortify guidance (October 2025) sets out scenario-based planning for operating OT in isolation for 90 days. Building that capability translates into capital investment, architectural redesign, and crisis planning that only boards can authorise.

For directors, the calculus has changed. This is an operational reality demanding immediate governance response.

Pre-positioning is not theoretical. Intelligence agencies have confirmed active campaigns targeting Australian critical infrastructure.

Why 2025 Represents an Inflection Point

Three factors converge to create a governance inflection point.

Explicit threat attribution creates legal accountability. ASIO’s warnings eliminate the ambiguity that previously shielded boards from regulatory scrutiny. When intelligence agencies name specific sectors as targets, a failure to respond exposes directors to scrutiny under their SOCI Act obligations and, for regulated financial entities, APRA CPS 234 requirements.

The legal threshold has shifted from “should have known” to “were told.” Directors can no longer claim ignorance of the threat landscape when intelligence agencies have provided specific, attributable warnings.

[Figure: Threat Sophistication vs Detection Capability Gap. The widening asymmetry between state-sponsored offence and enterprise defence. Capability index (0-100) plotted for 2020-2026, with an inflection point marked; series: threat sophistication, detection capability.]

Regulatory frameworks demand measurable resilience. The SOCI Act now covers 11 critical infrastructure sectors with mandatory incident reporting and risk management programs. The CISC’s CI Fortify guidance introduces 90-day OT isolation benchmarks.

Queensland’s $40M Cyber Security Strategy 2025-2027, launched after the state recorded 28% of national cyber incidents, signals political willingness to impose consequences.

The technical maturity gap remains dangerously wide. Only 15% of government entities achieve Essential Eight Maturity Level 2. Private critical infrastructure operators face similar challenges.

ASD identified 39% of ransomware incidents before victim organisations were aware. Detection capabilities remain insufficient across the sector.

These three pressures (explicit attribution, regulatory acceleration, and capability deficits) create a convergence of board-level accountability. The question is no longer whether to act, but how rapidly and comprehensively leadership can mobilise.

Architectural Resilience Beyond Segmentation

Traditional network segmentation is necessary but insufficient against state-sponsored actors.

The CI Fortify guidance on 90-day OT isolation represents a fundamental rethinking of infrastructure architecture. State-sponsored actors spend months mapping interdependencies before activation. Firewalls and DMZs alone cannot counter adversaries who have already mapped the internal topology.

True isolation capability requires four architectural pillars. Each demands board-level decisions on capital allocation, operational redesign, and risk acceptance.

Architectural Resilience Pillars

Pillar | Requirement | Board Implication
Physical & logical separation | IEC 62443 (AS/NZS 62443) defence-in-depth: segmentation, secure remote access, hardening | Capital expenditure for legacy ICS replacement (20-30 year lifecycles)
Offline operational capability | Critical operations function for 3 months without internet, cloud, or third-party access | Local storage, manual overrides, workforce training investment
Supply chain independence | Vendor risk assessments under the Digital Supply Chain Risk Management framework | Contract renegotiation and vendor diversification required
Recovery architecture | Forensically sound recovery: clean backups, tested restoration, state-sponsored-specific playbooks | Essential Eight Enhanced (Level 3) maturity required

CISC CI Fortify Guidance, October 2025; AS IEC 62443 Series, July 2025

Industrial control systems often have 20-30 year lifecycles and were designed without cybersecurity considerations. Retrofitting isolation capability onto legacy infrastructure requires staged investment over 18-36 months.

These decisions cannot be delegated to IT departments. They reshape operational models, capital allocation, and risk profiles. Board approval is required.
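The "offline operational capability" pillar above is only meaningful if it can be tested. The following is an added illustration, not part of the original article or of the CISC guidance: a small isolation-drill simulator over a constructed dependency inventory for a hypothetical water utility. It assumes that dependencies of kind "internet", "cloud" and "vendor" are severed for the full 90-day window, that some dependencies carry a grace period (cached licences, buffered data) or a rehearsed manual fallback, and it reports which critical functions survive, which degrade, and which fail, together with the dependency list that becomes the capital and contract-renegotiation agenda. All asset and dependency names are invented.

```python
"""Isolation-drill simulation: which critical functions survive 90 days cut off?

Added illustration only; the inventory is constructed, not a real site.
Dependency kinds "internet", "cloud" and "vendor" are assumed to be severed
by the drill; "local" dependencies stay up.
"""
from dataclasses import dataclass

DRILL_DAYS = 90                                  # CI Fortify's 90-day window
SEVERED_KINDS = {"internet", "cloud", "vendor"}  # assumed classes the drill removes


@dataclass(frozen=True)
class Dependency:
    name: str
    kind: str                      # "local" | "internet" | "cloud" | "vendor"
    grace_days: int = 0            # days the function keeps running after loss
    manual_fallback: bool = False  # a trained, documented manual procedure exists


@dataclass
class CriticalFunction:
    name: str
    deps: list


def assess_function(fn, days=DRILL_DAYS, severed=SEVERED_KINDS):
    """Return (status, notes) for one function under `days` of isolation.

    FAIL:     an external dependency with no fallback runs out before the window ends.
    DEGRADED: every external loss is covered by a manual fallback or a grace period.
    OK:       the function has no external dependency at all.
    """
    blocking, degraded = [], []
    for d in fn.deps:
        if d.kind not in severed:
            continue
        if d.manual_fallback:
            degraded.append(f"{d.name}: manual fallback")
        elif d.grace_days >= days:
            degraded.append(f"{d.name}: {d.grace_days}-day grace covers window")
        else:
            blocking.append(f"{d.name}: fails on day {d.grace_days + 1}")
    if blocking:
        return "FAIL", blocking
    if degraded:
        return "DEGRADED", degraded
    return "OK", []


def run_drill(functions, days=DRILL_DAYS):
    """Board view: survival rate plus the dependency list driving capex/renegotiation."""
    results = {fn.name: assess_function(fn, days) for fn in functions}
    surviving = sum(1 for status, _ in results.values() if status != "FAIL")
    remediation = sorted(
        note for status, notes in results.values() if status == "FAIL" for note in notes
    )
    return {
        "window_days": days,
        "survival_pct": round(100 * surviving / len(functions)),
        "results": results,
        "remediation_list": remediation,
    }


# Constructed inventory for a hypothetical water utility (invented assets).
INVENTORY = [
    CriticalFunction("pump_station_control", [
        Dependency("plc_rack", "local"),
        Dependency("local_hmi", "local"),
    ]),
    CriticalFunction("treatment_dosing", [
        Dependency("plc_rack", "local"),
        Dependency("cloud_historian", "cloud", manual_fallback=True),  # operators log by hand
    ]),
    CriticalFunction("substation_scada", [
        Dependency("rtu_network", "local"),
        Dependency("vendor_remote_support", "vendor"),                # no fallback at all
        Dependency("licence_server_internet", "internet", grace_days=30),
    ]),
    CriticalFunction("telemetry_reporting", [
        Dependency("cloud_analytics", "cloud", grace_days=120),       # 120-day local buffer
    ]),
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_drill(INVENTORY), indent=2))
```

Run against the constructed inventory, three of four functions survive the window, and the remediation list names the two dependencies (a vendor remote-support channel with no fallback, and an internet-reachable licence server with a 30-day grace period) that would have to be re-architected or renegotiated before the utility could claim the benchmark. Rerunning with a shorter window shows which gaps are window-sensitive and which are absolute.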

Governance for Crisis-Ready Boards

Quarterly risk reports and annual penetration tests are structurally inadequate.

State-sponsored pre-positioning demands governance that translates intelligence into operational preparedness. Four shifts are essential.

Intelligence-informed risk committees require direct access to ACSC briefings, CISC updates, and sector Information Sharing and Analysis Centres. Directors need technical literacy to interpret threat indicators and commission proportionate responses.

This may necessitate board composition reviews. Recruiting directors with OT security, defence, or intelligence backgrounds addresses a capability gap that IT expertise alone cannot fill.

Scenario-based crisis exercises must move beyond desktop sessions to full operational simulations. What decisions must the board make in the first 48 hours if SCADA systems are compromised? Who has authority to isolate networks at the cost of operational disruption?

These scenarios should include regulatory notification rehearsals under SOCI Act mandatory reporting timelines. Simulations should run twice a year with external red teams, legal counsel, and government liaison functions.

Continuous assurance frameworks replace quarterly reporting cycles. Leading organisations deploy dashboards integrating SIEM data, vulnerability scanners, and configuration databases. These present board-consumable metrics on control effectiveness.

For APRA-regulated entities under CPS 234, continuous monitoring supports the requirement to maintain an information security capability commensurate with the threats faced, and provides evidence of due diligence.
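What separates continuous assurance from a quarterly slide deck is that the metrics are computed from machine data rather than self-attestation. The following is an added example, not code from the original article: it joins three constructed feeds (a CMDB extract, a vulnerability-scanner export, and a handful of invented SIEM lines from a jump host and an OT firewall) into a small set of board-consumable control metrics with a red/amber/green rating. The IT and OT address ranges, the 14-day patch SLA and the RAG thresholds are assumptions chosen for illustration, not ASD or CISC figures; the log formats are invented and would be replaced by the organisation's own parsers.

```python
"""Continuous-assurance roll-up from constructed CMDB, scanner and SIEM feeds.

Added example only. Address ranges, SLA and RAG thresholds are assumptions.
"""
import ipaddress
import re

IT_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed corporate range
OT_NET = ipaddress.ip_network("10.9.0.0/16")   # assumed OT range
PATCH_SLA_DAYS = 14                             # assumed internal SLA for critical findings

# Constructed feeds (invented assets, findings and log lines).
CMDB = [
    {"asset": "plc-01", "zone": "ot", "criticality": "high", "internet_exposed": False},
    {"asset": "hmi-02", "zone": "ot", "criticality": "high", "internet_exposed": True},
    {"asset": "jump-01", "zone": "dmz", "criticality": "high", "internet_exposed": False},
    {"asset": "ws-17", "zone": "it", "criticality": "low", "internet_exposed": False},
]
SCAN = [
    {"asset": "hmi-02", "severity": "critical", "days_open": 21},
    {"asset": "jump-01", "severity": "critical", "days_open": 1},
    {"asset": "ws-17", "severity": "high", "days_open": 3},
]
SIEM = [
    "2025-11-20T02:14:05Z jump-01 sshd: Accepted password for eng from 10.1.5.7",
    "2025-11-20T02:14:07Z fw-ot-01 DENY src=10.1.5.7 dst=10.9.0.12 dport=502",
    "2025-11-20T02:15:11Z fw-ot-01 ALLOW src=10.1.5.7 dst=10.9.0.12 dport=502",
    "2025-11-20T03:02:44Z fw-ot-01 ALLOW src=10.9.0.12 dst=10.9.0.30 dport=44818",
]

FW_RE = re.compile(r"(?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def it_to_ot_flows(siem_lines):
    """Permitted flows that originate in the IT range and land in the OT range."""
    hits = []
    for line in siem_lines:
        m = FW_RE.search(line)
        if not m or m["action"] != "ALLOW":
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in IT_NET and dst in OT_NET:
            hits.append((str(src), str(dst), int(m["dport"])))
    return hits


def patch_sla_compliance(cmdb, scan, sla_days=PATCH_SLA_DAYS):
    """Fraction of critical findings on high-criticality assets still inside the SLA."""
    high = {a["asset"] for a in cmdb if a["criticality"] == "high"}
    findings = [f for f in scan if f["asset"] in high and f["severity"] == "critical"]
    if not findings:
        return 1.0
    return sum(1 for f in findings if f["days_open"] <= sla_days) / len(findings)


def exposed_ot_assets(cmdb):
    return [a["asset"] for a in cmdb if a["zone"] == "ot" and a["internet_exposed"]]


def password_only_logins(siem_lines):
    """Jump-host logins accepted on a password alone (no second factor in the record)."""
    return [l for l in siem_lines if "sshd: Accepted password" in l]


def rag(value, green_at, amber_at, higher_is_better=True):
    """Map a metric to red/amber/green against assumed thresholds."""
    if not higher_is_better:
        value, green_at, amber_at = -value, -green_at, -amber_at
    return "green" if value >= green_at else "amber" if value >= amber_at else "red"


def board_metrics(cmdb=CMDB, scan=SCAN, siem=SIEM):
    pct = patch_sla_compliance(cmdb, scan)
    exposed = exposed_ot_assets(cmdb)
    flows = it_to_ot_flows(siem)
    pw = password_only_logins(siem)
    return {
        "patch_sla_pct": round(100 * pct),
        "patch_sla_rag": rag(pct, 0.95, 0.80),
        "exposed_ot_assets": exposed,
        "exposed_rag": rag(len(exposed), 0, 0, higher_is_better=False),
        "it_to_ot_flows": flows,
        "flows_rag": rag(len(flows), 0, 2, higher_is_better=False),
        "password_only_logins": len(pw),
        "mfa_rag": rag(len(pw), 0, 0, higher_is_better=False),
    }


if __name__ == "__main__":
    for key, value in board_metrics().items():
        print(f"{key:22} {value}")
```

On the constructed data the roll-up shows a patch SLA at 50% (red), one internet-exposed OT asset (red), one permitted IT-to-OT Modbus flow that a segmentation policy should not allow (amber), and one password-only jump-host login (red). The value for a board is not the four numbers but that they are recomputed every time the feeds refresh, so a regression between quarterly meetings surfaces within the reporting cadence of the dashboard rather than at the next audit.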

Executive accountability structures tie cyber resilience KPIs to CEO, CIO, and CISO performance agreements. Specific metrics might include Essential Eight Level 3 achievement timelines, OT isolation testing completion, or CIRMP audit remediation rates.

Remuneration consequences for maturity target failures drive behaviour. Personal accountability is the strongest governance lever available to boards.

Board Response Framework

Action | Owner | Timeline | Priority
Seek sector-specific CISC threat briefing | Chair / Board Secretary | Within 30 days | Critical
Commission architectural resilience gap analysis | CIO / CISO | Q1 2026 | Critical
Establish continuous assurance dashboard | CISO → Board | Q2 2026 | High
Conduct full operational crisis simulation | Board / Executive Team | H1 2026 | High
Embed cyber resilience KPIs in executive agreements | Remuneration Committee | Next review cycle | Medium

From Compliance Theatre to Strategic Advantage

Many organisations treat compliance as a checkbox exercise. Australia’s overlapping frameworks (SOCI Act, Essential Eight, IRAP, Privacy Act 1988, APRA CPS 234, Australian Energy Sector Cyber Security Framework) create complex obligations, and the natural response is to pursue minimum viable conformance. That approach misunderstands both the regulatory trajectory and the competitive dynamics.

Regulators are harmonising around outcomes, not processes. The CI Fortify guidance is performance-oriented: demonstrate the capability, regardless of technical architecture. Essential Eight maturity levels focus on control effectiveness, not specific product implementations.

Regulatory excellence creates commercial differentiation. In sectors where critical infrastructure operators compete for contracts, demonstrated cyber maturity is becoming a tender requirement. Government agencies increasingly require Essential Eight compliance, IRAP assessments, or IEC 62443 certification.

Organisations at Enhanced maturity levels access opportunities competitors cannot pursue. Cyber investment transforms from cost centre to revenue enabler.

Early adoption mitigates future disruption. Regulatory requirements will intensify as the threat environment deteriorates. With only 15% of government entities at Essential Eight Level 2, enforcement will accelerate.

Boards that position ahead of the compliance curve avoid rushed implementations, reputational damage, and regulatory penalties that late adopters will face.

The strategic question is not whether to invest, but whether to lead adoption as competitive strategy or lag as defensive necessity.

Questions for Leadership

Have we received a classified threat briefing from ACSC specific to our sector, and do our directors have sufficient security clearances to access this intelligence?

Generic risk assessments are inadequate against state-sponsored actors. CISC Partnership Program provides sector-specific intelligence but requires appropriate clearances.

Can we operate critical functions for 90 days without external connectivity, and what investment is required to achieve the CISC's CI Fortify benchmark?

The October 2025 CI Fortify guidance establishes extended OT isolation scenarios as an operational benchmark requiring capital expenditure only boards can approve.

What is our current Essential Eight maturity level with independent verification, and what is the roadmap to Enhanced (Level 3)?

ASD data shows only 15% of government entities achieve Level 2. Demonstrating maturity progression is essential for regulatory compliance and fiduciary duty.

Who on this board or executive team has operational OT security expertise, and do we need to refresh our composition?

IT security expertise does not translate to OT environments governed by IEC 62443 standards. Boards lacking industrial cybersecurity backgrounds cannot effectively oversee resilience programs.

What are our crisis decision protocols if we detect state-sponsored pre-positioning, including network isolation authority and regulatory notification timelines?

SOCI Act mandatory reporting creates tight timeframes. Boards must pre-authorise crisis response protocols including decision rights and legal counsel engagement before incidents occur.

The Strategic Imperative

ASIO Director-General Burgess's November 2025 warning eliminates the luxury of further analysis. State-sponsored actors are not waiting for Australian boards to complete risk assessments or budget cycles. They are actively pre-positioning, establishing the digital footholds that, in a crisis scenario, could disable critical services Australians depend upon.

For board directors, this creates three immediate imperatives. First, seek a sector-specific threat briefing within 30 days through the CISC's Partnership Program. Generic risk reports are insufficient; boards require intelligence-grade understanding of targeting methodologies relevant to their organisation's technology stack. Second, commission an architectural resilience gap analysis against the 3-month OT isolation benchmark. This is not an IT audit; it is an operational capability assessment. Third, establish personal accountability mechanisms with explicit reporting lines, KPIs, and executive performance implications.

The threat environment has fundamentally changed. Australia's critical infrastructure faces sophisticated, persistent, state-sponsored adversaries with strategic objectives beyond financial gain. Boards that treat this solely as a technology problem risk inadequate response. Those that recognise it as a governance imperative, demanding the same rigour applied to financial controls or workplace safety, will materially strengthen the resilience underpinning Australia's national security. The threshold for high-impact sabotage is approaching. The question facing every critical infrastructure board is simple: when the crisis arrives, will your organisation be positioned as victim or exemplar?

Frequently Asked Questions

What is the difference between Salt Typhoon and Volt Typhoon, and why did ASIO name them specifically?

Salt Typhoon and Volt Typhoon are distinct state-sponsored cyber groups attributed to nation-state actors by Five Eyes intelligence partners, with different operational focuses. Volt Typhoon specialises in living-off-the-land techniques targeting operational technology in critical infrastructure, while Salt Typhoon focuses on telecommunications and data exfiltration. By naming the two groups, consistent with Five Eyes assessments, ASIO signals the severity of the threat and removes the ambiguity that previously allowed boards to claim they lacked sufficient threat intelligence.

Our organisation is not defined as critical infrastructure under the SOCI Act. Do these warnings still apply?

Yes. State-sponsored actors compromise supply chain partners, managed service providers, and interconnected systems to access ultimate targets. Even if not directly regulated, your organisation may provide services to SOCI Act entities, making you a vector for adversary access. Additionally, Essential Eight and Privacy Act obligations apply regardless of critical infrastructure designation, and ransomware attacks from state-affiliated groups affect all sectors indiscriminately.

What is the realistic timeline to achieve 3-month OT isolation capability for organisations with legacy industrial control systems?

Implementation timelines vary by sector and technology stack, but organisations should plan for 18-36 months for comprehensive capability development. This includes technology retrofits, offline operational procedure development, workforce training, and testing cycles. Legacy ICS systems with 20-plus year lifecycles may require staged replacement rather than retrofit, extending timelines and capital requirements significantly beyond initial estimates.

How do we balance the CISC's CI Fortify guidance on extended OT isolation with cloud migration strategies and digital transformation initiatives?

Modern architectures can achieve both through hybrid models: cloud-based IT systems for business operations with physically isolated OT environments for critical controls. The key is ensuring critical functions have offline operational capability while leveraging cloud scalability for non-essential workloads. This requires architectural planning that treats isolation as a design principle, not a constraint retrofit applied after the fact.

What insurance coverage exists for state-sponsored cyber attacks, given many policies exclude acts of war?

Most cyber insurance policies now include war exclusions or hostile nation-state clauses following NotPetya litigation, creating significant coverage gaps for state-sponsored incidents. Boards should assume limited insurance protection for the scenarios ASIO describes. This elevates the importance of preventive controls and operational resilience investments, as financial risk transfer through insurance is increasingly unavailable for state-sponsored threats targeting critical infrastructure.

Engage the Advisors

If your organisation is approaching a significant strategic decision, or questioning the value of current investments, we should talk. Strategic counsel at the right moment can redirect significant capital toward genuine business value.
