ITCSAU - Advising Sovereignty in a Digital Age
Thought Leadership | 10 min read

State-Sponsored Cyber Pre-Positioning: Board Imperatives for Critical Infrastructure Defence

"ASIO's November 2025 warnings on state-sponsored actors targeting Australian infrastructure demand immediate board action. Governance framework inside."

Executive Summary

The Threat: State-sponsored pre-positioning for high-impact sabotage is now an operational reality, not a theoretical risk.

The Benchmark: CISC's CI Fortify guidance (October 2025) establishes scenario-based planning for 90-day OT isolation capability.

The Mandate: Boards must pivot from compliance monitoring to active resilience governance, with personal accountability for cyber readiness.

The Threshold Moment

On November 12, 2025, ASIO Director-General Mike Burgess delivered a warning unprecedented in Australian intelligence history. Speaking with uncharacteristic specificity, Burgess warned of state-sponsored cyber groups—identified by Five Eyes partners as Salt Typhoon and Volt Typhoon—'actively and aggressively mapping' Australian critical infrastructure networks. The objective is not espionage. It is pre-positioning: establishing covert access points that could, in a crisis scenario, disable telecommunications systems, destabilise power grids, disrupt water treatment facilities, or compromise financial transaction networks.

Threat Assessment

Salt Typhoon and Volt Typhoon are actively mapping Australian critical infrastructure networks. The objective is not espionage—it is pre-positioning for potential high-impact sabotage during a future crisis scenario.

Burgess warned that Australia is approaching conditions under which high-impact sabotage becomes feasible. The specificity of this warning is unprecedented. The ASD's Annual Cyber Threat Report 2024-25, released in October, confirmed that critical infrastructure now accounts for an increasing proportion of cyber incidents nationally, with attacks on critical infrastructure more than doubling year-on-year. In a single fiscal year, 138 ransomware events required ACSC response, and 39% of those were proactively identified by ASD before the victims themselves were aware. Meanwhile, the CISC's CI Fortify guidance (October 2025) emphasises scenario-based planning for extended OT isolation (up to 90 days), a technical consideration that translates directly into capital investment, architectural redesign, and crisis planning that only boards can authorise.

For directors and C-suite executives, the calculus has fundamentally changed. This is no longer a theoretical component of scenario planning. It is an operational reality demanding immediate governance response, investment prioritisation, and accountability frameworks commensurate with the threat environment Australia now faces.


Why 2025 Represents an Inflection Point

Three convergent factors make 2025 a watershed moment for critical infrastructure cyber governance in Australia.


First, explicit threat attribution creates legal and fiduciary accountability. ASIO's explicit warnings regarding nation-state actors eliminate the ambiguity that previously shielded boards from shareholder and regulatory scrutiny. When intelligence agencies provide specific, attributable warnings of pre-positioning activities targeting sectors your organisation operates within, failure to respond appropriately may expose directors to heightened regulatory scrutiny under SOCI Act obligations and APRA CPS 234 information security requirements for regulated entities. Directors can no longer claim ignorance of the threat landscape.

Second, regulatory frameworks are accelerating toward measurable operational resilience expectations. The Security of Critical Infrastructure (SOCI) Act expanded to cover 11 critical infrastructure sectors, requiring mandatory incident reporting, risk management programs (CIRMPs), and vulnerability assessments. The CISC's CI Fortify guidance, released October 2025, introduces scenario-based planning for extended OT isolation (up to 90 days)—signalling a shift toward operational resilience benchmarks. Queensland's $40M Cyber Security Strategy 2025-2027, launched following the state's 28% share of national cyber incidents, demonstrates both the scale of vulnerability and political willingness to impose consequences for inadequate preparation.

Third, the technical maturity gap remains dangerously wide. Only 15% of government entities have achieved Essential Eight Maturity Level 2—the baseline standard recommended by ASD for all organisations. If government agencies struggle to meet this threshold, the private critical infrastructure operators they interconnect with face similar challenges. The ASD report notes that 39% of ransomware incidents were proactively identified by ACSC rather than victim organisations—evidence that detection capabilities remain insufficient across the sector.

These three factors—explicit attribution, regulatory acceleration, and capability deficits—create a convergence of board-level accountability pressures. The question is no longer whether to act, but how rapidly and comprehensively leadership can mobilise.

  • 39%: ransomware incidents identified by ASD before victims were aware
  • 15%: government entities at Essential Eight Maturity Level 2
  • 90 days: OT isolation benchmark under CI Fortify


Architectural Resilience: Beyond Network Segmentation

The CISC's CI Fortify guidance (October 2025) on scenario-based planning for extended OT isolation (up to 90 days) represents a fundamental rethinking of critical infrastructure architecture. Traditional network segmentation—dividing IT and OT environments through firewalls and DMZs—is necessary but insufficient against state-sponsored actors who spend months mapping interdependencies before activation.

True isolation capability requires four architectural pillars:

  • Physical and logical separation of control systems

    IEC 62443, now formally adopted as AS/NZS 62443 in Australia, provides the industrial automation security framework. This standard mandates defence-in-depth through network segmentation, secure remote access, and system hardening. For boards, this translates into capital expenditure for legacy system replacement or retrofit—industrial control systems often have 20-30 year lifecycles and were designed without cyber security considerations.

  • Offline operational capability

    Three-month isolation means critical operations must function without external connectivity—no internet, no cloud services, no third-party remote access. This requires local data storage, manual override capabilities, and staff trained to operate in degraded or disconnected modes. The investment extends beyond technology to procedural development and workforce capability building.

  • Supply chain independence

    State-sponsored pre-positioning frequently exploits third-party access. Managed service providers, equipment vendors, and software suppliers all represent potential vectors. Architectural resilience demands vendor risk assessments under the Australian Government's Digital Supply Chain Risk Management framework, potentially requiring contract renegotiation or vendor diversification.

  • Recovery architecture

    Beyond isolation, organisations need forensically sound recovery pathways. This means clean backup environments, tested restoration procedures, and incident response playbooks specific to state-sponsored compromise. Critical infrastructure operators require Essential Eight Enhanced (Level 3) maturity given threat sophistication.

These architectural decisions cannot be delegated to IT departments. They require board approval because they fundamentally reshape operational models, capital allocation, and risk profiles. The board's role is not to design network topologies but to mandate outcomes, allocate resources, and hold executives accountable for delivery against measurable maturity benchmarks.


Governance Models for Crisis-Ready Boards

Traditional cyber governance—quarterly risk reports, annual penetration tests, insurance policy renewals—is structurally inadequate for the state-sponsored pre-positioning threat. Boards require new governance mechanisms that translate intelligence warnings into operational preparedness.

Intelligence-Informed Risk Committees: Best-practice critical infrastructure boards are establishing dedicated subcommittees with direct access to ACSC threat intelligence briefings, CISC guidance updates, and sector-specific Information Sharing and Analysis Centres (ISACs). These committees require directors with sufficient technical literacy to interpret threat indicators and commission proportionate responses. This may necessitate board composition reviews—recruiting directors with OT security, defence, or intelligence backgrounds.

Scenario-Based Crisis Exercises: ASIO's warning of 'high-impact sabotage' demands boards move beyond desktop exercises to full operational crisis simulations. What decisions must the board make in the first 48 hours if SCADA systems are compromised? Who has authority to isolate networks at the cost of operational disruption? How does the organisation communicate with regulators, customers, and markets under the SOCI Act's mandatory reporting timelines? These scenarios should be tested biannually with external red teams, including representation from legal counsel, public relations, and government liaison functions.

Continuous Assurance Frameworks: Quarterly reporting is too slow. Leading organisations are implementing continuous monitoring dashboards that provide boards real-time visibility into Essential Eight maturity levels, OT network anomalies, and third-party access patterns. These systems integrate data from Security Information and Event Management (SIEM) platforms, vulnerability scanners, and configuration management databases, presenting board-consumable metrics on control effectiveness. For APRA-regulated entities under CPS 234, this continuous assurance satisfies information security capability requirements while demonstrating due diligence.
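The roll-up a board dashboard needs from the control data described above is small but easy to get wrong: Essential Eight maturity is not an average, and evidence that is months old should not be credited as current. The following is an added illustration, not code from the article or from any vendor's dashboard product. It applies ASD's published rule that an organisation's overall maturity is the lowest level achieved across all eight strategies, and adds one assumption of its own: assessment evidence older than a configurable age (30 days here, a constructed threshold) is treated as unverified and credited at level 0 for the "verified" figure. The control results are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# The eight mitigation strategies of ASD's Essential Eight.
ESSENTIAL_EIGHT = (
    "application control",
    "patch applications",
    "configure Microsoft Office macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
)


@dataclass(frozen=True)
class ControlResult:
    control: str       # one of ESSENTIAL_EIGHT
    level: int         # maturity level the evidence supports for this strategy, 0..3
    assessed_on: date  # date of the most recent assessment evidence

    def __post_init__(self):
        if self.control not in ESSENTIAL_EIGHT:
            raise ValueError(f"not an Essential Eight strategy: {self.control!r}")
        if not 0 <= self.level <= 3:
            raise ValueError(f"maturity level out of range: {self.level}")


def levels_by_control(results, as_of=None, max_evidence_age_days=None):
    """Map each of the eight strategies to the level it can be credited with.
    A strategy with no result counts as level 0. If max_evidence_age_days is given,
    evidence older than that (relative to as_of) is also credited as 0 (our assumption)."""
    credited = {c: 0 for c in ESSENTIAL_EIGHT}
    for r in results:
        if max_evidence_age_days is not None and (as_of - r.assessed_on).days > max_evidence_age_days:
            continue  # stale evidence: do not credit it
        credited[r.control] = max(credited[r.control], r.level)
    return credited


def overall_maturity(results, **kw):
    """ASD's rule: overall maturity is the lowest level achieved across all eight strategies."""
    return min(levels_by_control(results, **kw).values())


def board_summary(results, target_level, as_of, max_evidence_age_days=30):
    """Board-consumable view: reported vs verified overall level, gaps to target, stale evidence."""
    reported = levels_by_control(results)
    verified = levels_by_control(results, as_of, max_evidence_age_days)
    return {
        "reported_overall": min(reported.values()),
        "verified_overall": min(verified.values()),
        "target": target_level,
        "gaps": [(c, lvl) for c, lvl in reported.items() if lvl < target_level],
        "stale": [c for c in ESSENTIAL_EIGHT if verified[c] < reported[c]],
    }


# Constructed sample assessment data (hypothetical organisation, not from the article).
AS_OF = date(2025, 11, 30)
SAMPLE_RESULTS = (
    ControlResult("application control", 2, date(2025, 11, 20)),
    ControlResult("patch applications", 2, date(2025, 11, 25)),
    ControlResult("configure Microsoft Office macro settings", 3, date(2025, 11, 10)),
    ControlResult("user application hardening", 2, date(2025, 11, 28)),
    ControlResult("restrict administrative privileges", 1, date(2025, 11, 29)),
    ControlResult("patch operating systems", 2, date(2025, 11, 26)),
    ControlResult("multi-factor authentication", 2, date(2025, 11, 27)),
    ControlResult("regular backups", 3, date(2025, 9, 1)),  # last restore test three months ago
)


if __name__ == "__main__":
    summary = board_summary(SAMPLE_RESULTS, target_level=2, as_of=AS_OF)
    print(f"Reported overall maturity: Level {summary['reported_overall']} (target Level {summary['target']})")
    print(f"Verified overall maturity: Level {summary['verified_overall']}")
    for control, level in summary["gaps"]:
        print(f"  gap: {control} at Level {level}")
    for control in summary["stale"]:
        print(f"  stale evidence: {control}")
```

The point the numbers make for a board: a single strategy sitting at Level 1 drags the whole organisation to Level 1 however strong the other seven are, and a backup control whose last restore test is three months old should be reported as unverified rather than quietly carried forward at Level 3. Feeding this from SIEM, scanner and CMDB exports rather than a hand-built tuple is the integration work the article refers to; the roll-up logic does not change.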

Executive Accountability Structures: Personal accountability drives behaviour. Boards should establish explicit cyber resilience KPIs in CEO, CIO, and CISO performance agreements, with remuneration consequences for maturity target failures. This might include Essential Eight Level 3 achievement timelines, OT isolation testing completion, or CIRMP audit findings remediation rates. The objective is ensuring cyber resilience receives the same executive priority as financial performance or safety records.

The Queensland Government's $40M investment includes dedicated cyber coordinator roles—recognition that fragmented responsibilities create accountability gaps. Private sector boards should consider similar structural reforms: Chief Resilience Officers with cross-functional authority, or elevating CISO reporting lines directly to the board rather than through technology functions.


From Compliance Theatre to Strategic Advantage

Australia's regulatory framework—SOCI Act, Essential Eight, IRAP, Privacy Act 1988, APRA CPS 234, Australian Energy Sector Cyber Security Framework (AESCSF)—creates complex, overlapping obligations. Many organisations treat compliance as a check-box exercise, pursuing minimum viable conformance. This approach misunderstands both the regulatory trajectory and competitive dynamics.

Regulators are harmonising around outcomes, not processes. The CISC's CI Fortify guidance (October 2025) is performance-oriented: demonstrate the capability, regardless of technical architecture. Similarly, Essential Eight maturity levels focus on control effectiveness, not specific product implementations. This outcomes orientation rewards organisations that embed resilience into operational design rather than retrofitting compliance onto legacy infrastructure. Forward-looking boards position cyber resilience investments as operational excellence programs that happen to satisfy regulatory requirements, rather than compliance costs.

Regulatory excellence creates commercial differentiation. In sectors where critical infrastructure operators compete for contracts—energy retail, telecommunications, logistics—demonstrated cyber maturity is becoming a tender requirement. Government agencies increasingly require vendors to evidence Essential Eight compliance, IRAP assessments, or IEC 62443 certification. Organisations achieving Enhanced maturity levels gain access to opportunities competitors cannot pursue. This transforms cyber investment from cost centre to revenue enabler.

Early adoption mitigates future disruption. Regulatory requirements will only intensify as the threat environment deteriorates. Organisations that achieve compliance early avoid the rushed, costly implementations their peers will face under compressed timelines. ASD's observation that only 15% of government entities meet Essential Eight Level 2 suggests regulatory enforcement will eventually accelerate. Boards that position their organisations ahead of the compliance curve avoid the operational disruption, reputational damage, and regulatory penalties late adopters will experience.

The strategic question for boards is not whether to invest in compliance, but whether to lead regulatory adoption as a competitive strategy or lag as a defensive necessity. Given ASIO's explicit warnings and the CISC's CI Fortify guidance, the strategic advantage accrues to leaders, not laggards.


The Boardroom Imperative: Action Over Analysis

ASIO Director-General Burgess's November 2025 warning eliminates the luxury of further analysis. State-sponsored actors are not waiting for Australian boards to complete risk assessments or budget cycles. They are actively pre-positioning—establishing the digital footholds that, in a crisis scenario, could disable critical services Australians depend upon.

For board directors, this creates three immediate imperatives:

First, seek a sector-specific threat briefing within 30 days. Engage ACSC through the CISC's Partnership Program for a classified threat briefing specific to your sector and operational footprint. Generic risk reports are insufficient; boards require intelligence-grade understanding of the Salt Typhoon and Volt Typhoon tradecraft, targeting methodologies, and indicators of compromise relevant to their organisation's technology stack.

Second, commission an architectural resilience gap analysis against the 3-month OT isolation benchmark. This is not an IT audit—it is an operational capability assessment. Can your organisation maintain critical functions for 90 days without internet connectivity, cloud services, or vendor remote access? What capital investments, procedural changes, and workforce training are required to achieve this capability? What is the implementation timeline and cost?

Third, establish personal accountability mechanisms. Cyber resilience cannot remain a technology function responsibility when the consequences of failure include operational shutdown, regulatory penalties under the SOCI Act, reputational destruction, and potential director liability. Board committees must own cyber resilience outcomes, with explicit reporting lines, KPIs, and executive performance implications.
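The gap analysis in the second imperative, and the "offline operational capability" and "supply chain independence" pillars in the Architectural Resilience section above, both come down to the same question per critical function: once every internet, cloud and vendor remote-access link is cut, how many days does it keep running, and which dependency is the first to fail? The block below is an added illustration of that analysis, not code from the article, CISC or any vendor. The 90-day benchmark is the figure the article cites; the water-utility functions, their dependencies and the fallback durations (for example a 30-day licence grace period) are constructed sample data, and the idea of giving each external dependency a time-bounded fallback is our own modelling assumption.

```python
import math
from dataclasses import dataclass

# Benchmark taken from the article (CI Fortify extended OT isolation scenario).
ISOLATION_BENCHMARK_DAYS = 90

# Dependency kinds that disappear when the OT environment is cut off from the outside.
EXTERNAL_KINDS = {"internet", "cloud", "vendor_remote"}
ALL_KINDS = EXTERNAL_KINDS | {"local"}


@dataclass(frozen=True)
class Dependency:
    name: str
    kind: str                   # "local", "internet", "cloud" or "vendor_remote"
    fallback_days: float = 0    # days the function keeps running after this link is cut
                                # (0 = no fallback, math.inf = a local fallback covers it indefinitely)

    def __post_init__(self):
        if self.kind not in ALL_KINDS:
            raise ValueError(f"unknown dependency kind: {self.kind!r}")


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    dependencies: tuple  # tuple of Dependency


def isolated_runtime_days(fn):
    """Return (days, binding_dependency): how long the function survives with every external
    link cut, and which external dependency sets that limit (None if nothing external limits it).
    Local dependencies never constrain the result."""
    days, binding = math.inf, None
    for dep in fn.dependencies:
        if dep.kind not in EXTERNAL_KINDS:
            continue
        if dep.fallback_days < days:
            days, binding = dep.fallback_days, dep.name
    return days, binding


def isolation_gap_report(functions, benchmark_days=ISOLATION_BENCHMARK_DAYS):
    """One row per critical function, showing whether it meets the isolation benchmark."""
    rows = []
    for fn in functions:
        days, binding = isolated_runtime_days(fn)
        rows.append({
            "function": fn.name,
            "isolated_days": days,
            "meets_benchmark": days >= benchmark_days,
            "binding_dependency": binding,
            "shortfall_days": max(0, benchmark_days - days),  # 0 when unbounded
        })
    return rows


def failing_functions(report):
    """Names of the functions that cannot sustain the benchmark, sorted for stable reporting."""
    return sorted(r["function"] for r in report if not r["meets_benchmark"])


# Constructed sample inventory (hypothetical water-utility functions; not from the article).
SAMPLE_FUNCTIONS = (
    CriticalFunction("Chemical dosing control", (
        Dependency("Dosing PLC", "local"),
        Dependency("Local process historian", "local"),
        # OEM remote support is external, but on-site engineers can cover faults indefinitely.
        Dependency("Pump OEM remote support", "vendor_remote", fallback_days=math.inf),
    )),
    CriticalFunction("SCADA alarm management", (
        Dependency("SCADA server", "local"),
        # Alarm analytics is a SaaS product with no local console: alarming stops when the link drops.
        Dependency("SaaS alarm analytics", "cloud", fallback_days=0),
    )),
    CriticalFunction("Operator HMI", (
        Dependency("HMI workstations", "local"),
        # Licence check-in over the internet; the licence grace period is 30 days (constructed value).
        Dependency("HMI licence server check-in", "internet", fallback_days=30),
    )),
    CriticalFunction("Backup power switching", (
        Dependency("Transfer switch controller", "local"),
    )),
)


if __name__ == "__main__":
    for row in isolation_gap_report(SAMPLE_FUNCTIONS):
        status = "OK " if row["meets_benchmark"] else "GAP"
        print(f"{status} {row['function']:<26} {row['isolated_days']:>6} days  "
              f"limited by: {row['binding_dependency']}")
```

Read as a board artefact, the report answers the three questions in the imperative directly: which functions fail the 90-day scenario, what the binding dependency is (so the remediation is a local alarm console or a licence arrangement, not a generic "improve OT security"), and how far short each one falls. Running the same report with a shorter benchmark shows which gaps are near-term and which need the staged replacement the FAQ below describes.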

The threat environment has fundamentally changed. Australia's critical infrastructure faces sophisticated, persistent, state-sponsored adversaries with strategic objectives beyond financial gain. Boards that treat this solely as a technology problem risk inadequate response. Those that recognise it as a governance imperative—demanding the same rigour applied to financial controls, workplace safety, or environmental compliance—will materially strengthen the resilience underpinning Australia's national security.

The threshold for high-impact sabotage is approaching. The question facing every critical infrastructure board is simple: when the crisis arrives, will your organisation be positioned as victim or exemplar?


Questions for Leadership

Question: Have we received a classified threat briefing from ACSC specific to our sector, and do our directors have sufficient security clearances to access this intelligence?
Why it matters: Generic risk assessments are inadequate against state-sponsored actors. The CISC Partnership Program provides sector-specific intelligence on Salt Typhoon and Volt Typhoon tactics, but requires appropriate clearances and formal engagement protocols that boards must authorise.

Question: Can we operate critical functions for 90 days without external connectivity, and what investment is required to achieve the CISC's CI Fortify guidance (October 2025) on extended OT isolation?
Why it matters: The CISC's October 2025 CI Fortify guidance establishing extended OT isolation scenarios provides an operational benchmark. Achieving this capability requires capital expenditure for system retrofits, offline operational procedures, and workforce training that only boards can approve; timeline and cost must inform strategic planning.

Question: What is our current Essential Eight maturity level with independent verification, and what is the roadmap to Enhanced (Level 3) given only 15% of government entities achieve Level 2?
Why it matters: ASD data shows widespread failure to meet baseline security standards. For critical infrastructure under SOCI Act obligations and APRA-regulated entities under CPS 234, demonstrating maturity progression with independent assessment evidence is essential for regulatory compliance and fiduciary duty satisfaction.

Question: Who on this board or executive team has operational OT security expertise, and do we need to refresh our composition to address industrial control system vulnerabilities?
Why it matters: IT security expertise does not translate to OT environments governed by IEC 62443 standards. State-sponsored actors specifically target SCADA, DCS, and ICS systems. Boards lacking directors with industrial cybersecurity backgrounds may be unable to effectively oversee resilience programs or challenge management assumptions.

Question: What are our crisis decision protocols if we detect state-sponsored pre-positioning, including network isolation authority, regulatory notification timelines, and stakeholder communication strategies?
Why it matters: SOCI Act mandatory reporting creates tight timeframes for regulatory notification. Decisions to isolate networks cost revenue but may prevent wider compromise. Boards must pre-authorise crisis response protocols, including decision rights, legal counsel engagement, and public disclosure strategies, before incidents occur.

Frequently Asked Questions

What is the difference between Salt Typhoon and Volt Typhoon, and why did ASIO name them specifically?

Salt Typhoon and Volt Typhoon are distinct state-sponsored cyber groups attributed to nation-state actors by Five Eyes intelligence partners, with different operational focuses. Volt Typhoon specialises in 'living off the land' techniques targeting operational technology in critical infrastructure, while Salt Typhoon focuses on telecommunications and data exfiltration. ASIO's decision to reference activity aligned with Five Eyes assessments signals the threat severity and eliminates ambiguity that previously allowed boards to claim insufficient threat intelligence.

Our organisation isn't defined as 'critical infrastructure' under the SOCI Act—do these warnings still apply?

Yes. State-sponsored actors compromise supply chain partners, managed service providers, and interconnected systems to access ultimate targets. Even if not directly regulated, your organisation may provide services to SOCI Act entities, making you a vector for adversary access. Additionally, Essential Eight and Privacy Act obligations apply regardless of critical infrastructure designation, and ransomware attacks affect all sectors.

What is the realistic timeline to achieve 3-month OT isolation capability for organisations with legacy industrial control systems?

Implementation timelines vary by sector and technology stack, but organisations should plan for 18-36 months for comprehensive capability development. This includes technology retrofits, offline operational procedure development, workforce training, and testing cycles. Legacy ICS systems with 20+ year lifecycles may require staged replacement rather than retrofit, extending timelines and capital requirements significantly.

How do we balance the CISC's CI Fortify guidance (October 2025) on extended OT isolation with cloud migration strategies and digital transformation initiatives?

Modern architectures can achieve both through hybrid models: cloud-based IT systems for business operations with physically isolated OT environments for critical controls. The key is ensuring critical functions have offline operational capability while leveraging cloud scalability for non-essential workloads. This requires architectural planning that treats isolation as a design principle, not a constraint retrofit.

What insurance coverage exists for state-sponsored cyber attacks, given many policies exclude 'acts of war'?

Most cyber insurance policies now include war exclusions or 'hostile nation-state' clauses following NotPetya litigation, creating significant coverage gaps for state-sponsored incidents. Boards should assume limited insurance protection for the scenarios ASIO describes. This elevates the importance of preventive controls and operational resilience investments, as financial risk transfer through insurance is increasingly unavailable for state-sponsored threats.


References

  • Australian Signals Directorate, Annual Cyber Threat Report 2024-25, October 2025
  • ASIO Director-General Mike Burgess, Annual Threat Assessment Address, November 2025
  • Critical Infrastructure Security Centre, CI Fortify Guidance, October 2025
  • Security of Critical Infrastructure Act 2018 (Cth), as amended
  • APRA Prudential Standard CPS 234: Information Security
  • Standards Australia, AS IEC 62443 Series (Industrial Automation Security), July 2025
  • Queensland Government, Cyber Security Strategy 2025-2027, December 2025

Engage the Advisors

If your organisation is approaching a significant strategic decision—or questioning the value of current investments—we should talk. Strategic counsel at the right moment can redirect significant capital toward genuine business value.
