Australia issues new CI Fortify guidance to protect critical infrastructure from cyber threats

The Critical Infrastructure (CI) Fortify framework, published on 13 October 2025 by the Australian Signals Directorate, urges operators of essential services to identify and isolate vital operational technology systems and maintain trusted offline backups.

The Australian Signals Directorate (ASD) has released new guidance for operators of critical infrastructure (CI) aimed at strengthening resilience against growing cyber threats. The document, titled Critical Infrastructure (CI) Fortify, was published on 13 October and targets large organisations and government entities managing operational technology (OT) and essential services.

The guidance outlines a framework to help CI operators withstand and recover from severe cyber incidents. It calls for updated inventories of OT assets, identification of vital systems, and the ability to isolate key networks from external connections for up to three months. Operators are also advised to develop the capacity to rebuild essential systems rapidly using trusted offline backups.

According to ASD, the guidance responds to escalating risks from both state-sponsored actors and criminal groups. These actors are increasingly targeting critical systems, such as energy grids, transport networks, and water supply facilities, for espionage, sabotage, or extortion. The agency warns that compromise of such systems could lead to major service disruptions or even physical harm.

The document notes that operational technology has become a prime target over the past decade, citing incidents such as the 2010 Stuxnet attack on Iran’s nuclear facilities, the 2016 Industroyer malware in Ukraine, and the 2021 Colonial Pipeline breach in the United States. ASD says these examples demonstrate how IT and OT networks are now deeply intertwined, and how disruption in one can cascade into the other.

CI systems in Australia often rely on legacy technology and complex supply chains, many of which were not originally designed with cybersecurity in mind. ASD cautions that such dependencies expand the attack surface and expose national infrastructure to systemic vulnerabilities.

The guidance advises operators to take three preparatory steps before implementation: maintain a complete inventory of OT assets, identify which systems are essential to sustaining critical services, and map out points where isolation can be safely applied. These measures, it says, form the foundation for a robust resilience plan.

Among the practical recommendations are two main “planned actions”:

  1. Isolate vital OT systems: CI operators should be able to disconnect critical systems from external networks and third parties for a period of up to three months while continuing to provide essential services.
  2. Rebuild rapidly: Organisations should maintain secure offline backups and spare equipment to allow quick restoration of essential functions after an incident.

ASD acknowledges that isolation may disrupt normal business processes but stresses that continuity of critical services must take priority. The guidance encourages a ‘graduated plan’ for isolation that allows operators to adjust their posture as threats evolve.

In its concluding section, the document highlights the broader benefits of proactive preparation: increased long-term stability, reduced recovery costs, and improved crisis response across both cyber and physical incidents. ASD’s Director-General reiterated that strengthening resilience is now an urgent national security priority, as foreign interference and cyberespionage continue to rise.


Background
The CI Fortify framework complements Australia’s existing cyber defence measures, including the Essential Eight mitigation strategies and the Information Security Manual. It builds on the 2025 Annual Threat Assessment by the Australian Security Intelligence Organisation (ASIO), which classified espionage and foreign interference risks as “extreme” and likely to intensify.