When Your Network Goes Down, the Lights Go Out

Governing body

Cyber and Infrastructure Security Centre (CISC), Department of Home Affairs

homeaffairs.gov.au / cisc.gov.au

What it requires

The SOCI Act designates electricity, gas and water as critical infrastructure sectors and imposes obligations on responsible entities for assets that meet the threshold criteria. Obligations include maintaining and annually attesting to a Critical Infrastructure Risk Management Programme (CIRMP) covering cyber, physical, supply-chain and personnel hazards; mandatory cyber incident reporting within 12 hours (significant incidents) and 72 hours (relevant incidents) to the ASD/ACSC; and system of national significance (SoNS) obligations for the most critical assets. CIRMP compliance was required from August 2024 and the first board-signed annual reports were due September 2024

Applies to

All responsible entities for critical infrastructure assets in the electricity, gas and water sectors.

Consequence of non-compliance

Failure to maintain a compliant CIRMP carries a civil penalty of 200 penalty units under s.30AB — currently up to $330,000 for a body corporate — with a separate 150 penalty unit penalty (up to $234,750) for failing to lodge the annual report

Governing body

Australian Energy Market Operator (AEMO), in collaboration with the ASD/ACSC and CISC

aemo.com.au/initiatives/major-programs/cyber-security

What it requires

The AESCSF is the primary framework used to demonstrate SOCI Act CIRMP compliance for energy sector participants. It is structured across 11 domains and 37 subdomains encompassing 282 requirements, and uses Security Profiles (SP-1 to SP-3) to set target maturity states based on entity criticality. From August 2024, the AESCSF was formally recognised as an approved framework under CIRMP Rules Section 8. The 2026 AESCSF Programme assessment portal is currently open (March–May 2026).

Applies to

Entities include electricity generators, distributors, retailers, gas networks and liquid fuels operators.

Consequence of non-compliance

Failure to demonstrate AESCSF compliance equivalent to the applicable Security Profile constitutes a CIRMP breach.

Governing body

ASD/ACSC, Department of Home Affairs

What it requires

Ransomware payment reporting obligations commenced 30 May 2025 for all SOCI-regulated entities. Mandatory IoT security standards for smart devices supplied to critical infrastructure operators commenced 4 March 2026. 

Applies to

All critical infrastructure entities including electricity, gas and water operators

Reference

cyber.gov.au

Governing body

Office of the Australian Information Commissioner (OAIC) oaic.gov.au

What it requires

All utilities with annual turnover above $3 million must notify the OAIC and affected individuals of eligible data breaches involving personal information likely to cause serious harm. This obligation sits alongside the SOCI Act incident reporting obligation — a single incident may trigger both.

Governing body

Australian Signals Directorate (ASD)

What it requires

The Essential Eight Maturity Model is the de facto cybersecurity baseline for Australian organisations and is incorporated by reference into the AESCSF. It is increasingly required by insurers and procurement frameworks. For utilities operating across both IT and OT environments, applying the Essential Eight requires OT-aware adaptation — particularly around patching, application control and macro settings in environments where standard patch cycles are not operationally feasible.

Reference

cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight

The connectivity challenge for utilities is fundamentally different from that facing most enterprise sectors. Assets are dispersed across geographically diverse and often remote locations — substations, pumping stations, water treatment facilities, remote monitoring sites, control rooms and field operations that may be separated by hundreds of kilometres. Each site has different connectivity options, different latency tolerances and different criticality to operational continuity. A connectivity architecture that works for a metropolitan data centre doesn’t work for a regional substation, and solutions designed for enterprise environments are frequently inadequate for the reliability standards utilities require.

Orro designs and manages purpose-built network architectures for utility operations, combining SD-WAN, SASE, managed connectivity and private wireless where the asset density and geography warrant it. As one of a small number of organisations in Australia to hold private spectrum, Orro can deploy private LTE networks for utility sites that require secure, high-capacity wireless connectivity independent of public carrier infrastructure — particularly relevant for distributed assets, industrial campuses and remote monitoring environments where public cellular coverage is unreliable or its use introduces unacceptable security risk.

Network segmentation is built into the architecture from the ground up. IT and OT environments are separated by design, with traffic policies that enforce the boundaries between corporate networks and operational systems. Failover and redundancy configurations ensure that a connectivity failure at a single site does not cascade into broader operational disruption, and out-of-band management capability ensures that network issues can be diagnosed and resolved without requiring physical attendance at site.

Outcome: Resilient, segmented connectivity across utility sites — from urban distribution infrastructure to remote field assets — with the reliability and latency characteristics that operational continuity demands.

Utilities face a threat profile that demands more than conventional cybersecurity controls. State-sponsored actors pre-positioning in OT environments, ransomware operators targeting operational systems for maximum leverage, and the persistent exposure created by legacy infrastructure that cannot be patched on standard cycles — these are not problems that periodic vulnerability scans or annual penetration tests will adequately address.

Orro’s National Cyber Defence Centre (NCDC) provides 24/7 security monitoring with OT-aware threat detection for utility environments. Unlike security operations capabilities built primarily for enterprise IT, Orro’s monitoring extends into OT environments, with detection logic calibrated to the specific traffic patterns, protocols and behavioural baselines of industrial control systems. This matters: the “living off the land” techniques used by groups like Volt Typhoon are specifically designed to evade signature-based detection by using legitimate system tools and credentials. Detecting them requires behavioural analysis, persistent monitoring and threat intelligence that understands the sector.

Orro’s Continuous Threat Exposure Management (CTEM) service moves beyond point-in-time assessment to provide continuous visibility of the exposure surface across both IT and OT environments. Rather than producing a list of vulnerabilities ranked by technical severity, CTEM identifies and prioritises exposures based on actual exploitability and operational impact — factoring in the specific constraints of OT environments where not everything can be patched and not all remediation options are equal. This approach enables utilities to manage their risk on a continuous basis against the AESCSF domains and the Essential Eight maturity requirements, rather than treating compliance as an annual exercise.

Identity and access management for operational environments, network segmentation validation, incident detection and response, and vulnerability management across the full IT/OT stack complete the cybersecurity picture for utility clients.

Outcome: Continuous, OT-aware security monitoring and exposure management that keeps pace with the threat landscape — not a snapshot of security posture taken once a year.

The move to cloud-hosted and hybrid infrastructure is well underway in the utilities sector, driven by operational analytics, asset performance management, digital twin platforms and the data requirements of the energy transition. Managing that transition without introducing new security risk or disrupting operational systems requires architecture and engineering capability that understands both the regulatory constraints of critical infrastructure environments and the specific performance requirements of operational applications.

Orro designs and manages hybrid cloud architectures for regulated environments, applying security controls appropriate to the sensitivity of operational data and the compliance obligations utilities must meet. Secure data transport between field assets, operational systems and cloud platforms — including appropriate encryption, access controls and logging — ensures that the connectivity layer does not become the weakest link in an otherwise well-engineered cloud deployment.

For utilities undergoing significant transformation programmes — digitising metering infrastructure, deploying operational analytics platforms, integrating distributed energy resources — Orro provides the managed cloud and application performance capabilities to ensure these programmes succeed without compromising operational continuity. Disaster recovery and business continuity designs are built to the availability standards that utility regulators and communities expect, not to generic enterprise SLAs.

Outcome: Secure, high-availability cloud and application environments built to the specific compliance and operational requirements of Australian utilities — not adapted from generic enterprise designs.

This is the section of Orro’s capability that matters most for utilities, and where the sector’s risk is most concentrated. Operational technology in the energy and water sectors — industrial control systems, SCADA platforms, distributed control systems, RTUs, PLCs and the field devices connected to them — represents both the core of what utilities protect and the environment least well served by conventional IT security approaches.

Orro brings genuine OT security capability to utility environments: asset discovery and inventory across OT networks, network visibility and segmentation analysis, OT-specific monitoring and anomaly detection, and the architectural expertise to design security controls that work within the operational constraints of industrial environments. Orro’s capability extends to the full OT security stack — from network architecture and segmentation through to monitoring, incident response and AESCSF compliance alignment.

The Orro OT Security Operations Centre (OT SOC) extends 24/7 monitoring into industrial environments, with detection capabilities tuned for OT protocols and industrial control system behaviour. Orro also supports utilities in meeting SOCI Act CIRMP obligations as they relate to OT — including asset scoping, risk management programme development, and the AESCSF assessment and attestation process. The Orro team understands that in an OT environment, the question is never simply “can we patch this?” — it is “how do we manage the exposure while maintaining operational continuity?” That framing shapes every recommendation Orro makes in a utility engagement.

Outcome: Comprehensive OT security visibility, monitoring and risk management across the full industrial environment — purpose-built for utilities, compliant with AESCSF and SOCI Act requirements.

The operational demands on utilities don’t pause while technology teams work through security uplift programmes or infrastructure transitions. Orro’s managed services model is designed to extend the operational capacity of utility technology teams — providing the monitoring, management and expertise that keeps networks, security and cloud environments performing to the standards that critical infrastructure requires.

One Touch Control, Orro’s proprietary network management platform, provides unified multi-vendor, multi-carrier visibility and management across a utility’s full network estate — from enterprise connectivity through to site-level links serving substations, treatment plants and field operations. The platform normalises data across carriers and vendors into a single operational view, enabling proactive identification and resolution of issues before they affect operational continuity. For utilities managing connectivity across dozens or hundreds of sites with different infrastructure types and carrier relationships, this visibility is not a convenience — it is operationally critical.

Orro’s proactive monitoring approach means that the majority of issues are identified and resolved before they generate an outage or an incident report. The Australia Post relationship — where Orro manages 4,000+ sites with an 80% proactive ticket management rate and a 43% reduction in critical incidents — demonstrates the scale and maturity of Orro’s managed services capability. The metrics differ by sector and environment, but the operational discipline is the same.

Australian-owned with Australian-based support escalation and 24/7 global operations capability, Orro provides the continuity assurance that utility operators need from a managed services partner — including the escalation path to senior technical and engineering resources when critical infrastructure events require it.

Outcome: Unified operational visibility and proactive managed services that reduce incident frequency, accelerate resolution and free utility technology teams to focus on strategic priorities rather than reactive infrastructure management.

If your organisation is responsible for a critical infrastructure asset in the electricity, gas or water sector, you are required to maintain a written Critical Infrastructure Risk Management Programme (CIRMP) addressing cyber, physical, supply-chain and personnel hazards. The CIRMP must be approved by your board, and an annual attestation report must be submitted each September. You must also demonstrate compliance with an approved cybersecurity framework — for energy operators, the AESCSF is the primary option. Mandatory cyber incident reporting obligations apply: significant incidents must be reported to the ASD/ACSC within 12 hours and relevant incidents within 72 hours. Failure to maintain a compliant CIRMP carries a civil penalty of 200 penalty units under section 30AB of the SOCI Act — currently up to $330,000 for a body corporate — and the CISC has signalled an increasingly firm compliance posture.

The Australian Energy Sector Cybersecurity Framework (AESCSF) is developed by AEMO in collaboration with the ASD/ACSC and CISC. It provides a structured maturity model across 11 domains covering risk management, asset management, OT architecture, incident response, supply chain and other areas — mapped to the NIST Cybersecurity Framework and the Essential Eight. It applies to electricity generators, distributors and retailers, gas networks and liquid fuels operators. Since August 2024, it has been a formally recognised framework under the SOCI Act CIRMP Rules. The 2026 AESCSF Programme assessment portal is open March–May 2026.

The answer is sequenced and non-disruptive. The starting point is visibility — mapping what OT assets exist, how they are networked, and what the current traffic patterns look like between IT and OT environments. Network segmentation can then be validated and tightened, with firewall rules and access controls enforcing the boundary between enterprise systems and industrial systems. Where legacy OT devices cannot be patched or updated, compensating controls — including network monitoring tuned to OT protocols and strict access management — provide the risk management layer. The goal is not to lock down OT to the point where operational staff cannot do their jobs; it is to ensure that lateral movement from a compromised IT environment cannot reach operational systems.

Yes. The ASIO Director-General confirmed in November 2025 that groups including Volt Typhoon and Salt Typhoon — linked to Chinese state intelligence — had been probing Australian critical infrastructure, including utilities. The ASD/ACSC’s Annual Cyber Threat Report 2024–25 confirmed that notifications to critical infrastructure entities of potentially malicious cyber activity increased 111% in FY2024–25, with the ACSC notifying critical infrastructure entities more than 190 times. These actors do not use obvious malware — they use legitimate credentials and built-in system tools, moving slowly through networks over months or years while preserving the option to trigger disruption at a strategic moment.

CTEM replaces the periodic point-in-time assessment model with continuous visibility of the exposure surface across both IT and OT environments. For utilities, this is particularly important because the exposure landscape changes constantly — new devices are connected, firmware versions change, network configurations are modified, and the threat intelligence picture shifts. CTEM identifies and prioritises exposures based on actual exploitability and operational impact rather than technical severity scores, which means it accounts for the specific constraints of OT environments. The output is a continuously maintained risk picture that underpins both security operations decisions and AESCSF compliance reporting.

The architecture needs to match the geography. Urban and suburban sites with existing fibre or carrier Ethernet infrastructure have different options from a remote pumping station or a rural substation. SD-WAN provides centralised management, traffic prioritisation and failover capability across a mixed connectivity estate. Private LTE is increasingly viable for industrial campuses and distributed assets where public carrier coverage is unreliable or its security characteristics are unacceptable for OT connectivity. In genuinely remote locations, satellite connectivity has improved significantly and is now operationally viable for telemetry and monitoring applications. Orro designs architectures that combine these technologies based on the operational requirements and risk tolerances of each site.

The SOCI Act has already resolved part of this question by making board sign-off on CIRMP mandatory. But compliance is a floor, not a ceiling. The board-level question is whether the organisation has genuine, continuous visibility of its exposure across both IT and OT environments — not just annual attestations that last year’s controls were in place. The shift the ASD/ACSC and AEMO are both encouraging is from periodic compliance checking to continuous exposure management, with risk reported to the board on a basis that reflects the actual threat environment. A board that understands where its critical OT systems sit relative to its enterprise network, and what controls exist at that boundary, is better positioned to make the risk appetite decisions that the SOCI Act now requires of them.

The risk is that the separation exists on paper but not in practice. The IT/OT convergence that has happened over the past decade — remote monitoring, digital metering, enterprise integration with operational platforms — has already connected these environments in ways that traditional governance structures haven’t caught up with. State-sponsored actors are explicitly targeting enterprise IT environments as the pathway to OT. If your security operations, your monitoring, and your incident response are calibrated only to enterprise IT, you have a visibility gap that covers the most operationally critical part of your environment.

Orro is an Australian-owned company with Australian-based account management and support escalation. First-line network support includes globally distributed capability, but escalation to senior engineering and account management resources is Australian-based. For critical infrastructure clients with specific data sovereignty or security requirements around who can access network management and security platforms, this is a material consideration. Orro’s National Cyber Defence Centre is Australian-operated.