When the Cyber Threat Becomes Physical: What the OT Cyber Resilience Summit Told Us About the Road Ahead

By Stu Long, Chief Technology Officer, Orro

Earlier this month, I had the opportunity to join a room full of operational technology (OT) security practitioners, engineers, and executives at the OT Cyber Resilience Summit in Melbourne. We were there alongside our partner Claroty — and next door to our colleagues at Fortinet, with whom we collaborate closely on OT security architecture and response. Over the course of a roundtable session, we covered ground that I think deserves a wider audience.

This isn’t a recap. The conversation we had in that room was substantive enough that I want to share the substance of it — because the themes we discussed matter to anyone responsible for keeping critical infrastructure running safely.

The nature of the threat has changed

The most important thing to understand about modern OT attacks is that they are no longer primarily about data. For most of the last decade, the dominant threat model in cybersecurity was theft or extortion: get in, take something valuable, get paid. That model still exists, but it has been joined by something more serious: the deliberate disruption of physical operations.

The incidents that defined the recent threat landscape — Colonial Pipeline, the Oldsmar water treatment facility intrusion, the confirmed pre-positioning of adversaries like Volt Typhoon inside US energy, water, and transport infrastructure — all share a common characteristic. The attack didn’t stay in the digital domain. The impact crossed into the physical world: fuel shortages, the attempted manipulation of chemical dosing systems to dangerous levels, persistent access designed to enable future disruption at a time of geopolitical conflict.

The data supports this shift. According to Waterfall Security’s 2025 OT Cyber Threat Report, the number of sites suffering physical consequences from cyberattacks grew by 146% in 2024 — from 412 sites to more than 1,000. The number of attacks didn’t grow proportionally; what grew was the blast radius of each one. Nation-state attacks with physical consequences tripled over the same period.

This is no longer a theoretical risk category. It is an operational reality.

Evidence Snapshot

146% — Increase in sites suffering physical consequences from cyberattacks in 2024, rising from 412 to 1,015 sites globally. (Waterfall Security / ICS STRIVE, 2025 OT Cyber Threat Report)

3x — Increase in nation-state attacks with confirmed physical consequences in 2024. (Waterfall Security / ICS STRIVE, 2025 OT Cyber Threat Report)

AI is changing the economics of attack

One theme that generated significant discussion at the roundtable was the role of AI in lowering the barrier to sophisticated OT attacks.

The concern isn’t science-fiction scenarios about autonomous malware. The practical reality is more prosaic and more dangerous: AI tools are being used to automate the search for known vulnerabilities across industrial environments at a speed and scale that simply wasn’t possible before.

The numbers tell the story. In 2025, attackers began scanning for new vulnerabilities within 15 minutes of a CVE publication, with 50–60% of new vulnerabilities weaponised within 48 hours of disclosure. For context, the average time organisations take to patch critical OT vulnerabilities remains 15–30 days. That gap — between the moment a vulnerability becomes public knowledge and the moment an organisation can address it — is where OT environments are most exposed.

This matters because OT environments typically run protocols that were designed decades ago for closed, serial networks: Modbus TCP, EtherNet/IP, BACnet. These protocols carry no encryption and require no authentication. They were never intended to traverse wide-area networks, but business integration requirements have made that connectivity necessary. Today, knowledge of these protocols and their weaknesses is no longer confined to plant engineers — it’s searchable, scriptable, and increasingly automated.

Evidence Snapshot

15 minutes — Time within which attackers now begin scanning for newly disclosed vulnerabilities after CVE publication. Average time-to-patch for critical OT vulnerabilities: 15–30 days. (Cydome Maritime Cyber Report, 2025)

The regulatory environment has shifted — permanently

For organisations operating critical infrastructure in Australia, this threat landscape intersects with a compliance environment that has fundamentally changed in the past 18 months.

The Security of Critical Infrastructure Act (SOCI Act), and its 2024 amendments through the Enhanced Response and Prevention Act, have moved the obligations of critical infrastructure operators from voluntary guidance to legislated requirement. The Critical Infrastructure Risk Management Program (CIRMP) — now mandated across 11 sectors including energy, water, transport, and telecommunications — requires organisations to demonstrate documented, board-approved risk management programs. The first annual reports were due in September 2024.

For the energy sector specifically, the Australian Energy Sector Cyber Security Framework (AESCSF) defines maturity levels that organisations must now actively work toward — moving from ad hoc, reactive security postures toward documented, managed, and repeatable controls. The framework uses Maturity Index Levels (MIL): organisations operating at MIL 1, where security processes are largely informal, are expected to demonstrate a pathway toward MIL 2 or MIL 3.

What this means in practice is that OT security is now a board-level obligation, not an IT issue. Directors have a fiduciary duty to manage cyber risk with the same rigour they apply to financial or operational risk. The Cyber Security Act 2024 adds ransomware payment reporting requirements for entities with annual turnover above AUD $3 million, effective May 2025. This is the compliance environment in which every operator of critical infrastructure in Australia now operates.

Evidence Snapshot

11 sectors — Number of critical infrastructure sectors now subject to mandatory CIRMP obligations under Australia’s SOCI Act, including energy, water, transport, and telecommunications. (CISC / Department of Home Affairs)

AUD $3 million — Annual turnover threshold above which organisations must report ransomware payments under Australia’s Cyber Security Act 2024, effective May 2025. (Cyber Security Act 2024 Rules)

What a structured response actually looks like

The question we spent the most time on during the roundtable — the one that drew the most candid discussion — was this: given all of the above, what does a realistic, achievable security programme look like for an organisation that isn’t starting from zero but isn’t yet where it needs to be?

The honest answer is that most organisations are dealing with what I’d call “accidental architecture” — networks that grew organically over years, where IT and OT systems were connected incrementally to satisfy business needs, without a security-first design philosophy. The priority for these organisations isn’t perfection; it’s establishing the foundations that make everything else possible.

There are four things that tend to be missing, and that matter more than anything else.

Visibility. You cannot protect what you cannot see. In OT environments, active network scanning can crash sensitive industrial controllers, so passive discovery tools — purpose-built for industrial protocols — are essential. Understanding every asset, its firmware version, and its patch status is the baseline from which everything else flows.

Segmentation. The “flat network” — where IT and OT systems share network space without meaningful barriers between them — remains the most common and most dangerous architectural weakness we encounter. Aligning environments to IEC 62443 and implementing zone-based segmentation means that a threat actor who breaches the corporate IT layer meets a hardened barrier before they can reach critical control systems. This is the architectural principle behind the DMZ-in-a-Box solutions we deploy with Fortinet: a pre-configured, hardened gateway that enables the secure data flows that business requires, without allowing direct traffic between the corporate network and the plant floor.

Contextual monitoring. Standard IT security operations often can’t interpret OT alerts meaningfully — a “Stop Command” sent to an industrial controller looks very similar whether it’s a legitimate maintenance shutdown or a malicious intrusion. OT-specific security operations require analysts who understand the context of industrial processes, and the tools to distinguish between normal operational behaviour and genuine threat activity. This is the work we do through our OT SOC, working with Claroty’s platform and our own visibility capabilities.

A clear compliance roadmap. The regulatory obligations now in place aren’t just a compliance exercise — they’re a useful forcing function. Having a documented pathway from current state to MIL 2 or MIL 3 gives security investment a structure and a rationale that boards can approve and track.
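To make the visibility, segmentation and contextual-monitoring points above concrete, here is an added example (written for this page, not code from Orro, Claroty or Fortinet, and not part of the original post). It parses Modbus TCP frames, which carry no authentication, builds a controller inventory from traffic already on the wire without sending a probe, and judges each write command by who sent it and which IEC 62443-style zones it crossed rather than by the function code alone. The zone ranges, the authorised-writer allowlist and the captured frames are all constructed for illustration.

```python
"""Passive Modbus TCP monitoring with zone context.

Added example, not code from Orro, Claroty or Fortinet. Every address,
zone range, allowlist entry and frame below is constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change controller state. Modbus TCP carries no
# authentication, so the protocol itself cannot tell a maintenance write
# from a malicious one; only sender, network path and process context can.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed IEC 62443-style zone model: enterprise IT, industrial DMZ, control.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}
# Constructed allowlist: the one engineering workstation permitted to write.
AUTHORISED_WRITERS = {"192.168.50.10"}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_modbus_tcp(payload: bytes) -> Optional[dict]:
    """Parse the MBAP header and the PDU function code.

    Big-endian layout: transaction id (2), protocol id (2, always 0),
    length (2, bytes that follow the length field), unit id (1), function (1).
    Returns None for anything that is not well-formed Modbus TCP.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": func, "data": payload[8:]}


@dataclass
class Finding:
    src: str
    dst: str
    function: Optional[int]
    severity: str  # "malformed", "info", "expected" or "high"
    reasons: list


def assess(src_ip: str, dst_ip: str, payload: bytes) -> Finding:
    """Judge one frame by what it does, who sent it and which zones it crossed."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return Finding(src_ip, dst_ip, None, "malformed", ["not well-formed Modbus TCP"])
    func = frame["function"]
    if func not in WRITE_FUNCTIONS:
        return Finding(src_ip, dst_ip, func, "info", [])  # reads feed inventory, not alerts
    reasons = []
    if zone_of(src_ip) == "enterprise" and zone_of(dst_ip) == "control":
        reasons.append("enterprise-to-control traffic bypasses the DMZ conduit (flat network)")
    if src_ip not in AUTHORISED_WRITERS:
        reasons.append("sender is not an authorised engineering station")
    return Finding(src_ip, dst_ip, func, "high" if reasons else "expected", reasons)


def build_inventory(frames) -> dict:
    """Passive discovery: learn controllers, unit ids and function codes from
    traffic already on the wire, without sending a single probe."""
    inventory: dict = {}
    for _src, dst, payload in frames:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            continue
        entry = inventory.setdefault(dst, {"units": set(), "functions": set()})
        entry["units"].add(frame["unit"])
        entry["functions"].add(frame["function"])
    return inventory


# Constructed capture: (source ip, destination ip, raw TCP payload).
SAMPLE_FRAMES = [
    # engineering station writes register 0x0010 := 1 on unit 1 (expected)
    ("192.168.50.10", "192.168.50.20", b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # HMI reads 10 holding registers (info only)
    ("192.168.50.11", "192.168.50.20", b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # enterprise host writes coil 0 := OFF straight into the control zone (high)
    ("10.0.5.33", "192.168.50.20", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x00\x00\x00"),
    # DMZ historian writes two registers; path is a conduit but sender is unauthorised (high)
    ("10.10.0.5", "192.168.50.20", b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x00\x00\x02\x04\x00\x00\x00\x00"),
    # protocol id 1: not Modbus TCP (malformed)
    ("10.0.5.33", "192.168.50.20", b"\x00\x05\x00\x01\x00\x06\x01\x06\x00\x10\x00\x01"),
]


def triage(frames) -> list:
    """Return only the findings an OT analyst should look at."""
    return [f for f in (assess(*fr) for fr in frames) if f.severity in ("high", "malformed")]


if __name__ == "__main__":
    for ip, entry in build_inventory(SAMPLE_FRAMES).items():
        print(f"controller {ip}: units {sorted(entry['units'])}, functions {sorted(entry['functions'])}")
    for f in triage(SAMPLE_FRAMES):
        print(f"[{f.severity}] {f.src} -> {f.dst} fc={f.function}: {'; '.join(f.reasons)}")
```

The design choice worth noting is that the same function code produces three different verdicts depending on context: the engineering station's write is expected, the DMZ host's write is unauthorised, and the enterprise host's write is both unauthorised and evidence of a flat network. A real deployment would read frames from a span port or tap rather than a constructed list, and would add a maintenance-window check to the sender and zone checks shown here.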

The conversation continues

What struck me most about the Melbourne roundtable wasn’t any single insight — it was the quality of the questions from people in the room. The practitioners who attended were sophisticated, clear-eyed about the constraints they’re operating under, and genuinely looking for paths forward rather than validation of the status quo.

If any of this resonates with challenges you’re working through — whether that’s asset visibility, network segmentation, compliance readiness, or building the case for board-level investment in OT security — I’d welcome the conversation.

Orro partners with Claroty and Fortinet to deliver end-to-end OT security architecture, assessment, and managed monitoring services across Australia’s critical infrastructure sectors. To discuss your environment, contact our team.
