Cyber Security for Critical Infrastructure & OT

In critical infrastructure, cyber risk isn’t about data first. It’s about whether the lights stay on, the water stays clean, and trains keep moving.

Energy, water, transport, resources, communications, ports, health, food and other essential services are now deeply digital. Operational technology (OT) and industrial control systems (ICS) that used to be isolated are increasingly connected—to IT networks, cloud platforms and third-party vendors.

Adversaries have noticed.

Cyber Risk in Critical Operations

The 2024 IBM Cost of a Data Breach analysis for the industrial sector reported an average breach cost of USD 5.56 million, an 18% increase on 2023—one of the steepest jumps across all sectors. (IBM)

In Australia, the latest Annual Cyber Threat Report 2024–25 from the Australian Signals Directorate shows:

  • USD 5.56M: average industrial breach cost (IBM 2024)
  • 18%: year-on-year increase in industrial breach cost
  • 1,200+: cyber incidents responded to (ASD 2024–25)
  • 219%: increase in average cost for large businesses

Industrial-focused research from Dragos in early 2025 shows OT/ICS cyber threats continuing to escalate, driven by ransomware, exploitation of remote access, and supply-chain gaps—with ransomware activity against industrial organisations remaining consistently high and ICS becoming one of the most impacted sectors. (Dragos)

All of this is happening as AI-assisted attacks and “grey zone” operations blur the line between criminals, hacktivists and state-aligned actors, with critical infrastructure a prime target for disruption and leverage. (Daily Telegraph)

Fortura exists so that “assume compromise” doesn’t turn into “assume outage”.

Our Focus

Who We Work With

This page is for operators and owners of critical infrastructure and OT-heavy environments across ANZ, including:
  • Electricity generation, transmission and distribution
  • Gas production and pipelines
  • Water and wastewater utilities
  • Ports, airports, rail and road transport operators
  • Telecommunications and data centre providers
  • Mining, resources and heavy manufacturing
  • Hospitals and health infrastructure
  • Food and grocery distribution and logistics
  • Government-owned corporations and shared utility platforms

If an outage in your environment would show up on the news, in Parliament, or in a national incident report, this is your threat model.

Rising Expectation

The New Operating Reality for Critical Infrastructure & OT

Critical infrastructure operators are being pulled in two directions at once:
01 Digitalisation and Convergence

  • OT and ICS networks increasingly connected to IT for monitoring, analytics and remote operations
  • Cloud-hosted historians, asset management, work management and engineering systems
  • Remote access for OEMs, vendors and field crews

02 Regulation and Public Expectation

  • Tougher obligations under Australia’s Security of Critical Infrastructure Act 2018 (SOCI) and associated Critical Infrastructure Risk Management Program (CIRMP) rules, including 2025 amendments that explicitly bring “business critical data” and secondary systems into scope (CISA Website)
  • Growing focus on resilience and “minimum operating levels” for essential services
  • Greater scrutiny from media, customers and community whenever there is a disruption

03 Threat Landscape

  • ASD’s 2024–25 report highlights an 83% increase in proactive notifications to entities about potentially malicious cyber activity, with nearly half of confirmed incidents involving malware or ransomware. (Cyber.gov.au)
  • Dragos’s 2025 OT/ICS reporting describes a convergence of state-sponsored threats, criminal groups and hacktivist fronts, with industrial organisations squarely in the crosshairs. (IT Brief Australia)

For critical infrastructure, the mandate is brutal in its simplicity: keep services safe, keep them running, and survive contact with modern attackers.

Inside The Attack

How Attacks Really Unfold in OT & Critical Infrastructure

In OT, attacks rarely look like someone “hacking a PLC from the internet” on day one. More often, they follow a multi-stage pattern across IT and OT:
01 Initial Access On The IT Side

  • Phishing, credential theft, remote access compromise
  • Exploitation of internet-facing services, VPNs or unmanaged assets
  • Compromise of a vendor, integrator or managed service provider
02 Movement Towards OT & Critical

  • Discovery and pivoting through flat or poorly segmented networks
  • Abuse of remote access solutions used for engineering support
  • Targeting domain controllers, jump hosts and shared infrastructure that bridge IT/OT
03 Impact On Operations

  • Ransomware encrypting IT systems that are critical to safe operations
  • Disruption of HMI/engineering stations, file shares or historian systems
  • Data theft and extortion using operational configuration files, network diagrams and sensitive business data

Dragos’s 2025 ransomware analyses show industrial organisations consistently among the most impacted, with ICS-related incidents rising and sectors like manufacturing, energy, transportation and equipment engineering repeatedly targeted. (Dragos)

At the same time, we’re seeing AI-assisted campaigns where generative AI is used to:

  • Craft highly tailored phishing and social engineering targeting engineers and operators
  • Automate reconnaissance across exposed services and remote access infrastructure
  • Coordinate activity across multiple compromised suppliers and partners

The line between “IT incident” and “operational disruption” gets crossed much faster than most organisations expect.

Emerging Risk

AI and OT: A New Kind of Exposure

AI is reshaping operational technology, introducing powerful efficiencies and a new class of cyber and safety risk.
  • Predictive maintenance and anomaly detection on sensor data
  • AI-driven optimisation of energy dispatch, pumping schedules, routing and scheduling
  • Computer vision for safety, inspection and perimeter monitoring
  • Large-language model copilots for engineering, operations and field staff

The IBM 2025 breach study highlights an “AI oversight gap”—ungoverned AI systems being more likely to be breached and more costly when they are, with shadow AI breaches costing on average USD 670,000 more than “traditional” breaches, and 97% of AI-related breaches lacking adequate access controls. (IBM)

National security reporting in early 2026 points to AI being actively used in “grey zone” campaigns—AI agents conducting much of the reconnaissance and intrusion work against critical infrastructure with minimal human oversight. (Daily Telegraph)

  • Engineers or planners pasting configurations, diagrams and logs into public AI tools
  • AI-assisted optimisation systems making decisions based on manipulated inputs
  • AI-powered reconnaissance of exposed OT remote access, vendor portals and support tools
If your AI initiatives sit outside your risk and OT safety programs, you don’t have an innovation strategy—you have an uncontrolled experiment on essential services.

Fortura’s stance is that AI in OT must be treated as both an opportunity and a hazard—with threat models, controls and governance to match.

Compliance

Frameworks, Standards and The Compliance Spine

Critical infrastructure and OT security sits at the intersection of safety, cyber and regulation. The stack typically includes:

Australian Regulatory Layer

  • Cyber and Infrastructure Security Centre guidance under the SOCI Act
  • Critical Infrastructure Risk Management Program (CIRMP) rules, including 2025 amendments that expand “material risks” to cover business critical data and data storage systems (CISA Website)
  • Sector-specific regulation (energy, water, transport, health, communications) and state-based obligations
  • ACSC’s Essential Eight and wider guidance for critical infrastructure entities

OT & Industrial Standards

  • IEC 62443 for industrial automation and control systems
  • NIST SP 800-82 for ICS security
  • Industry-specific standards (e.g. NERC CIP in power, where relevant for global operators)

Enterprise Frameworks

  • NIST Cybersecurity Framework (NIST CSF)
  • ISO/IEC 27001 and related controls standards
  • Safety and reliability frameworks already in use for process safety and asset management

Fortura doesn’t treat these as a checklist problem. We treat them as your minimum licence to operate, then focus on the practical question: what changes in your plant, network and supplier ecosystem tomorrow?

Costs of Compromise

Outage, Safety and Harvest Now, Decrypt Later

In critical infrastructure, the cost of a cyber incident goes far beyond a headline number:

  • Service Disruption: Power interruptions, water issues, transport delays, port congestion, health service diversion
  • Safety Implications: Increased operational risk if safety systems, HMI, alarms or procedures are impacted
  • Economic and Societal Impact: Downstream businesses and communities affected by outages, especially in regional or remote areas
  • Regulatory and Legal Exposure: Investigations, enforceable undertakings, potential penalties under SOCI and sector regulation
  • Geopolitical Leverage: Incidents exploited in information operations or used to signal capability and intent

The global data breach average of USD 4.44 million in 2025 is almost academic compared to the real-world cost of a multi-day outage of electricity, water or transport services, but it does highlight how quickly incident costs have grown. (Baker Donelson)

Overlaying all this is the “harvest now, decrypt later” risk highlighted by national security agencies: adversaries collecting encrypted OT and infrastructure-related data today, intending to decrypt it with future quantum capabilities—particularly sensitive design, configuration and communications data that might underpin critical systems for decades. (Daily Telegraph)

For boards, executives and asset owners, the question becomes: “What is the real cost—in money, safety and sovereignty—if we only find out our assumptions were wrong during a major incident?”

Horizon

The Next 3–5 Years for Critical Infrastructure & OT Cyber

Looking out to 2029–2030, a few trends seem almost certain:
  • 2027: AI-enabled grey zone operations will increase. State-aligned actors will continue to use AI and autonomous agents to probe, map and pressure critical infrastructure without crossing into open conflict.
  • 2028: Regulation will deepen beyond compliance. SOCI and CIRMP obligations will continue to evolve, with more sectors and more “downstream” entities brought into scope, and more emphasis on demonstrable resilience rather than just compliance.
  • 2029: Post-quantum migration planning required. Long-lived OT systems and critical data flows will need crypto-agility and migration plans as standards mature.
  • 2030: Ecosystem defence > isolated security. Shared platforms, cross-border ownership and complex supply chains will force operators to think beyond their own fence line.

Fortura’s commitment in this space is simple:

  • Be honest about your real risk and exposure, not just what’s on a diagram
  • Be clear on which moves matter most for your assets, geography and regulatory reality
  • Be pragmatic about how to get from intent to execution in environments where uptime and safety are non-negotiable

“We’re not here to tell you to shut everything down. We’re here to help you keep the lights on, the water flowing and the nation moving—even when someone is actively trying to stop you.”

FAQ

Cyber Security for Critical Infrastructure & OT

Fortura is a cybersecurity company delivering intelligence-led services today and building security platforms for the future.
Because they underpin essential services and national economies. Disrupting or threatening them gives adversaries leverage—whether for ransom, political signalling, strategic advantage or all three.
AI is boosting attacker capability (better phishing, automated reconnaissance, AI-driven intrusion) and creating new surfaces where AI is embedded into operations. The biggest risks today are ungoverned AI use (“shadow AI”) and AI-assisted campaigns against OT-adjacent IT and remote access.
They’re vital, but not sufficient. Many organisations are “aligned” on paper yet still have flat networks, uncontrolled remote access, weak supplier oversight or ungoverned AI. Fortura helps turn framework alignment into practical changes in plants, networks and contracts.
We involve operations, engineering and safety teams early—walking the plant, mapping processes, and checking that proposed controls won’t break safe operations. The aim is security that respects physical reality, not just network diagrams.
Most start with a combined risk & exposure assessment across IT/OT, a CIRMP-aligned review, and an attack surface and remote-access assessment. From there, we co-design a roadmap and support key moves—architecture changes, AI/OT risk governance, threat-informed testing and incident readiness.