Australia Releases “CI Fortify” Guidance for Critical Infrastructure Operators

The Australian Signals Directorate (ASD) and its Australian Cyber Security Centre (ACSC) have released a new publication, CI Fortify, outlining cybersecurity recommendations for Australian critical infrastructure (CI) operators. The document is designed to help organizations strengthen their security posture and resilience before a crisis or major service disruption occurs.

Read the guidance on cyber.gov.au ›

ASD and ACSC released CI Fortify in response to a rapidly evolving threat landscape for operational technology (OT) systems that underpin critical services such as energy, water, transportation, and communications.

The publication notes that state-sponsored actors are actively targeting Australian CI networks—both for espionage and to establish potential footholds for disruption in times of conflict. Cybercriminals continue to exploit these same systems for ransomware and data theft. With most CI environments relying on interconnected IT and OT systems and complex supply chains, even a single compromise can cause cascading effects on essential services.

CI Fortify provides high-level, actionable steps for operators to build readiness before an incident occurs. It focuses on preparation, isolation, and recovery, helping organizations ensure that vital OT and enabling systems can be maintained, disconnected, and rebuilt safely during periods of disruption.

At Industrial Defender, we welcome the release of CI Fortify and its clear call for stronger OT resilience. The guidance starts exactly where every effective cybersecurity program should, with an accurate, up-to-date inventory of OT assets and enabling systems.

This principle aligns closely with our long-standing view that visibility is the foundation for security, reliability, and recovery. Without knowing what assets exist, how they connect, and what configurations they depend on, it’s impossible to isolate or rebuild critical systems effectively.

We’re encouraged to see ASD and ACSC reinforce this approach and believe that CI Fortify gives operators a practical roadmap for strengthening their environments in line with global OT security best practices.

A Closer Look at the CI Fortify Framework

CI Fortify is organized around three preparatory steps and two planned actions—a structure that emphasizes building the fundamentals first, then developing advanced resilience capabilities.

Preparatory Steps

1. Maintain an up-to-date inventory of OT assets and enabling systems.
   ASD calls this the cornerstone of OT cybersecurity. Operators should identify every OT asset, capture its role, location, and dependencies, and classify it by criticality. The inventory must remain current to inform risk assessments and prioritization.
2. Identify vital OT and enabling systems.
   Once critical services are defined, operators must determine which systems are essential to maintaining those services. This distinction ensures protection efforts and rebuild plans focus on what truly matters during a disruption.
3. Identify isolation points.
   With vital systems known, operators should determine where isolation can be enacted to contain an incident. Isolation planning allows for continuity of critical services even when portions of a network must be segmented or disconnected.

Planned Actions

1. Be capable of isolating vital systems for up to three months while maintaining critical services.
   Operators are encouraged to build the capability to separate essential OT and enabling systems from other networks and the internet in response to a persistent threat or active compromise. This requires defined thresholds for action, pre-planned manual workarounds, and clear operational procedures to maintain continuity.
2. Be capable of rapidly rebuilding vital systems.
   CI Fortify stresses the need to maintain trusted, offline backups of firmware, configuration, and processes to restore operations quickly and safely. Rebuild planning includes identifying minimum operating requirements, pre-positioning spare components, and testing procedures to validate recovery under realistic conditions.

Parallel Benefits

ASD notes that building these capabilities delivers value beyond cyber incidents. Organizations that plan for isolation and recovery are also better prepared for natural disasters, safety events, and supply-chain disruptions. Regularly testing these processes reduces downtime and financial loss while improving confidence in operational continuity.

Moving From Guidance to Action

CI Fortify gives Australia’s CI operators a clear strategic direction for improving OT security maturity. Turning that strategy into daily practice begins with visibility—the same foundation Industrial Defender was built on.

By maintaining a complete and trustworthy inventory of OT assets, tracking configuration changes, and preserving historical baselines, organizations can confidently plan for isolation and rebuild scenarios. These are the same building blocks that enable compliance with international frameworks like IEC 62443 and national standards such as the AESCSF.

As ASD and ACSC make resilience a national priority, Industrial Defender stands ready to help CI operators operationalize those principles—starting with the accurate visibility that CI Fortify identifies as step one.