Published Wednesday, June 17, 2026 at 11:22 PM PT

BLUF: Australia’s Cyber and Infrastructure Security Centre (CISC) has announced Enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules, expanding mandatory security obligations for critical infrastructure operators to explicitly address AI systems, legacy OT environments, supply chain risks, and insider threats. Operators subject to the Security of Critical Infrastructure (SOCI) Act should review compliance obligations immediately.
DETAILS
- CISC has formally unveiled Enhanced CIRMP Rules targeting four previously underspecified risk domains: artificial intelligence integration, legacy system vulnerabilities, supply chain integrity, and insider threat management within critical infrastructure environments.
- Scope applies to regulated critical infrastructure sectors under Australia’s SOCI Act framework — exact sector-by-sector applicability and enforcement timelines have not been confirmed in available reporting and should be verified directly with CISC.
- Legacy OT systems are explicitly called out as a risk category, consistent with broader industry recognition that aging operational technology remains a persistent, high-exposure attack surface in sectors including energy, water, and manufacturing.
- Supply chain and AI risks are now formally embedded in regulatory requirements — a significant expansion reflecting the evolving threat landscape, including AI-enabled attack vectors and third-party dependency exploitation.
- Specific technical controls, compliance deadlines, and penalty structures are not confirmed in available source material — treat details beyond the announcement as unverified until CISC publishes full rule text.
IMPACT
- Who: Australian critical infrastructure operators regulated under the SOCI Act — sectors likely include energy, water, transport, communications, financial services, and data infrastructure.
- Scope: National. Regulatory in nature; non-compliance risk is administrative and legal, not an active exploit event.
- Indirect exposure: Third-party vendors and supply chain partners to regulated entities may face downstream contractual or audit obligations as operators move to comply.
RECOMMENDED ACTIONS
- Obtain and review the full Enhanced CIRMP Rule text directly from CISC (cisc.gov.au) — do not rely solely on media summaries for compliance decisions.
- Conduct a gap assessment against the four named risk domains: AI systems in use, legacy OT asset inventory, supply chain vendor risk posture, and insider threat program maturity.
- Engage legal and compliance counsel to determine sector-specific applicability and any revised submission or attestation deadlines.
- Accelerate legacy OT visibility efforts — asset discovery and network segmentation are foundational and typically long-lead activities.
- Brief executive leadership — CIRMP obligations carry board-level accountability under the SOCI Act.
SOURCES
- Industrial Cyber — CISC CIRMP Enhanced Rules announcement (primary)
- CISC / Australian Government (authoritative source — verify rule text directly)
⚠️ UNCERTAINTY FLAG: Specific compliance deadlines, sector applicability details, and technical control requirements are NOT confirmed in available reporting. This alert reflects the announcement only. Treat implementation specifics as pending until official rule documentation is reviewed.
