On 14 August 2025, the Cybersecurity and Infrastructure Security Agency (CISA) published guidance on operational technology (OT) cybersecurity alongside international partners, including the National Security Agency and cybersecurity agencies from five allied nations. The guidance applies to OT owners and operators across all critical infrastructure sectors, particularly energy, water treatment, oil and gas, and electricity organisations. The policy requires organisations to implement a systematic five-step framework for developing asset inventories and taxonomies. This includes creating regularly updated lists of OT systems with 14 high-priority attributes, including communication protocols, asset criticality, and IP addresses. It also states that organisations must develop classification systems based on the ISA/IEC 62443 standards using the Zones and Conduits methodology. They must also establish life cycle management policies and cross-reference inventories with vulnerability databases such as CISA's Known Exploited Vulnerabilities Catalog. The guidance mandates real-time monitoring systems and includes sector-specific taxonomies developed through industry collaboration.