Executive Summary

Australia's Cyber and Infrastructure Security Centre (CISC) has expanded the Critical Infrastructure Risk Management Program (CIRMP) rules to mandate explicit treatment of artificial intelligence exposure, legacy system risk, supply chain dependency, and insider threat across responsible entities. For OT operators the consequential change is that unsupported legacy controllers and opaque vendor dependencies are now a documented compliance liability rather than an accepted operational reality.

Technical Exposure Breakdown

This is a regulatory action, not a single CVE, but the engineering implications are direct. The enhanced CIRMP framework forces responsible entities to identify and treat four hazard classes that have historically been hand-waved in OT risk registers. Each maps to a concrete failure surface.

Legacy systems. The rules now require documented treatment of end-of-life and unsupported assets. In OT this means the Windows 7 and Windows XP engineering workstations, the unpatchable PLCs from the 1990s, and the serial-to-Ethernet gateways bridging field devices to routable networks. These devices cannot be patched, and in many cases cannot be safely scanned. Active scanning of a legacy industrial component can exhaust its TCP stack, corrupt its protocol state machine, or trip a safety function. Across our visibility into 175,000+ OT products and 25,000+ ICS CVEs, the legacy tier is where exploitability and physical consequence overlap most heavily.

Supply chain. The provisions demand visibility into hardware, firmware, and software dependencies. For OT this includes vendor remote access tunnels, firmware delivered through opaque update channels, and third-party integrators with persistent credentials into the control environment. The mechanism that breaks here is trust assumption. An integrator's compromised laptop becomes a path to the DCS.

AI exposure. The new AI obligations matter less for control logic and more for the analytics, predictive maintenance, and decision-support layers now bolted onto OT. Any system that ingests process historian data and produces operational recommendations is an integrity target. Poisoned input or manipulated model output can drive an operator toward an unsafe action while appearing authoritative.

Insider risk. The framework requires personnel hazard treatment. In OT the insider does not need malware. A disgruntled engineer with legitimate HMI access and knowledge of interlock bypasses can cause physical damage with sanctioned credentials.

OT Impact and Compliance Risk

The physical consequences are familiar to anyone running a plant. Legacy controller failure during a scan stops a process. A compromised vendor update channel can push malformed firmware to a fleet of relays or RTUs. The CIRMP changes mean these scenarios now carry documented regulatory exposure under Australia's Security of Critical Infrastructure Act framework.

For operators with cross-jurisdiction footprints, CIRMP aligns conceptually with IEC 62443 zone and conduit segmentation and with the supply chain and access control expectations seen in NERC CIP and TSA SD-02C. Entities already mapping to IEC 62443-3-3 system requirements will find the gap analysis tractable. Those treating compliance as a document exercise will find the legacy and insider provisions difficult to satisfy with paper alone.

Compensating Controls

Patching is not the answer for the asset classes CIRMP targets, because most of them cannot be patched. The defensible approach is compensating control around the device.

BreachSpider Intel

BreachSpider tracks vulnerability and regulatory developments across 350,000+ CVEs and the OT product fleet so operators can map CIRMP obligations to real exposure before an auditor or an attacker does.