CISC's New Rules: AI, Legacy Systems & Supply Chain Risks

Australia's Cyber and Infrastructure Security Centre, known as CISC, has unveiled new rules to strengthen protections for the nation's critical infrastructure. These Enhanced Critical Infrastructure Risk Management Program Rules 2026 aim to improve resilience against evolving threats. The updated requirements focus on a more robust security posture for critical infrastructure operators. They help bolster preparedness and protection against disruptions to nationally significant assets and services. What's interesting is that these rules introduce targeted uplifts to existing risk management requirements. This ensures critical infrastructure owners are better equipped to address a complex threat environment across specified asset classes. These include critical energy, electricity, gas, liquid fuel, water, broadcasting, and freight assets. Regarding cybersecurity, the new rules require entities to assess risks from legacy systems and new technology, including AI. They also mandate phishing-resistant multi-factor authentication for critical systems and the segregation of critical from non-critical systems. The rules also address offshoring critical staff or data, insider threats, and supply chain risks. This matters because it aims to protect essential services from a wide range of potential disruptions.