The challenges of applying the Essential Eight to Critical Infrastructure Protection

April 29, 2026

Developing an Essential Eight Compliance Checklist for Critical Infrastructure and OT Environments

Australia's Security of Critical Infrastructure Act (SOCI Act) has evolved through amendments in 2024 and 2025 that set out additional rules and practices clarifying the original 2018 legislation.

Where 'specified responsible entities' were already required to develop and maintain a Critical Infrastructure Risk Management Program (CIRMP) for their critical infrastructure assets, the 2025 amendments, which came into force a year ago, specify the requirements of a CIRMP and provide further detail about the hazards to be considered.

The national Critical Infrastructure Security Centre (CISC) provides detailed guidance on the growing body of compliance requirements for operators; its handy Guidance for the Critical Infrastructure Risk Management Program packs the selected highlights into a 16-page summary.

Complying with a broad range of security requirements

The CIRMP Rules specify that a Responsible Entity must comply with the frameworks contained in the following documents:

  • Australian Standard AS ISO/IEC 27001:2015
  • At least Maturity Level 1 of the Essential Eight Maturity Model (E8-MM) published by the Australian Signals Directorate
  • Framework for Improving Critical Infrastructure Cybersecurity published by the US National Institute of Standards and Technology (NIST)
  • At least Maturity Indicator Level 1 of the Cybersecurity Capability Maturity Model published by the US Department of Energy
  • At least Security Profile 1 of the 2020-21 AESCSF Framework Core published by Australian Energy Market Operator Limited (ACN 072 010 327)

The Essential Eight security controls have been around for almost a decade and marked the evolution of the original 'Top Four', a prioritised set of mitigation strategies to protect against cyberattacks. Well understood, they remain hard to implement in an operational technology (OT) environment that does not share the same threats and risks when it comes to daily operations.

The Essential Eight controls were designed with corporate enterprise IT in mind, not OT environments featuring industrial control systems, SCADA and the like, where such restrictions and rapid patching can be impractical or even risky.

After all, the intent of the CIRMP and the SOCI Act overall is risk reduction without disrupting safety or availability of critical systems and services.

Applying the Essential Eight to the OT reality

There are specific challenges with implementing the Essential Eight in environments with SCADA systems, air-gapped networks, legacy PLCs, and operational technology that cannot be maintained according to IT patching cycles.

Overcyte are experts on security controls and global frameworks, so here’s our view on where the biggest E8 gaps usually show up, and what organisations actually do in practice.

We've numbered the E8 controls, then listed what's hard to do in OT environments and the workarounds that achieve the overall spirit of the control:

1. Application Control

Why it’s hard in OT:

  • Legacy HMIs, PLC engineering workstations and vendor software often rely on unsigned binaries or dynamic execution
  • Systems may run outdated OS versions where modern allowlisting tools don’t exist or function
  • Vendors may prohibit changes to system configurations

Workarounds:

  • Implement network-based controls: only allow approved systems to communicate with OT assets.
  • Lock down engineering workstations physically and logically (gold images, no internet)
  • Use jump servers with strict controls instead of enforcing allowlisting directly on fragile endpoints

2. Patch Applications & Operating Systems

Why it’s hard in OT:

  • Downtime can be unsafe or expensive and patching may require shutting down production (or finding a brief window to try)
  • Vendors certify specific OS/application versions and patching can void support arrangements
  • Some systems are effectively unpatchable and end-of-life platforms

Workarounds:

  • Move from the E8 mindset of “patch everything” to risk-based patching where you prioritise internet-facing or highly exploitable vulnerabilities
  • Use virtual patching via firewalls or IPS to block known exploits
  • Establish agreed maintenance windows aligned with operational cycles
  • Segment and isolate unpatchable systems as a compensating measure

3. Multi-Factor Authentication (MFA)

Why it’s hard in OT:

  • Legacy systems may not support MFA
  • Shared accounts are common in control rooms, where operational uptime and safety are prioritised first
  • Real-time operations can't tolerate authentication delays or failures

Workarounds:

  • Enforce MFA at trust boundaries via remote access (VPNs), jump servers or bastion hosts
  • Use MFA for IT/OT boundary crossings
  • If possible, replace shared accounts with named accounts and compensating controls such as logging or session recording

4. Restrict Administrative Privileges

Why it’s hard in OT:

  • Many OT systems require persistent admin rights to function
  • Vendors often require admin-level access for support
  • Role separation concepts (RBAC) are minimal in legacy or operational systems

Workarounds:

  • Implement privileged access management (PAM) at the perimeter rather than on-device
  • Use time-bound access, where necessary via procedures rather than technical controls
  • Monitor and log all privileged sessions - especially vendor access
  • Separate engineering vs operator roles where possible
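Two of the workarounds above are checkable from boundary logs: only approved systems reaching OT assets (control 1, "network-based controls") and time-bound, logged vendor access through the perimeter (control 4). The following Python is an added example, not Overcyte's code or tooling, and everything in it is a constructed assumption: the log line format, the addresses, the `vendor_` account naming convention and the Tuesday 02:00-06:00 UTC maintenance window.

```python
"""Flag connections into the OT zone that come from an unapproved source or
that use a vendor account outside the agreed maintenance window.
Log format, addresses, account naming and the window are all constructed."""
import ipaddress
import re
from datetime import datetime, time, timezone

# Approved systems allowed to talk to OT assets (constructed addresses).
APPROVED_SOURCES = [
    ipaddress.ip_network("10.20.5.0/24"),   # engineering workstations
    ipaddress.ip_network("10.20.9.10/32"),  # jump server
]
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")

# Vendor accounts (assumed naming convention) may only connect in the window.
VENDOR_ACCOUNT_PREFIX = "vendor_"
WINDOW_WEEKDAY = 1          # Tuesday (Monday == 0)
WINDOW_START = time(2, 0)   # 02:00 UTC
WINDOW_END = time(6, 0)     # 06:00 UTC

# Constructed boundary log format: "<ts> <host> ALLOW|DENY src= dst= dport= [user=]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: user=(?P<user>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_window(ts):
    """True when ts (UTC) falls inside the agreed vendor maintenance window."""
    return ts.weekday() == WINDOW_WEEKDAY and WINDOW_START <= ts.time() < WINDOW_END


def check_record(rec):
    """Return finding strings for one parsed record (empty list if clean)."""
    findings = []
    # Only permitted traffic that actually reached the OT zone is of interest.
    if rec["action"] != "ALLOW" or rec["dst"] not in OT_ZONE:
        return findings
    if not any(rec["src"] in net for net in APPROVED_SOURCES):
        findings.append(f"unapproved source {rec['src']} reached OT asset {rec['dst']}")
    user = rec.get("user")
    if user and user.startswith(VENDOR_ACCOUNT_PREFIX) and not in_window(rec["ts"]):
        findings.append(f"vendor account {user} accessed {rec['dst']} outside maintenance window")
    return findings


def scan(lines):
    """Run check_record over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            findings.extend(check_record(rec))
    return findings


# Constructed sample log lines (2026-04-14 is a Tuesday, 2026-04-15 a Wednesday).
SAMPLE_LOG = [
    "2026-04-14T03:10:00Z jump01 ALLOW src=10.20.9.10 dst=192.168.100.21 dport=3389 user=vendor_acme",
    "2026-04-15T14:22:00Z jump01 ALLOW src=10.20.9.10 dst=192.168.100.21 dport=3389 user=vendor_acme",
    "2026-04-15T14:23:00Z fw01 ALLOW src=10.20.5.14 dst=192.168.100.30 dport=502",
    "2026-04-15T14:25:00Z fw01 ALLOW src=10.30.1.77 dst=192.168.100.30 dport=502",
    "2026-04-15T14:26:00Z fw01 DENY src=10.30.1.77 dst=192.168.100.31 dport=502",
    "2026-04-15T14:27:00Z fw01 ALLOW src=10.20.5.14 dst=10.20.7.5 dport=443",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Of the six constructed lines only two produce findings: the Wednesday-afternoon vendor session and the Modbus (502) connection from an address outside the approved ranges. The denied line and the connection that never enters the OT zone are ignored, which keeps the alert volume tied to the two controls being checked rather than to general firewall noise.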

5. Application Hardening

Why it’s hard in OT:

  • Disabling features (macros, scripting engines, browser components and the other targets of the E8's corporate IT hardening) can break vendor software
  • Many OT apps embed outdated web or scripting components by design

Workarounds:

  • Harden only non-critical components where feasible
  • Remove or restrict internet access entirely from OT assets
  • Use network segmentation to prevent exploitation paths to fragile OT systems rather than relying on host and application hardening

6. Restrict Microsoft Office Macros

Why it’s hard in OT:

  • Engineering workflows can rely on Excel macros for configuration or reporting
  • Older versions of MS Office will lack modern macro controls

Workarounds:

  • Allow macros only on specific trusted systems
  • Use signed macros where feasible
  • Then block macros everywhere else, especially on systems that bridge IT and OT worlds

7. User Application Hardening (Web Browsers, etc.)

Why it’s hard in OT:

  • OT systems often run outdated, EOL browsers or embedded web interfaces long forgotten in IT
  • Browser hardening controls may not exist or function

Workarounds:

  • Eliminate browsing from OT systems entirely
  • Route any required web access through isolated, hardened proxy systems
  • Use data diodes or one-way gateways where appropriate or feasible

8. Regular Backups

Why it’s hard in OT:

  • Backing up PLCs, RTUs, and proprietary configurations is non-standard
  • Restoration procedures are often untested and could break operational systems
  • Downtime constraints limit how much backup verification can be done, so it has to be scoped by risk outcome

Workarounds:

  • Focus on key configuration backups (PLC logic, SCADA configs), not just file systems
  • Store backups offline and immutable for faster, safer recovery
  • Regularly test restoration in a lab environment, not production
  • Document manual recovery procedures where automation isn’t possible, to avoid a knowledge gap or a key-worker single point of failure (SPoF)
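The backup workarounds above turn on two things a file-level backup job does not give you for free: knowing that a PLC logic export or SCADA configuration is still exactly what was captured, and noticing when a file has drifted or gone missing before a restore is attempted. The Python below is an added example, not Overcyte's or any vendor's tooling; the directory layout, file names and file contents are constructed, and the manifest is meant to be kept beside the backup on the offline or immutable store the text recommends.

```python
"""Integrity manifest for OT configuration backups (PLC logic exports, SCADA
project files). Paths and file bodies below are constructed for this example;
point build_manifest() at a real backup directory in practice."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream the file so large SCADA project archives don't land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file's path (relative, forward slashes) to its SHA-256 hex digest."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def manifest_json(manifest):
    """Serialised form to store with the backup on offline/immutable media."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(backup_dir, manifest):
    """Compare the directory against a stored manifest. Returns sorted lists of
    modified, missing and unexpected files; all empty means the set is intact."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Write a constructed backup set, record its manifest, then tamper with it
    and return the (clean, drifted) verification results."""
    files = {  # constructed sample backup contents
        "plc/pump_station_1_logic.xml": b"<program name='pump_station_1'/>",
        "scada/site_overview.cfg": b"tag=PUMP1_RUN\nalarm_limit=85\n",
        "hmi/operator_panel.bin": b"\x00\x01\x02\x03",
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, data in files.items():
            path = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Round-trip through JSON, exactly as a stored manifest would be read back.
        manifest = json.loads(manifest_json(build_manifest(d)))
        clean = verify_manifest(d, manifest)
        # Simulate silent drift, a lost file and an untracked addition.
        with open(os.path.join(d, "scada", "site_overview.cfg"), "ab") as f:
            f.write(b"alarm_limit=95\n")
        os.remove(os.path.join(d, "hmi", "operator_panel.bin"))
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"untracked")
        drifted = verify_manifest(d, manifest)
    return clean, drifted


if __name__ == "__main__":
    clean, drifted = demo()
    print("clean backup set:", clean)
    print("after tampering:", drifted)
```

Running the verification against the lab copy before a restoration test, and against the offline copy on a schedule, gives a cheap answer to "is this the configuration we think it is" without touching production. The manifest only proves integrity relative to what was captured, so the restoration test in a lab environment remains the check that the captured configuration actually works.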

Getting practical in OT for CIRMP compliance

Instead of attempting to force the specifics of Essential Eight practices directly onto OT:

  1. Apply the Essential Eight fully in IT environments, noting that Maturity Level One is pretty basic in a 2026 threat landscape
  2. Apply an adapted version in OT environments by:
     • Focusing on network segmentation
     • Providing strict access pathways with MFA applied
     • Having effective monitoring and detection in place
     • Ensuring a robust asset inventory and visibility over key systems
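An adapted E8 for OT still needs to be demonstrable per asset: for each control, was it applied directly, met by an accepted compensating control, recorded as a gap, or simply not applicable to that device? The Python below is an added example of such a checklist evaluator, not Overcyte's platform or code. The rule table is an illustrative policy assembled from the workaround lists above (not an ASD or IEC 62443 mapping), and the two asset records are constructed.

```python
"""Per-asset Essential Eight checklist for OT. Each control is 'direct',
'compensated', 'gap' or 'n/a'. The rule table is an illustrative policy drawn
from the workarounds in this post; the asset records are constructed."""

CONTROLS = [
    "application_control", "patching", "mfa", "admin_privileges",
    "application_hardening", "office_macros", "user_application_hardening", "backups",
]

# "any_of": at least one must be present; "all_of": every one must be present.
COMPENSATING_RULES = {
    "application_control": {"any_of": {"network_allowlist", "locked_engineering_workstation", "jump_server"}},
    "patching": {"any_of": {"virtual_patching", "segmentation", "maintenance_window"}},
    "mfa": {"all_of": {"mfa_at_boundary"}},
    "admin_privileges": {"any_of": {"pam_at_perimeter", "time_bound_access"},
                         "all_of": {"privileged_session_logging"}},
    "application_hardening": {"any_of": {"no_internet", "segmentation"}},
    "office_macros": {"any_of": {"macros_trusted_hosts_only", "signed_macros"}},
    "user_application_hardening": {"any_of": {"no_browsing", "hardened_proxy", "data_diode"}},
    "backups": {"all_of": {"config_backups", "offline_immutable_backups", "tested_restore"}},
}


def evaluate_control(asset, control):
    """Return (status, detail). detail is the set of compensating controls relied
    on for 'compensated', or the set still missing for 'gap'."""
    if control in asset.get("not_applicable", set()):
        return "n/a", set()
    if control in asset.get("direct", set()):
        return "direct", set()
    rule = COMPENSATING_RULES[control]
    have = asset.get("compensating", set())
    any_of = rule.get("any_of", set())
    all_of = rule.get("all_of", set())
    any_ok = not any_of or bool(any_of & have)
    missing = all_of - have
    if not any_ok:
        missing |= any_of  # none of the alternatives is in place, list them all
    if any_ok and not missing:
        return "compensated", (any_of | all_of) & have
    return "gap", missing


def evaluate_asset(asset):
    """Checklist for one asset: control name -> (status, detail)."""
    return {c: evaluate_control(asset, c) for c in CONTROLS}


def gap_report(assets):
    """(asset name, control, missing compensating controls) for every gap found."""
    report = []
    for asset in assets:
        for control, (status, detail) in evaluate_asset(asset).items():
            if status == "gap":
                report.append((asset["name"], control, detail))
    return report


# Constructed asset records: a legacy PLC and an engineering workstation.
ASSETS = [
    {"name": "PLC-PS1", "zone": "OT", "not_applicable": {"office_macros"},
     "direct": set(),
     "compensating": {"network_allowlist", "segmentation", "virtual_patching", "no_internet",
                      "no_browsing", "config_backups", "offline_immutable_backups", "tested_restore"}},
    {"name": "EWS-01", "zone": "OT",
     "direct": {"patching", "office_macros", "backups"},
     "compensating": {"locked_engineering_workstation", "jump_server", "mfa_at_boundary",
                      "pam_at_perimeter", "privileged_session_logging", "no_internet", "hardened_proxy"}},
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(asset["name"])
        for control, (status, detail) in evaluate_asset(asset).items():
            print(f"  {control:28s} {status:12s} {sorted(detail)}")
    print("gaps:", gap_report(ASSETS))
```

With these constructed inputs the workstation has no gaps, while the PLC shows exactly the two the workaround lists predict for a device that cannot do MFA or privilege separation itself: no MFA at a trust boundary in front of it, and no perimeter PAM or session logging for whoever administers it. Recording a gap with the named missing compensations, rather than silently marking the control "not possible", is what gives the CIRMP its demonstrable control intent.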

At E8 Maturity Level 1, you’re aiming only for basic hygiene, protection against opportunistic attacks and demonstrable control intent. In IEC 62443 terms, that roughly aligns with Security Level 1 (SL1): Protection against casual or coincidental compromise.

To go further, think about cross-mapping your security controls to every applicable (or required) framework and treat the Essential Eight (E8) as outcome-based intent mapped to the more OT-native structure of IEC 62443 or the well-respected AESCSF Framework for energy operators.

Overcyte excels at providing a platform ready to help you measure and manage your ongoing alignment and compliance with the necessary SOCI Act CIRMP requirements.
