Verified Credentials
Holding industry-recognised certifications that underpin every engagement.
What I Deliver
Cybersecurity Management Systems (ISMS & CSMS)
I specialise in defining, implementing, and assessing cybersecurity management systems, including ISO 27001 Information Security Management Systems (ISMS) and IEC 62443-2-1/ISA99 Cybersecurity Management Systems (CSMS), ensuring comprehensive protection for your business. An ISMS governs information security across your IT environment; a CSMS extends this into OT/ICS environments where operational continuity and safety are critical.
Compliance & Framework Alignment
With proven experience aligning organisations with NIST and AESCSF frameworks, I provide both local and remote assessments of compliance with best practices, aligned with the ACSC Essential Eight and corporate policies. My approach includes detailed rectification reports, actionable remediation plans, and hands-on implementation to minimise risk to your operations. I also support SOCI Act Risk Management Program (RMP) development for operators of critical infrastructure assets.
Risk Assessment & Security Design
I bring extensive expertise in conducting risk assessments and security threat analysis, with solution design based on IEC 62443-3-2 (zone and conduit model) and IEC 62443-3-3 standards, or TS50701 for the transport sector. Risk management is conducted in accordance with IEC 31000 principles. My services also encompass design and deployment of security technologies, from antivirus and firewalls to NIDS, WAF, encryption, and SIEM for real-time detection and monitoring.
OT/IT Network Segmentation & Architecture
Effective separation of OT and IT networks is foundational to industrial cybersecurity. I design and implement network segmentation architectures aligned with the Purdue Reference Model and IEC 62443 zone and conduit principles — including DMZ design, data diodes, unidirectional gateways, and firewall rule sets tailored to OT protocol requirements (DNP3, Modbus, OPC-UA).
Cybersecurity Awareness Training
I offer tailored cybersecurity awareness training to build a strong security culture, educating your team on common threats and reinforcing best practices — especially for Operational Technology (OT) environments where staff may not have traditional IT security exposure. Training is designed to be practical and sector-relevant, not generic.
Compliance Landscape
Engagements are routinely aligned to the following frameworks depending on your sector, regulatory obligations, and risk appetite.
IEC 62443 — Industrial Cybersecurity
The primary international standard series for securing Industrial Automation and Control Systems (IACS). Covers security management (Part 2), risk assessment methodology (Part 3-2), and system-level security requirements (Part 3-3). Certified ISA/IEC 62443 Cybersecurity Expert.
AESCSF — Australian Energy Sector
The Australian Energy Sector Cybersecurity Framework, developed by AEMO, provides maturity assessment and improvement pathways for electricity and gas market participants. Assessments align with AESCSF profiles and identify prioritised improvement actions.
ACSC Essential Eight
The ACSC's eight prioritised mitigation strategies, assessed against Maturity Levels 0–3. Covers application control, patching, macro settings, user application hardening, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups.
SOCI Act — Security of Critical Infrastructure
The Security of Critical Infrastructure Act 2018 (and amended) requires operators of critical infrastructure assets — electricity, water, gas, transport, and more — to register assets, report incidents, and maintain Risk Management Programs (RMPs). I assist organisations to scope, develop, and maintain compliant RMPs.
Frequently Asked Questions
What is the AESCSF and who does it apply to?
The Australian Energy Sector Cybersecurity Framework (AESCSF) is a voluntary framework developed by AEMO and industry partners to assess and improve cybersecurity maturity for Australian energy sector organisations. It applies to electricity and gas market participants, network service providers, and other entities within the National Electricity Market (NEM).
What is the difference between an ISMS and a CSMS?
An ISMS (Information Security Management System), defined by ISO 27001, is a systematic approach to managing sensitive company information for IT environments. A CSMS (Cybersecurity Management System), defined by IEC 62443-2-1, is the OT/ICS equivalent, designed for industrial control system environments where safety and operational continuity are critical alongside information security.
What is an Essential Eight assessment?
The Essential Eight is a set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to protect against cyber threats. An Essential Eight assessment evaluates an organisation's implementation of these controls — including application control, patching, multi-factor authentication, and backups — and rates maturity across four levels (0–3).
How long does an OT security risk assessment take?
The duration depends on the size and complexity of the OT environment. A targeted assessment for a single facility can take 1–2 weeks, while enterprise-wide assessments covering multiple sites and systems may take 4–8 weeks or more. A scoping discussion is the best starting point to estimate the effort required.
What does SOCI Act compliance mean for OT operators?
The Security of Critical Infrastructure (SOCI) Act 2018 (as amended in 2022) requires operators of critical infrastructure assets in Australia — including electricity, water, gas, and transport — to register assets, report incidents, and implement Risk Management Programs (RMPs). OT operators must demonstrate they have adequate cybersecurity controls protecting their industrial control systems.
Discuss Your Cybersecurity Requirements
Contact Adam to arrange a scoping discussion for your assessment or implementation project.