Secure Infrastructure

CCMM Cyber
Critical Infrastructure Assurance

The question every CISO faces
Scattered signals. Fragmented obligations. One organisation.
CCMM Cyber turns that into one defensible assurance position.
Three outputs (illustrative signals only):
CPS · Cyber Posture Score: posture certificate, for the board and regulator.
TCI · Threat Convergence Index: live threat state, for the SOC and operations.
ACI · Attribution Confidence Index: incident attribution, case-specific.
CCMM Cyber — Cyber-Physical Assurance for Critical Infrastructure · GABEY Consulting Pty Ltd ACN 121 511 055 · Illustrative signals shown for design purposes only · Portfolio dashboard does not constitute regulatory compliance · v1 scope: electricity, water, oil and gas, aviation, industrial IoT · SSRN Abstract ID 6364078 · Submitted 7 March 2026
Methodology status · What exists today
2 of 7 technical documents complete: Stage 1 Architecture and Stage 2A Formula Specification. Available to verified professionals on request.
6 red-line auto-fail conditions: hard-fail conditions defined with evidence requirements. No Gold Standard if any condition remains unresolved.
3 outputs formally separated: CPS, TCI, and ACI each have distinct cadences, evidence types, and audiences. Never blended into one number.
11 regulatory frameworks mapped: ISM, PSPF, Essential Eight, SOCI Act, NERC CIP, E-ISAC, NIS2, IEC 62443, NIST CSF 2.0, APRA CPS 230, ISO 27001.
v1 sectors: electricity, water and sewerage, oil and gas, aviation, industrial IoT.
Gold Standard eligibility
Six conditions that trigger automatic failure — regardless of everything else.
No Gold Standard certification is possible while any red-line condition remains unresolved.
RL–1 · Unmanaged vendor remote access: active OT remote access paths with no MFA, no session logging, and no revocation process.
RL–2 · Flat IT/OT topology: no electronic security perimeter, no zone and conduit separation between corporate IT and OT networks.
RL–3 · No safety system isolation: safety instrumented systems share network segments with general OT or corporate IT environments.
RL–4 · Asset inventory below 60%: OT, ICS, and IoT asset discovery covers less than 60% of the known operational environment.
RL–5 · Zero threat intelligence consumption: no advisory review, no IOC ingestion, and no sector ISAC participation in the preceding 90 days.
RL–6 · No tested recovery plan: no documented recovery or continuity test for any critical process in the preceding 24 months.
Red-line conditions are specified in the Stage 2A Technical Specification. Evidence requirements are documented. Available to verified professionals on request.
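The gate the six red-line conditions describe, as an added illustration that is not part of the Stage 2A specification: one unresolved condition forces the Critical Exposure band and blocks Gold Standard, whatever the dimension scores say. The evidence record layout, field names, the sample values and the reading of "24 months" as 730 days are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Illustrative evidence record (assumed layout; not the Stage 2A evidence taxonomy).
@dataclass
class RedLineEvidence:
    unmanaged_remote_paths: int          # OT remote paths lacking MFA, session logging or revocation
    it_ot_perimeter: bool                # electronic security perimeter with zone/conduit separation
    sis_isolated: bool                   # safety instrumented systems on their own segments
    asset_inventory_coverage: float      # fraction of the known OT/ICS/IoT estate discovered
    last_threat_intel: Optional[date]    # last advisory review, IOC ingestion or ISAC participation
    last_recovery_test: Optional[date]   # last documented recovery or continuity test

def _stale(last: Optional[date], as_of: date, max_age: timedelta) -> bool:
    """True when nothing is recorded, or the last activity is older than max_age."""
    return last is None or as_of - last > max_age

def evaluate_red_lines(ev: RedLineEvidence, as_of: date) -> List[str]:
    """Return the identifier of every red-line condition the evidence leaves unresolved."""
    triggered = []
    if ev.unmanaged_remote_paths > 0:
        triggered.append("RL-1")
    if not ev.it_ot_perimeter:
        triggered.append("RL-2")
    if not ev.sis_isolated:
        triggered.append("RL-3")
    if ev.asset_inventory_coverage < 0.60:           # page threshold: below 60% coverage
        triggered.append("RL-4")
    if _stale(ev.last_threat_intel, as_of, timedelta(days=90)):    # preceding 90 days
        triggered.append("RL-5")
    if _stale(ev.last_recovery_test, as_of, timedelta(days=730)):  # 24 months, assumed as 730 days
        triggered.append("RL-6")
    return triggered

def gated_band(triggered: List[str], composite_band: str) -> str:
    """The red-line gate overrides whatever band the composite formula produced."""
    return "Critical Exposure" if triggered else composite_band

def gold_standard_eligible(triggered: List[str]) -> bool:
    return not triggered

# Constructed samples: an operator with two unmanaged vendor paths and four other gaps,
# and one with every condition resolved, both assessed as of the same date.
AS_OF = date(2026, 3, 7)
GAPPED = RedLineEvidence(2, True, False, 0.55, None, date(2023, 6, 1))
CLEAN = RedLineEvidence(0, True, True, 0.72, date(2026, 1, 20), date(2024, 9, 1))

if __name__ == "__main__":
    hits = evaluate_red_lines(GAPPED, AS_OF)
    print(hits, gated_band(hits, "Adequate Protection"), gold_standard_eligible(hits))
```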
Engagement · What you receive

When CISOs engage CCMM Cyber.
What arrives within 30 days.

The Executive Baseline assessment is designed to move fast. Most critical-infrastructure operators have board or regulatory pressure that cannot wait for a six-month engagement cycle.

When a CISO picks up the phone
Board is asking for a defensible posture view: directors requesting evidence of OT cyber-physical assurance before the next risk committee meeting.
Regulatory deadline approaching: SOCI Act CIRMP obligations, APRA CPS 230 deferred requirements (from 1 July 2026), NERC CIP changes, or NIS2 timelines.
Insurer or broker requesting stronger assurance: cyber insurers increasing OT-specific underwriting requirements. Brokers asking for a posture position before renewal.
Near-miss or exercise exposed uncertainty: a security event or tabletop exercise has revealed gaps that cannot be easily explained to leadership or a regulator.
M&A, supplier risk, or vendor access review: acquisition due diligence, a supplier review, or a vendor remote-access audit requiring a structured OT posture view.
What arrives within 30 days
Executive Baseline — Package A deliverables
Indicative CPS view (Day 1–14): initial Cyber Posture Score across all five dimensions with gap identification.
Red-line condition assessment (Day 1–14): all six red-line conditions assessed with evidence status documented.
Jurisdiction crosswalk snapshot (Day 14–21): your active regulatory obligations mapped to the assessment findings.
90-day remediation priorities (Day 21–28): priority list ordered by risk impact and regulatory obligation.
Executive briefing document (Day 28–30): board-ready summary with regulatory narrative, formatted for a risk committee.
Package A fee credited against Package B if the full assessment proceeds within the same engagement year.
Positioning · What CCMM Cyber is

Built for board scrutiny.
Structured for operational reality.

A documented cyber-physical assurance method for critical infrastructure — not a generic control review, not an OT monitoring platform, not a compliance checklist.

One method across IT, OT, and IoT: the same analytical method applies to your corporate IT environment, OT process control systems, and industrial IoT devices, with explicit IT/OT boundary scoring.
Three jurisdictions, one common method: Australian SOCI Act, North American NERC CIP, and European NIS2 obligations assessed through one method. Jurisdiction reporting kept separate from the common CPS score.
Three outputs, three different clocks: CPS is your board certificate, certified annually. TCI is your operational view, near real-time. ACI is case-specific, generated per incident. Never blended into one number.
Externally reviewed, documented methodology: Stage 1 and Stage 2A specification documents are available to verified professionals on request. Not a slide deck, but a citable methodology record.
What CCMM Cyber is — and what it is not
What it is:
A cyber-physical assurance method that produces a board-defensible score
A prioritisation tool that respects safety, uptime, and recovery realities
One common method working across AU, NA, and EU obligations without rebuilding the assessment
A portfolio dashboard separating posture, live threat state, and incident attribution
What it is not:
A GRC checklist or compliance automation platform
An OT monitoring or managed detection platform
A generic cyber maturity review applied to OT environments
A single blended number that conflates three analytically distinct questions
Method reference
Abeysekera, P. (2026). Conditional Consequence Mapping and the 0.001% Problem. SSRN Abstract ID 6364078. Submitted 7 March 2026, currently under review. Stage 1 and Stage 2A documents available to verified professionals on request.
Methodology · What has been built

An externally reviewed architecture.
Not a concept. A documented specification.

Two formal technical documents are complete and available to verified security professionals on request. The full framework, sector guides, and validation protocol are in active development.

What the specification contains
3 outputs · CPS, TCI, and ACI formally separated: three distinct outputs with separate cadences, evidence types, and audiences. Never blended into one number.
5 dimensions · Construct definitions locked with boundary rules: each dimension has explicit inclusions, exclusions, and nine cross-dimension boundary rules preventing double-counting.
6 red lines · Hard-fail conditions with evidence requirements: six conditions trigger the automatic Critical Exposure band regardless of other scores.
4 classes · Evidence taxonomy (compliance, telemetry, intelligence, expert judgement): every formula input carries four mandatory metadata fields: reliability, freshness, coverage, confidence.
11 frameworks · Regulatory mapping underway, version-aware: ISM, PSPF, Essential Eight, SOCI Act, NERC CIP, E-ISAC, NIS2, IEC 62443, NIST CSF 2.0, APRA CPS 230, ISO 27001.
3 streams · AU, NA, and EU precisely defined: each stream carries an explicit jurisdictional scope statement. Portfolio dashboard does not constitute regulatory compliance in any jurisdiction.
Document development chain
Stage 1 — Architecture Document (complete): domain framing, three-output model, three-stream model, formula pipeline, external review record, gate confirmations.
Stage 2A — CPS Formula Architecture (complete): five-dimension construct definitions, evidence taxonomy, six red-line conditions, gated composite formula, Gold Standard requirements.
Stage 2B — Control Framework Mapping Tables (in development): ISM, Essential Eight, SOCI Act, NERC CIP, NIS2, IEC 62443, NIST CSF 2.0. Version-aware. Three streams per v1 sector.
Stage 2C and 2D — Likelihood Tables and Sector Guides (queued): P(E|H) tables for OT/IoT. Five v1 sector guides: electricity, water, oil and gas, aviation, industrial IoT.
Validation Protocol — Companion Document (queued): back-testing, AHP calibration, inter-rater reliability, sensitivity analysis, version governance.
Stage 1 and Stage 2A are available to verified professionals on request — security leads, risk advisors, IRAP assessors, and regulators.
Engagement model · Pricing

Advisory-led entry.
Certification-led expansion.

CCMM Cyber is priced as assurance — not software seats. Base fee reflects scope, sector, and jurisdictional complexity. All prices are indicative starting points confirmed after a scoping consultation.

Package A · Land · Executive Baseline
First engagement. Board-ready within 30 days. No CPS certificate — designed to lead to Package B.
Starting at $18,000 AUD · 1 sector · 1 jurisdiction stream · up to 3 sites · ex. GST
Deliverables:
Indicative CPS view and red-line condition assessment
Jurisdiction crosswalk snapshot for your active stream
Executive briefing document and 90-day priority roadmap
IT/OT boundary and vendor remote-access review
Package A fee credited against Package B if the full assessment proceeds within the same engagement year. Additional sites from $4,500. Second jurisdiction overlay from $3,500.
Package B · Core · Most common · CCMM Cyber Assurance
Annual certification. Full five-dimension CPS assessment. Gold Standard eligible.
Starting at $45,000 AUD · Annual · 1 sector · 1 jurisdiction stream · up to 5 sites · ex. GST
Deliverables:
Full CPS score with certified band assignment
TCI snapshot at assessment date
Jurisdiction-specific regulatory annex for your active stream
Audit-ready evidence pack and remediation roadmap
Attestation-ready board and risk committee report
Second jurisdiction overlay from $8,500. Additional sites beyond 5 from $6,000 per site.
Package C · Enterprise · Portfolio Assurance
Multi-site or multinational groups. Parent dashboard. All active jurisdiction streams.
Starting at $95,000 AUD · Annual · Multi-site · All active streams · ex. GST
Deliverables:
Group portfolio dashboard with site-level CPS certificates
Per-stream regulatory annexes for all active jurisdictions
Quarterly TCI updates (2 included) and major-change reassessment (1 included)
Annual portfolio trend pack, board pack, and supplier exposure reviews
Portfolio dashboard does not constitute regulatory compliance. Site-level and jurisdiction-specific annexes are reported separately and never aggregated into a single cross-jurisdiction compliance number.
All three streams active (AU + NA + EU): starting at $145,000 AUD annually.
Package D · On-demand · Incident and Exercise
Incident review, near-miss assessment, tabletop scoring, regulatory evidence support.
Starting at $22,000 AUD · Per defined engagement · scope-bounded · ex. GST
Deliverables:
ACI attribution confidence review for confirmed or suspected incident
Tabletop exercise scoring and gap report
Post-incident board memo and regulator-facing evidence support
Post-M&A OT due diligence assessment
Scope and deliverables confirmed in writing before engagement commences. Incident engagements: priority scheduling within 48 hours. Package C clients receive one Package D per year at no additional cost.
All prices AUD exclusive of GST · GST applies to Australian purchasers · International clients subject to applicable local tax treatment
Indicative starting points · Final pricing confirmed after scoping consultation · GABEY Consulting Pty Ltd ACN 121 511 055
Operational Assurance · Platform

From point-in-time assurance
to continuous cyber-physical oversight.

The current engagement model delivers certified assurance at defined intervals. The Operational Assurance platform extends this into a programme-level capability — continuous TCI monitoring, automated OT anomaly convergence, and board-ready CPS reporting on a defined cadence.

Real-time TCI monitoring: Threat Convergence Index updated as IT monitoring, OT telemetry, and threat intelligence feeds are ingested. Operational escalation triggers built in.
Automated OT anomaly convergence scoring: TAI-Cyber running against your OT protocol baselines. Cross-boundary IT/OT indicator correlation. Red-line condition monitoring.
Cross-stream regulatory posture tracking: AU, NA, and EU stream posture tracked simultaneously. Regulatory change alerts when mapped control families are updated or superseded.
Board-ready CPS reporting on a defined cadence: quarterly CPS refresh with trend analysis, certification status, and remediation progress formatted for board and risk committee delivery.
In development — timeline confirmed on request
CCMM Cyber · Operational Assurance · Dashboard (illustrative signals)
CPS · Cyber posture score · Current period: 72 · Adequate Protection
All gates passed · 1 red-line cleared · CPS-R below Gold Standard minimum
Dimension scores: CPS-C 81 · CPS-A 74 · CPS-T 70 · CPS-R 63 · CPS-I 77
Streams: AU active · NA active · EU scoped
TCI · Threat Convergence Index · Live: 0.58