Australians are currently witnessing the greatest technological change in a lifetime, and it shows no signs of slowing down. Emerging technologies like artificial intelligence (AI) and quantum capabilities have the potential to completely revolutionise how we work and live within the next decade.
As a global leader in infrastructure development, Australia faces the challenge of preparing for a future that cannot yet be seen. The question is: how can today’s designs anticipate and withstand the capabilities and vulnerabilities that may emerge over the next 30 to 50 years?
In this article:
- Challenges in critical infrastructure for emerging technologies
- Concentration risk - an industry-wide challenge
- Navigating systemic risks in critical infrastructure
- Proactive Security Leadership
- FOCI and international standards
Challenges in critical infrastructure for emerging technologies
For software or even standard IT systems, changes in technology can be easily managed, and applications and networks can be easily accessed, changed or replaced. In contrast, change in industrial control systems and operational technology (OT) comes with significant consequences. As major infrastructure projects lay thousands of kilometres of fibre, cables, poles, and lines, many may struggle to meet tomorrow’s security standards, let alone future ones.
For example, Snowy Hydro 2.0, a NSW renewable energy megaproject currently under construction, has already excavated around nine kilometres of tunnels to build a power station 800 metres underground. Security is a critical priority, as replacing components deep within the facility could take months and risk disrupting Australia’s energy supply. In such cases, the cost and complexity of upgrading or replacing technology may outweigh the immediate benefits, creating a long-term technology debt trap for future generations.
Major projects like Snowy Hydro 2.0 highlight how interconnected infrastructure creates new layers of vulnerability. Addressing these challenges requires rethinking traditional security models, starting with Zero Trust and the management of concentration risk across critical systems.
Zero Trust: The Next Frontier for Operational Technology
Global adoption of Zero Trust is accelerating.
Zero Trust addresses vulnerabilities through continuous authentication and authorisation processes to protect critical resources. However, implementing Zero Trust is particularly challenging at the edge of OT and systems that were not originally designed for ongoing networked access.
Many of these systems operate in hazardous, ruggedised and/or hard-to-reach environments, requiring reliance on secure remote access rather than direct physical interaction. Australia will need to link cyber resilience explicitly to critical technology resilience, including edge and OT environments with long service lives.
Concentration risk - an industry-wide challenge
Concentration risk - the reliance on a limited number of suppliers or service providers - is a persistent challenge across the OT sector.
Many edge devices are remotely accessed or monitored by a mix of third parties, including cybersecurity providers, maintenance firms, and original equipment manufacturers. Increasingly, these devices include built-in 4G connectivity for remote monitoring, often without this feature being clearly documented in their design.
This creates additional, often unknown, points of access, leaving critical systems potentially vulnerable to both accidental misconfigurations and malicious interference.
Navigating systemic risks in critical infrastructure
On a national scale, starting from scratch with a rip-and-replace approach to these devices and systems would disrupt essential services. Blanket bans on specific providers concentrate the supplier landscape, creating unavoidable concentration risks.
Therefore, organisations need a way to retrofit Zero Trust to edge and OT environments with compensating controls, and to prove that suppliers are managing defined risks and accessing and managing data as agreed.
Vulnerability management often focuses on severity rather than overall risk, leading to uncontrolled backlogs on systems where patching is difficult or unsafe. Data flows, including cross-border transfers, broker activity and model training or scraping, are opaque. Organisations often cannot enumerate who has access to critical datasets, where copies are stored and which sub-processors or brokers are involved, making timely detection difficult. Data localisation regulation globally has supported local access to data held “onshore” for many nations, including the PRC and India. For Australian entities, this means data that is processed or stored offshore, or accessed by offshore teams, may be legally accessible by government officials of that nation, which is a breach in an Australian context.
Rapid cloud adoption increases the blast radius of breaches and propagates copies of sensitive data across providers and jurisdictions, while AI systems can harvest or learn from datasets that were not intended for that purpose.
Trust in critical datasets depends on identity, encryption and integrity controls that are not consistently applied. Agencies and industries lack a clear, enforceable model for assessing and mitigating foreign influence in technology supply chains without blocking legitimate global solutions.
Proactive security leadership
Many solutions in the OT and critical infrastructure space will come from service providers and manufacturers rather than industry or government alone. However, these solutions must be guided proactively by the “Secure by Demand” approach established by the US Cybersecurity and Infrastructure Security Agency and adopted by the Australian Cyber Security Centre.
The Commonwealth can leverage existing legislation to implement a single, risk-based model that integrates Zero Trust principles at the edge, protecting critical data.
Under the Security of Critical Infrastructure Act 2018, a national risk matrix could be applied to edge and OT assets with retrofittable control profiles, avoiding the need for wholesale replacement.
The matrix could also enforce risk-based vulnerability management, including defined timelines, compensating controls, an exception register for unmet profiles, and supply-chain assurance obligations, such as FOCI attestation, transparency, and proportionate mitigating controls.
Co-governance of data and access
Government and industry should co-govern access and data protection through a national data-flow schema and secure reporting/sharing gateway. This would enable lawful sharing of access logs, a common taxonomy, and faster remediation, without increasing legal risk for good-faith participants.
Critical datasets should adopt a Zero Trust model with least-privilege access, continuous verification, integrity checks, and logged access and transfers. Independent archives should preserve backups or images for retrospective examination. Designation should be risk-based and sector-agnostic, with custodians maintaining dataset registers, provenance records, and tamper-evident logs of access and cross-border transfers, including brokers and sub-processors.
FOCI and international standards
FOCI treatment should set thresholds for material foreign ownership or influence, require disclosure of ultimate beneficial ownership, and mandate notification of changes, offshore support locations, and lawful access pathways. Alignment with IEC 62443 (OT), NIST SP 800-207 (Zero Trust), and AS ISO/IEC 27001/27002 will support auditing and international interoperability. Commonwealth Procurement Rules can reinforce these baselines through government buying power.
This model aligns with existing goals of Australia’s 2023-30 Cyber Security Strategy:
- Shield 1: baseline uplift and reporting safe harbour
- Shield 4: sovereign capability and supplier assurance
- Shield 5: national threat blocking and incident response
Supplier engagement and future-fit security
Secure by Demand initiatives should encourage major suppliers and service providers to share information with industry and government, support right-to-audit initiatives, and identify “future-fit” security requirements for critical infrastructure products and services.
Domestic testing and certification
Finally, Australia should establish a domestic capability to test componentry for specification compliance, hardening, and resilience. This high-assurance testing capability could certify suppliers and providers to deliver equipment for sensitive or critical infrastructure projects.
Conclusion
As Australia enters an era defined by rapid technological transformation, the resilience of its critical infrastructure will depend on foresight, collaboration, and adaptable security frameworks.
Building future-fit systems requires integrating Zero Trust principles, managing concentration risk, and ensuring transparency across complex supply chains.
By fostering stronger partnerships between government and industry and embedding security within design and procurement from the outset, Australia can safeguard its technological progress without compromising innovation or national resilience.
Thales Cyber Services ANZ is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government.




