IT-OT Convergence: What Happens When Two Worlds Collide?
Posted: Wednesday, Sep 10

Most people think cybersecurity is all about data breaches, suspicious links, or adversaries trying to get access to your accounts. But in recent years, the space has gone beyond computers and firewalls. Today, cybersecurity also means keeping the power on, the water safe, and hospitals operational.

Recently on the DevSecOops podcast, hosts Tom Walker and James Vincent sat down with Sam Mackenzie, Management Committee Member at Australian Control Room Network Association, and Karl Dawson to explore one of the most pressing yet often overlooked challenges in the industry: protecting Australia’s critical infrastructure, especially now that OT and IT are no longer in separate lanes.

For years, IT and OT operated in separate worlds. IT looked after the digital side of things, such as emails, networks, and data security, while OT kept the physical world running, from factory floors to power stations. Simply put, IT is concerned with digital assets and information, while OT deals more with critical infrastructure.

As organisations sought more efficiency, these two distinct worlds started to overlap, blurring the lines between them. The problem? It opened the door to new and greater risks, making the space harder to protect. A breach in IT could affect more than the reputation and financial capacity of an organisation. It could also cut across into OT, potentially shutting down critical infrastructure and causing more complex problems.

Sam and Karl also gave another reality check: much of Australia’s critical infrastructure, like MRI machines that run on Windows NT or Windows 95, is old and reliant on legacy systems. This may look like poor planning, but the two explained that these were deliberate choices. Updating one machine or system alone is costly, risky, and oftentimes impossible due to contractual or security constraints.

When asked how the OT space kept pace with security risks, Sam shared that it’s a real challenge, especially now that state-sponsored actors are well-funded. But for him, Australia has made progress with more legislation, the recent mandatory reporting requirement, and the involvement of its cybersecurity defence agency.

The group also discussed how IT and OT teams are structured in an organisation. Some organisations kept their teams completely siloed, while others merged them to encourage collaboration. As Tom pointed out, structure alone was not enough to address the divide between IT and OT teams, which is largely cultural.

So what needs to be done now? As Sam pointed out, cybersecurity is a team sport, making cross-floor collaboration necessary. For Karl, it’s collaborative security policies and industry standardisation. These will allow both IT and OT to work together, reduce complexity, and minimise risks in the space. After all, they need to do it together to protect the organisation’s assets and the country’s critical infrastructure.

Pamela Hornilla
Pamela Hornilla is a communications specialist with a degree in Development Communication. Currently pursuing her Juris Doctor degree, she explores the intersection between cybersecurity and public policy. She also focuses on translating complex cybersecurity issues into digestible and relatable content to empower readers into making sound cybersecurity decisions.