The Blur Between Cloud, OT, and Critical Infrastructure
Posted: Thursday, Jun 05

Cordant’s DevSecOops podcast brings together the trio of Tom, Scott, and James for what turned into a timely, thoughtful discussion about the intersections of cloud technology, operational technology (OT), and critical infrastructure.

Recent news out of the US and Australia contrasts the US regulatory crackdown on Chinese smart vehicle tech, driven by national security concerns, with Australia’s more open-armed approach to electric vehicles plugging directly into the energy grid. This contrast perfectly sets up the core dilemma: how do you regulate technology that moves faster than governance structures can adapt?

Scott draws from his own recent experience: he replaced his petrol-guzzling Mustang with a Tesla Model 3. He’s gone ‘all in’ on the Tesla ecosystem: the car, the solar panels, the battery storage, the charging. Scott admits part of his decision is about trusting Tesla’s (perceived) superior security. But, as he and James point out, most car owners won’t set up dedicated home firewalls, leaving them reliant on manufacturer standards that are often opaque and unreliable.

Tom plays ‘the Luddite’ foil, opening up a frank discussion about people’s resistance to giving up direct control to software, whether in vehicles or in the move to cloud in IT. Just as cloud forced operational teams to confront large changes in control and visibility, so too does the proliferation of connected vehicles and home power management systems. Today’s electric vehicles and home power systems (like Tesla’s Powerwall) blend consumer tech, OT, and IoT, and are already highly internet dependent. Scott highlights a wrinkle with his Powerwall 3: the latest updates force remote, cloud-based management. If the internet goes down, so does his ability to control his battery in real time.

The trio agreed that the “third leg” (internet connectivity) fundamentally changes the legacy OT model of being physically and logically air-gapped. James notes that as the definition of critical infrastructure expands (healthcare, transportation, education, etc.), ‘air gapping’ is no longer realistic. Industries must blur legacy lines between IT and OT, with frameworks and responsibilities adapting accordingly. But only about a quarter of organisations using cloud with critical OT/IoT feel skilled enough to manage it safely.

Regulatory frameworks lag behind. In Australia, for example, some health data can’t leave a single state, which might prevent disaster recovery. Global cloud distribution offers resilience but runs up against jurisdictional and sovereignty challenges. Scott argues that frameworks should serve as a baseline, not a final goal. Many organisations do the minimum, interpreting guidelines inflexibly. Real security posture comes from intelligent, ongoing risk assessments tailored to real-world needs, supported by independent testing (not just ‘checkbox compliance’). Scott references cases where ‘air-gapped’ environments turned out far less secure because of manual processes like USB updates.

OT and IT teams should share tools, observability, and threat modelling. The skills gap in OT security will only widen as more devices come online. Disaster recovery and business continuity plans need regular, realistic testing, not just documentation. The impact of failure in OT (‘lives at stake’) is fundamentally different from IT. Frameworks must adapt to this reality, not just enforce uniform standards. The best organisations embrace regulator standards as a starting point, striving to exceed them with mature, pragmatic information security programs. This often means setting higher internal standards than what is currently required by law.

Tom notes that tech can augment, rather than replace, human vigilance. Automation (in EVs, home energy, or SCADA systems) can help reduce dangerous complacency, but only if organisations are realistic about new attack vectors and remain ready to respond.

Cloud, IoT, and OT are inseparable, and the biggest risk may be underestimating the pace of change. Whether you’re a homeowner with solar, an IT decision maker, or just a pragmatist looking to stay afloat as tech grows, frameworks are a guide, not a guarantee. True resilience and security come from constant, context-aware risk assessment plus a willingness to let regulation inform, not dictate, your security posture.

Pamela Hornilla
Pamela Hornilla is a communications specialist with a degree in Development Communication. Currently pursuing her Juris Doctor degree, she explores the intersection between cybersecurity and public policy. She also focuses on translating complex cybersecurity issues into digestible and relatable content to empower readers into making sound cybersecurity decisions.