Episode Description
Podcast Synopsis: Critical Infrastructure and Operational Technology Cybersecurity
This episode features Sam McKenzie and Karl Dawson, two seasoned professionals in cybersecurity and operational technology (OT), discussing the convergence of IT and OT in critical infrastructure, and the growing complexity facing asset operators.
Sam McKenzie, head of technology operations at the City of Stonnington, shares his early experiences growing up off-grid, which fostered a lifelong interest in protecting essential services. With a 25-year career across telecommunications, energy, and healthcare, Sam emphasises the vulnerability of modern society's reliance on critical infrastructure. His perspective blends physical asset protection and cybersecurity, drawing parallels between safeguarding farm resources and national infrastructure.
Karl Dawson, a consultant at Cordant with a background in electronics and networking, outlines his journey from technician to cybersecurity professional. With experience in water utilities, energy, and government sectors, he has moved through helpdesk, project management, and penetration testing roles—especially in smart metering systems. Karl highlights the blurred boundary between IT and OT and notes the administrative, rather than purely technical, distinction that often separates the two.
The discussion explores:
- The definition of operational technology as an umbrella term covering industrial control systems (ICS), IoT, SCADA, and building management systems.
- The contrast between IT and OT: IT prioritises confidentiality and data integrity, whereas OT focuses on availability, safety, and physical control.
- The challenges introduced by the Security of Critical Infrastructure Act 2018 in Australia, which redefined the sectors deemed critical and added compliance complexity for operators.
Sam shares insights from his white paper on cyber-physical safety in Australia's critical infrastructure, based on interviews with over 50 industry leaders. He finds a persistent leadership gap in understanding and managing OT risks. This disconnect, he suggests, stems from legacy engineering assumptions being upended by the increasing interconnectivity of formerly isolated systems, often now exposed to insecure networks for operational efficiency.
Karl expands on this with practical considerations:
- Many OT environments remain air-gapped, but increasing digital integration introduces vulnerabilities.
- Legacy systems are often irreplaceable due to vendor constraints, budget limitations, and safety certifications, leaving infrastructure reliant on outdated software (e.g. Windows XP).
- Contractual and operational boundaries often prevent upgrades or the addition of modern monitoring tools, risking security in the name of availability.
The conversation underscores a central tension: the imperative to modernise OT systems versus the practical and financial limitations that inhibit progress. It concludes with reflections on how leadership must evolve its view—shifting from purely technical risk management to safety-focused governance that recognises the physical consequences of cyber events.
This episode delivers a clear warning: many critical systems continue to operate on fragile, outdated infrastructure while the attack surface expands. The burden of modernisation falls not just on engineers but also on executives and regulators to align operational, financial, and safety objectives.