OT Lapses Could Disrupt Australia's Digital Infrastructure

Australia is in the midst of a data centre boom. With almost 300 data centres either operating or planned across the country, there's increased focus on security and resilience. And while securing data and system assets is often at the top of mind, there's more to securing these important pieces of critical infrastructure.

Power, cooling, lighting and other physical systems need to be secured.

Jason Pearce, the Field CTO for Claroty, said a failure to think about the operational technology, or OT, that underpins the operation of these critical assets could lead to issues of national significance.

"Australia is investing in data capacity. We're a country that has a large data requirement across all industries but the risk as we start to build up this capacity is knowing if we have the right cyber resilience in place to ensure operational continuity."

Pearce suggested that the rush to build data centres brings a challenge.

They're industrial facilities, which means there's power, cooling, building management systems, and electrical systems. Physical systems aren't always protected with the same urgency sand that creates risk."

Attacks on industrial systems and OT aren't new. Stuxnet, in 2010, attacked industrial centrifuges in Iran. And in 2013, Target was attacked when a malicious party accessed point of sale terminals by accessing an air-conditioning system and then moving laterally through the network. Pearce said it's inevitable that a data centre will be attacked in the same way.

"I think it's going to happen for a couple of reasons. One is that if we don't know what we are trying to protect in our environments, then we're going to have black holes. I always say to customers, assumption is not resilience. You can't guess what you have in your fleet of assets. You really need to know."

Disruption of critical infrastructure is now seen as a weapon of war. Pearce noted that data centres are a major target in the current conflict in Iran.

"Both sides attacked major data centres in an effort to disrupt critical systems," Pearce said. "It creates a cascade effect. Hitting one major data centre could cripple, hundreds, or even thousands, of organisations. Cloud services, financial institutions and others could all stop. And it doesn't have to be a physical attack. Infiltrating a control system and moving laterally through a network can cause just as much damage."

Securing OT environments starts with visibility. In recent discussions with CISOs, Pearce said many don't have full visibility of remote access connections to industrial systems. In older environments, equipment that was never intended to have external connectivity remain configured with default usernames and passwords. Often, encryption can't be applied at the device level.  But Pearce says it is possible to protect these systems.

You can have an OT asset that's highly vulnerable, but if it's protected with compensating controls such as network segmentation, you change all the default credentials and you've got good access to this control in place, it can still function effectively.

"Very few organisations have and test incident response playbooks," he said. "I was with a large manufacturer recently that was running a tabletop exercise. The first question they asked was, 'What is the impact of this to the business?'. No one knew because they didn't have an OT person in the room. The OT asset owner knows the risk, knows the outcome and knows what remediation is required. If they're not involved in the process the whole process breaks down."

Over recent years, the Australian government has increased focus on the protection of critical infrastructure. The SOCI Act has placed reporting and notification obligations on data centre operators as well as many other sectors. For organisations engaging the services of data centre operators, Pearce says it's important to engage and understand the controls they have in place. He added having a 'kill switch' is important so things can be shut in moments of genuine risk.

For organisations looking to strengthen their OT security posture, there are several standards Pearce recommends considering. While NIST has been a staple for the IT world, its controls for OT environments provide consistency. Others might prefer IEC 62443 which provides specific guidance for industrial automation and control systems.

As Australia accelerates its data‑centre expansion, the stakes of overlooking operational technology are higher than ever. A single overlooked asset can become an open door for attackers. The path forward demands a culture of visibility, rigorous controls and hands‑on incident‑response planning that includes the OT owner at every step.

With the SOCI Act tightening reporting obligations and the reality that cyber‑war now targets critical infrastructure as readily as physical warfare, the only viable strategy is to use practical safeguards such as network segmentation, credential hardening, and a real‑time kill‑switch. Securing OT is critical for keeping Australia's data‑driven economy safe and resilient.