Australia is still treating critical infrastructure as if it belongs to a narrow group of industries.
Electricity, water, transport, and telecommunications remain essential, yet these sectors are no longer the only systems capable of causing nationwide disruption.
In reality, everything from automated logistics centres to industrial control systems to speciality suppliers now sits at the heart of national stability.
If you work in cyber, operations, engineering, or supply chain, you probably already know this.
You see how reliance on digital networks and operational technology (OT) has transformed the landscape.
A weakness in one small part of the system can escalate far beyond its immediate footprint, yet our national definitions have not evolved to recognise this shift.
However, threat actors certainly have.
They target the links between systems, not just the obvious high-value assets.
Many of the technologies that keep industrial operations running were never designed for hostile environments.
When these environments are unsecured or unencrypted, they create pathways for compromise that can spread quickly across a sector.
As organisations modernise, the level of standardisation is increasing. We use similar platforms, architectures, and OT stacks.
This is efficient, but it also means one successful exploit can affect dozens of sites.
I have seen how a single vulnerability in a shared system can cascade across multiple facilities.
The risk is no longer isolated.
It is systemic.
Compliance alone does not produce resilience
The Security of Critical Infrastructure Act (2018) recognised that cyber, physical, and environmental threats are interconnected.
It pushed Australia closer to an all-hazards mindset.

[Caption: Telecommunication remains essential but is no longer one of the only systems that sit at the heart of national stability. Photo: Shutterstock]
However, compliance requirements do not guarantee operational readiness. They are a starting point, not a safeguard.
If you rely only on compliance, you risk assuming that meeting minimum standards is the same as being resilient. It is not.
A secure internal environment offers limited protection if a supplier uses outdated OT protocols or if environmental damage to a remote asset breaks connectivity across a region.
Resilience requires understanding how your operations depend on outside systems, not just the ones you control directly.
This is where many organisations struggle.
They recognise the importance of security but underestimate the scale of the dependencies they rely on.
Critical infrastructure is no longer about what you own. It is about what you depend on.
Industry frameworks exist for a reason.
IEC 62443, TS 50701 for rail, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework for energy all address sector-specific interdependencies and risk paths.
If you overlook them, you introduce gaps that attackers can exploit.
A resilient organisation treats these frameworks as essential architecture, not optional guidance.
Small failures now have national consequences
One of the biggest shifts we face is that small components can now create large-scale disruption.
A compromised industrial sensor can shut down a production line. A failure in logistics coordination can delay essential goods nationwide.
A vulnerability in a widely adopted vendor platform can expose many organisations at once.
Supply chain convergence has made this problem more immediate.
Many Australian organisations rely on fewer vendors and more shared platforms than ever before.
While this increases efficiency, it also reduces the margin for error. If a key supplier is compromised, you will feel the impact almost instantly.

[Caption: Supply disruptions can be felt across Australia when critical infrastructure fails. Image: Shutterstock]
If one cloud service or shared platform fails, the disruption will propagate far faster than traditional models assume.
If a system can meaningfully disrupt operations, revenue, or public safety when it fails, then that system is critical.
It does not matter if it fits into the traditional list of critical infrastructure sectors. The criteria must be based on real-world consequences, not historical labels.
A realistic baseline for a connected nation
Australia needs a new baseline for critical infrastructure – one that reflects how the country actually functions, how disruption spreads, and where the real points of failure lie.
This baseline must be grounded in several truths:
· criticality depends on downstream impact, not industry labels
· standardisation has created shared exposure across organisations
· operational technology (OT) systems still contain protocols that prioritise availability over security
· supply chains form part of national infrastructure and must be treated accordingly
· minimum compliance standards do not stop cascading failures.
You cannot protect what you have not identified. You cannot build resilience around outdated assumptions.
If we continue to rely on a narrow definition of critical infrastructure, Australia will be caught off guard by disruptions that appear small yet have far-reaching consequences.
Resetting the baseline is not optional. It is the only way to prepare for the pressures that modern connected systems will inevitably face.
The question is no longer whether those pressures will come.
It is whether we will recognise what is truly critical before the moment of failure arrives.