Designing Defensible Architecture for Critical Infrastructure: Key Insights from Our Latest Architecting for Innovation Session
Critical infrastructure is entering a new era — one where resilience matters more than ever, and where the old assumptions about air‑gapped safety no longer hold. At our recent Architecting for Innovation lunch‑and‑learn, we were joined by Daniel Castillo, founder of Skadi Solutions and one of Australia’s leading voices in operational technology (OT) security. Daniel brought a rare blend of engineering depth, cyber experience, and national‑resilience insight to a topic that’s becoming central to every architect’s toolkit: defensible architecture for critical infrastructure.
This session was dense, practical, and at times confronting, exactly what our community shows up for.

Why Defensible Architecture Matters Now
Daniel opened with a clear message: critical infrastructure environments can no longer rely on air‑gaps or hope. Modern operations demand connectivity for predictive maintenance, remote operations, and centralised control, and that connectivity introduces risk.
As Daniel put it, resilience means “the capacity to continue operating even when threats are present”. With state‑sponsored groups like Volt Typhoon and the rise of OT‑specific malware, the threat landscape is shifting fast.
Legislation is shifting too. Guidance such as CL Fortify’s three‑month isolation requirement and “rebuild from scorched earth” scenarios are already influencing regulatory expectations.
Five Principles of Defensible Critical Infrastructure Architecture
Daniel walked us through a structured approach to designing environments that can withstand compromise without halting operations.
1. Establish OT Sovereignty
OT must retain a minimum level of independence from corporate IT.
Why? Because IT is the largest threat surface.
This starts with asset classification, understanding where configuration occurs, and identifying boundary points between management tiers and control systems.
2. Restrict Interfaces and Data Flows
Firewalls become not just security devices but isolation choke points.
Daniel emphasised pull‑based data flows: OT should be the authoritative source, pulling from or pushing to lower‑trust systems rather than the other way around.
3. Operationalise “Shields Up”
Isolation isn’t a panic move; it’s a planned capability.
Key isolation points include:
- IT → OT
- IT → Internet
- OT → OT (East‑West segmentation)
Rather than “ripping out the big red cable,” Daniel advocated for granular, deterministic degradation based on mapped dependencies.
4. Prioritise Safety, Reliability, and Performance (SRP)
SRP is the language of engineers, and determinism is the heart of defensible architecture.
If you disconnect a host or isolate a zone, you must know exactly what will happen. Predictability is everything.
5. Plan Proactively, Not Reactively
Architectural change in critical infrastructure is slow and often triggered by incidents. Daniel argued for embedding improvements into asset life cycles, greenfield tenders, and brownfield upgrades.
A practical starting point: the SANS Top Five Controls (backups, logs, remote access, patches, and asset visibility), which provide 1–2 years of foundational uplift.
Anti‑Patterns to Avoid
Daniel didn’t hold back on the pitfalls he sees repeatedly:
- Shared identity or domain trust between IT and OT (the biggest threat of all)
- IT tooling pushing patches directly into OT
- Configuration management performed from IT zones
- “God user → God server” management bypasses
His advice: break up privileged functions and enforce separation of duties across engineering workstations, network devices, and identity systems.
Isolation Scenarios: What Good Looks Like
Daniel presented a three‑tier “trench” model (IT, OT management, and local site control) and walked through real‑world scenarios:
- Internet‑borne threat: island IT from the internet while maintaining critical partner connectivity
- OT management compromise: isolate the site; local control logic keeps operations running
- Site‑local compromise: isolate the affected site to prevent lateral movement while protecting SIS and upstream control planes
This is resilience in action: the ability to degrade safely, not collapse.
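The trench model, the pull‑based flow rule from principle 2, and the “know exactly what will happen” requirement from principle 4 can be checked against a dependency map before an incident. The example below is added here and is not part of the session material or Skadi Solutions’ tooling; the tier names, flows and dependencies are constructed for illustration. It flags flows a lower‑trust tier initiates into a higher‑trust tier, and simulates “shields up” on one tier to report which flows are cut and which tiers lose a dependency they need to keep operating.

```python
"""Constructed model of a three-tier 'trench' architecture (IT, OT management,
local site control) plus the internet.  Higher number = more trusted.  Each
flow records which tier *initiates* the connection; a flow initiated from a
lower-trust tier into a higher-trust tier is the anti-pattern the session
warns about (IT pushing patches or configuration into OT)."""
from dataclasses import dataclass
from typing import Optional

TRUST = {"internet": 0, "it": 1, "ot_mgmt": 2, "site": 3}

@dataclass(frozen=True)
class Flow:
    name: str
    initiator: str                    # tier that opens the connection
    target: str                       # tier that answers
    required_by: Optional[str] = None  # tier that cannot operate without it

# Constructed sample flows (not from the page).
FLOWS = [
    Flow("historian-pull", "ot_mgmt", "it"),         # OT pulls, IT is lower trust: fine
    Flow("patch-pull", "ot_mgmt", "it"),             # OT pulls patches: fine
    Flow("it-push-patch", "it", "ot_mgmt"),          # IT pushes into OT: anti-pattern
    Flow("remote-config", "it", "site", required_by="site"),  # config from IT zone,
                                                     # and the site depends on it
    Flow("site-telemetry", "site", "ot_mgmt"),       # site pushes upward: fine
    Flow("partner-feed", "it", "internet", required_by="it"),  # critical partner link
    Flow("vendor-portal", "it", "internet"),
]

def wrong_direction(flows):
    """Names of flows a lower-trust tier initiates into a higher-trust tier."""
    return [f.name for f in flows if TRUST[f.initiator] < TRUST[f.target]]

def shields_up(flows, isolate, keep=frozenset()):
    """Isolate one tier: cut every flow touching it except those named in
    `keep` (e.g. critical partner connectivity).  Returns (cut flow names,
    tiers whose required dependency was severed) so the degradation is
    deterministic and known before the cable is pulled."""
    cut = [f for f in flows
           if isolate in (f.initiator, f.target) and f.name not in keep]
    impacted = sorted({f.required_by for f in cut if f.required_by})
    return [f.name for f in cut], impacted

if __name__ == "__main__":
    print("anti-pattern flows:", wrong_direction(FLOWS))
    print("island IT from internet/OT:", shields_up(FLOWS, "it", {"partner-feed"}))
    print("isolate OT management:", shields_up(FLOWS, "ot_mgmt"))
```

Isolating OT management cuts four flows and impacts no tier, matching the scenario where local control logic keeps running; isolating IT shows that the `remote-config` anti‑pattern has turned a management convenience into a site dependency.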
AI, LLMs, and the Future of OT Security
AI came up repeatedly, both in terms of risk and opportunity.
Daniel’s view:
- OT’s AI maturity is currently low
- SOC‑driven agentic workflows will trickle down
- The fundamentals still matter: permissions, credentials, and data classification
- Before integrating LLMs, organisations must first establish trusted, upstream data flows out of OT and into corporate data lakes
He also recommended starting with:
- A clear AI policy
- A GRC supplier questionnaire
- Contractual guardrails like Zero Data Retention (ZDR)
- Technical controls such as DLP inspection for outbound LLM traffic
Trusted Data Sharing and Industrial Clusters
When asked about secure data sharing across industrial clusters with inconsistent security maturity, Daniel’s advice was pragmatic:
- Define minimum requirements
- Uplift environments to meet them
- Capture deviations in an OT exception risk register
- Use standardised streaming mechanisms (MQTT, Kafka)
- Align all sites to a common blueprint
- Standardised architectures that support uniform and central transfer of data
Where Organisations Should Start
When I asked Daniel what the first step should be, he pointed to the looming regulatory environment — including the proposed three‑month isolation mandate expected by 2028.
His recommendation:
Start with the control systems, then uplift the SANS Top Five. This creates the foundation for everything that follows.
To view the session
Daniel’s slides
What’s Next for the Community
We closed the session just over the hour mark, with a lively discussion on controls, AI, and the practical realities of modern OT environments.
Next up, we’re shifting gears to a topic that’s becoming impossible to ignore: Great Architects Don’t Get Hired Anymore — They Get Seen. In this online lunch‑and‑learn, Trevor Churchley, Founder & Chief Talentologist at Talentology, will unpack why professional branding is no longer optional for architects who want true career sustainability, and how to stay visible, trusted, and in demand without feeling like you’re “selling yourself”.
If you want to future‑proof your architecture career and build a real pipeline of opportunities — permanent, contract, and fractional — this one’s worth making time for. RSVP Here
📅 Thursday, 11 June 🕧 12:30 PM – 1:30 PM AEST (Online)
A huge thank you to Daniel Castillo for sharing such deep, actionable insights, and to everyone who joined us for the conversation.