Critical infrastructure that fails safely.
The blast radius is national. AU SOCI 2018 + amendments, EU NIS2, US CIRCIA — the regulators are converging on the same shape: known supply-chain, evidenced controls, fast incident reporting, tested resilience. IT/OT convergence is the hard part: the substrate of one sector can’t pretend the other doesn’t exist.
The regulatory floor — critical infrastructure
- AU SOCI Act 2018 + 2022 SLACIP amendments · mandatory risk programmes, fast incident reporting
- EU NIS2 Directive · enforced; expanded scope; board accountability
- US CIRCIA · covered-entity 72-hour incident + 24-hour ransom-payment reporting
- IEC 62443 · the OT-security standard floor (industrial control systems)
- NIST SP 800-82 · OT cybersecurity guidance, latest revision
- SLSA v1.0 + SSDF · supply-chain attestation for IT/OT integration points
Run first.
The two diagnostics that surface the most critical-infrastructure-specific exposure. Each takes 2–4 minutes; results are shareable via URL hash; nothing is stored.
Diagnostic: DevSecOps Maturity
Supply-chain, identity, patching, observability. The SOCI/NIS2 risk-programme conversation reduces to these capabilities for the IT side of the estate.
Diagnostic: SRE Programme
Error budgets, blast radius, postmortems, runbooks. The resilience-testing obligation in NIS2 + DORA + SOCI is measured against this shape.
Reference architectures.
Opinionated paved-paths sized for critical infrastructure constraints — data residency, audit, supply-chain attestation, change-control.
Reference architecture: DevSecOps SLSA L3+ Paved Path
Build provenance + signed images + admission control. The IT-side substrate for SOCI / NIS2 supply-chain obligations.
Reference architecture: Platform Engineering IDP
Inherited golden signals + ownership + observability. The substrate that makes incident detection deterministic.
Reference architecture: Regulated GenAI Platform
For operators starting to use GenAI in operational planning / SCADA-adjacent contexts — with the audit pipeline + guardrails the sector needs.
Where critical infrastructure teams typically get stuck.
The most-common Tier 2 stuck-points in this sector, with the three substrate moves to the next tier.
Stuck tier: SRE — Operational
DORA Medium cluster. Three moves: define + enforce an error-budget policy for the top 3 services, track + bound toil, build + test runbooks for the top 10 alert types.
Stuck tier: DevSecOps — Repeatable
The IT-side gap that SOCI/NIS2 audits expose. Three moves: workload identity, SBOM owner-loop, policy-as-code at admission.
Stuck tier: Platform Engineering — Emerging
Inconsistent observability + ownership across the estate makes incident response longer than it should be. Three moves on the platform side.
Read next.
The essays and reference content that go furthest in critical infrastructure conversations.
Essay: DevSecOps is supply-chain
The supply-chain framing for SOCI / NIS2 / CIRCIA — why provenance + signing + SBOM-loops are now the conversation.
Essay: Platform engineering is the AI moat
The substrate argument that applies equally to OT-adjacent operators: inherited capabilities compound; bolted-on capabilities don’t.
Annual report: State of Enterprise Tech in Regulated Industries 2026
Board-ready briefing — critical infrastructure section.
Common anti-patterns in critical infrastructure.
The named failure modes that show up most across critical infrastructure engagements. The catalogue has all 15; these four are the ones that recur here.
Anti-pattern: Vault Theatre
Static credentials in IT estates that bridge to OT. The audit trigger for SOCI ML2-equivalent maturity.
Anti-pattern: SBOM Shelfware
NIS2 + CIRCIA expect the loop, not just the artefact, when reporting incidents.
Anti-pattern: PDF Principles
Encoded principles are what survives the 3am incident; documented ones aren’t.
Anti-pattern: KPI Cargo Cult
Reliability metrics presented without policy consequences are reporting theatre, not resilience.
Working on this in Critical Infrastructure?
If you’re responding to SOCI / NIS2 / CIRCIA obligations, hardening IT-OT integration points, or rebuilding the SRE programme behind a critical-service SLA — I run focused engagements with the architecture / platform / security partners that own this work.
How I work · contact@hellouchit.com