You Can’t Secure What You Can’t See: The Intelligence Stack Beneath Modern Cyber Defence

Security intelligence is only as good as the infrastructure that produces it.

Before an organisation can validate its exposure, respond to threats, or reduce risk in any meaningful way, it needs reliable, comprehensive telemetry flowing from every layer of its operating environment: not just its endpoints, but its network, its operational technology, its distributed edge infrastructure, and its data supply chain. For most Australian enterprises, significant blind spots exist in one or more of those layers. Closing them is not primarily a cyber problem. It is an infrastructure problem with severe security consequences.

Key Takeaways

  • Security tooling is only as useful as the telemetry it receives. Incomplete, siloed, or inconsistently formatted data from across the infrastructure stack produces a distorted security picture, one that generates false confidence rather than genuine insight.
  • East-west traffic (lateral movement within the network) is where attackers operate after gaining a foothold, and it remains poorly monitored in many enterprise environments. Endpoint and cloud tools alone cannot provide adequate visibility into this layer.
  • For organisations in utilities, resources, and critical infrastructure, IT/OT convergence has significantly expanded the attack surface. Most OT systems cannot support agents, making network-based visibility the primary available mechanism and asset discovery the unavoidable first step.
  • Edge computing environments in distributed operations present a growing visibility gap. Security monitoring architectures designed for centralised environments struggle to provide consistent telemetry coverage across geographically dispersed deployments.
  • Data sovereignty is not a separate governance issue: it is integral to the intelligence stack itself. For Australian organisations operating under the SOCI Act and the Privacy Act, the location of security telemetry about critical infrastructure systems has direct legal and compliance implications.

Telemetry Integrity: The Foundation That Most Programmes Overlook

The past decade of security investment has been heavily weighted toward tooling: SIEM platforms, endpoint detection and response, threat intelligence feeds, vulnerability management solutions. Organisations have invested significantly in the systems that process and act on security data. They have invested considerably less in the quality and completeness of the data itself.

Telemetry integrity — consistent, comprehensive, and trustworthy data flowing from all relevant infrastructure layers into a coherent operational picture — is the unglamorous prerequisite that determines whether a security programme is working from accurate information or from a partial view. When telemetry is incomplete, delayed, siloed between platforms, or inconsistently formatted across different parts of the infrastructure stack, the security picture becomes distorted. Gaps appear as silence rather than as signal. Threats that exist outside the monitored perimeter are simply invisible.

The consequence is a pattern that ASD’s ACSC has directly observed: organisations being notified of malicious activity in their environments before they have detected it themselves. In FY2024–25, ASD’s ACSC proactively notified entities of potential malicious cyber activity more than 1,700 times, an 83% increase from the previous year (ASD’s ACSC Annual Cyber Threat Report, 2025). These organisations had security programmes. They lacked the telemetry infrastructure to identify activity that was already underway in their environments.

Building a sound intelligence stack means asking a question that precedes tooling decisions: from which parts of the environment is data currently flowing, and from which parts is it absent? The answer is rarely comfortable.

The East-West Gap: Where Attackers Operate and Defenders Are Least Prepared

Most enterprise security monitoring is oriented toward the perimeter: toward north-south traffic, the flow of data between internal systems and the external network. Firewalls, intrusion detection systems, and gateway controls have historically been designed and deployed to manage that boundary. The assumption embedded in that architecture is that the threat originates outside the organisation.

Attackers who have already gained a foothold do not operate at the perimeter. They move laterally across the network, from one system to another, escalating privileges, locating high-value targets, and persisting. That movement occurs within the network, in the traffic that passes between internal hosts, and it is precisely the layer that traditional perimeter-focused monitoring is least equipped to observe. Lateral movement is difficult to detect in part because it mimics legitimate user behaviour, using standard administrative protocols and blending into the background noise of internal system communication.

Research indicates that over 70% of successful breaches leverage lateral movement techniques (Elisity, 2024). Yet most organisations have minimal visibility into east-west network traffic, particularly where they rely on legacy segmentation approaches not designed for modern threat patterns. When lateral movement goes undetected, the attacker gains time — and time spent undetected is time spent expanding access, mapping the environment, and positioning for impact.

Network-level visibility into east-west traffic is not a supplementary capability. It is the layer that reveals attacker behaviour that endpoint and cloud tools will miss entirely, because those tools are oriented toward individual systems rather than toward the traffic that connects them.

IT/OT Convergence and the Visibility Problem Unique to Critical Infrastructure

For organisations operating in utilities, resources, manufacturing, and other critical infrastructure sectors, the security visibility challenge is compounded by the convergence of information technology and operational technology environments. IT/OT convergence has connected systems that were designed to operate in isolation (SCADA systems, distributed control systems, programmable logic controllers) to networks that now carry enterprise traffic. The operational benefits of that connectivity are substantial. The security implications are significant and not yet fully understood in most organisations.

OT systems were designed for availability and reliability, not for security observability. Most cannot support software agents. Many run proprietary protocols that standard IT security tools do not understand. Configuration changes carry safety risk in environments where system behaviour is tied directly to physical processes. Aggressive scanning (routine in IT security practice) can cause unexpected behaviour in OT systems, making conventional asset discovery approaches inappropriate in these environments.

The result is an environment where network-based monitoring is often the only viable mechanism for gaining security visibility. But that monitoring must be passive and protocol-aware, capable of understanding industrial protocols like Modbus, Profinet, and DNP3 without disrupting the operational processes those protocols carry. Orro works with organisations across utilities and resources where the gap between the known IT asset inventory and the actual OT asset footprint is substantial, sometimes including legacy devices that have not appeared in any asset register for years but which are actively communicating on the network.

Dragos’s OT Cybersecurity Year in Review found that in many industrial environments, between 30% and 50% of assets remain unknown or unmanaged (Dragos, OT Cybersecurity Year in Review, 2025). In environments where an undetected compromise could trigger a safety event or disrupt the delivery of critical services, that visibility gap is not a technical shortcoming: it is an operational and regulatory risk.

ASD’s Principles of Operational Technology Cybersecurity, co-published with international intelligence partners in October 2024, makes asset inventory the cornerstone of OT security. The guidance directs operators to identify every OT asset, capture its role, location, and dependencies, and classify it by criticality, with that inventory kept current to inform risk assessments and prioritisation (ASD’s ACSC, Principles of Operational Technology Cybersecurity, 2024). ASD’s CI Fortify guidance, released in 2025, reinforces the same point for operators managing systems under the Security of Critical Infrastructure Act — identifying a complete and current OT asset inventory as the first and most critical preparatory step before any crisis or disruption scenario (ASD’s ACSC, CI Fortify, 2025).

Edge Computing and the Distributed Intelligence Challenge

The growth of edge computing has created a new category of visibility challenge for organisations operating in distributed or remote environments: mine sites, energy substations, water treatment facilities, remote telecommunications infrastructure, and logistics networks. In these environments, compute and data increasingly live at the edge rather than in centralised data centres. Operational decisions are being made closer to the physical systems they affect, and connectivity to central infrastructure is often constrained by bandwidth, latency, or geographic isolation.

Security monitoring architectures designed for centralised environments are poorly suited to these deployments. Telemetry that must traverse long distances or unreliable network paths before it can be processed loses its timeliness. Monitoring that relies on consistent connectivity to a central collection platform will have gaps whenever that connectivity is degraded. Devices at the edge may sit in environments with limited physical security, operating with minimal ongoing management oversight.

For Australian operators of remote industrial infrastructure, this creates a blind spot that grows in proportion to the edge computing footprint. ASD’s ACSC Annual Cyber Threat Report 2024–25 specifically identified edge devices (network components positioned at the network periphery, including routers, firewalls, and VPN products) as a particularly vulnerable category, noting that ASD’s ACSC observed more than 120 incidents associated with edge device attacks, with 96% proving successful (ASD’s ACSC Annual Cyber Threat Report, 2025). The visibility and configurability of these devices remains a significant gap in many enterprise environments. Bringing edge infrastructure into a coherent intelligence picture requires purpose-built telemetry architecture, not an afterthought in the form of intermittent log forwarding.
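The two points above, that telemetry gaps "appear as silence rather than as signal" and that edge collection has gaps whenever connectivity is degraded, can both be made visible with a coverage check that compares what the source register promises against what actually arrived. The script below is an added example and not Orro's code: the source register, the reporting intervals and the event lines are all constructed for illustration, and the line format ("timestamp, source name, sequence number") is an assumption rather than any particular product's export.

```python
"""Telemetry coverage check: report the silence, not just the signal.

Added example, not Orro's code. The register of expected sources, the
reporting intervals and the event lines are all constructed for illustration.
Input format per line: "<ISO-8601 timestamp> <source name> <sequence number>".
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Source:
    name: str
    layer: str        # constructed label: "it", "ot" or "edge"
    interval_s: int   # longest expected gap between records from this source


# Constructed register of every collector feed the programme relies on.
REGISTER = [
    Source("fw-edge-01", "edge", 60),
    Source("sub-rtu-07", "ot", 300),
    Source("plc-line-3", "ot", 300),
    Source("dc-core-sw1", "it", 60),
]

# Constructed sample of what actually arrived at the collector.
SAMPLE_LINES = """
2025-06-01T10:00:00+00:00 fw-edge-01 100
2025-06-01T10:01:00+00:00 fw-edge-01 101
2025-06-01T10:02:00+00:00 fw-edge-01 103
2025-06-01T09:30:00+00:00 sub-rtu-07 40
2025-06-01T09:59:00+00:00 dc-core-sw1 7
2025-06-01T10:00:00+00:00 dc-core-sw1 8
2025-06-01T10:00:30+00:00 cam-gate-02 1
"""
NOW = datetime(2025, 6, 1, 10, 2, 30, tzinfo=timezone.utc)


def parse_events(lines):
    """Parse event lines into (timestamp, source, sequence) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, seq = line.split()
        events.append((datetime.fromisoformat(ts), src, int(seq)))
    return events


def coverage_report(register, events, now, silence_factor=3):
    """Compare what the register promises with what the collector received.

    silent:         registered sources whose last record is older than
                    silence_factor * interval (degraded link, dead forwarder)
    never_reported: registered sources with no records at all (a blind spot)
    seq_gaps:       count of missing sequence numbers per source (records lost
                    in transit, e.g. a store-and-forward buffer that overflowed)
    unregistered:   sources that report but are not in the register (the
                    register itself is stale)
    """
    last_seen, seqs = {}, {}
    for ts, src, seq in events:
        last_seen[src] = max(last_seen.get(src, ts), ts)
        seqs.setdefault(src, set()).add(seq)

    report = {"silent": [], "never_reported": [], "seq_gaps": {}, "unregistered": []}
    for s in register:
        if s.name not in last_seen:
            report["never_reported"].append(s.name)
            continue
        age = (now - last_seen[s.name]).total_seconds()
        if age > silence_factor * s.interval_s:
            report["silent"].append(s.name)

    known = {s.name for s in register}
    for src, seen in seqs.items():
        missing = set(range(min(seen), max(seen) + 1)) - seen
        if missing:
            report["seq_gaps"][src] = len(missing)
        if src not in known:
            report["unregistered"].append(src)
    return report


def run_sample():
    """Run the check over the constructed sample against the constructed register."""
    return coverage_report(REGISTER, parse_events(SAMPLE_LINES.splitlines()), NOW)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed sample the check reports the RTU as silent (its last record is far older than three reporting intervals), the PLC feed as never having reported, one dropped record from the edge firewall, and a camera gateway that is sending telemetry without being in the register. Each of those is a gap that would otherwise look like a quiet, healthy source.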

Data Sovereignty and the Governance Dimension of Security Intelligence

The intelligence stack is not only a technical question. Where security telemetry is processed, stored, and analysed carries legal and compliance weight that Australian organisations operating in regulated sectors cannot treat as secondary.

For organisations that fall within the scope of the Security of Critical Infrastructure Act, security telemetry about their regulated assets, including the operational data that flows through OT monitoring systems, is itself sensitive information. Offshore processing of that telemetry may conflict with obligations under the Act and with the governance frameworks those organisations are required to maintain. Under the amended Privacy Act 1988, including changes that came into effect following the 2024 reforms, the cross-border transfer of personal information (which may be embedded in security event data, particularly in sectors like health and finance) carries specific consent and accountability obligations.

The practical question for security leaders is often invisible until it is asked: where does your security telemetry actually go? Many organisations have deployed security tooling that routes event data to offshore processing environments as a matter of default architecture. In some cases, this includes OT telemetry. The intelligence stack that underpins a security programme may itself be creating a data sovereignty exposure that is distinct from, and compounding, the cyber risk it exists to manage.

Orro’s experience across network and OT environments shows that this question is rarely asked systematically in the procurement and deployment of security tooling. It surfaces, if at all, after implementation, at which point architectural remediation is considerably more complex.


Asset Discovery: The Layer That Precedes Everything Else

All of the visibility challenges described above (east-west traffic gaps, OT blind spots, distributed edge environments, data sovereignty) share a common prerequisite. None of them can be addressed without knowing what assets exist, where they are, and what they are doing.

Asset discovery sounds foundational because it is. And yet it remains an area where most organisations significantly underestimate their actual footprint, particularly in OT environments and following cloud adoption, mergers, or acquisitions that have added systems at pace. Ordr’s 2024 Rise of the Machines Report found that IoT and OT devices account for 42% of enterprise assets, yet the majority are unmanaged and agentless, outside the reach of traditional IT and security tools (Ordr, Rise of the Machines Report, 2024). The same research found that these devices account for 64% of mid-to-high enterprise risk.

Asset discovery in complex environments spanning IT, OT, cloud, and edge is not a one-time exercise. It is a continuous process, because environments are not static. Devices are added, reconfigured, retired, and sometimes persist well past their documented end of life. An asset inventory that was accurate twelve months ago is not accurate today. Continuous discovery, tied to a real-time network monitoring capability, is the mechanism through which an organisation maintains an accurate operating picture and the baseline against which anomalies can be identified.
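The continuous-discovery loop described here, and the east-west visibility point made earlier (network traffic reveals lateral movement that endpoint tools miss), can both be demonstrated from nothing more than flow records. The script below is an added example and not Orro's code: the NetFlow-style records, the asset register, the approved-flow baseline and the port-to-protocol tags are all constructed, and matching on port numbers stands in for the protocol-aware parsing that a production OT monitor would do.

```python
"""Passive asset discovery and east-west baseline check over flow records.

Added example, not Orro's code. The only input is a list of NetFlow-style
records (constructed below), which is the constraint the OT section sets:
no agents on the devices and no active scanning. Port-to-protocol tags,
the asset register and the approved-flow baseline are constructed too.
Record format per line: "<src ip> <dst ip> <dst port> <proto> <bytes>".
"""
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed port tags: industrial protocols and the admin protocols that lateral
# movement typically rides on. Real deployments need protocol-aware parsing,
# not just port matching.
OT_PORTS = {502: "modbus-tcp", 20000: "dnp3", 44818: "ethernet-ip"}
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}

# Constructed flows. Comments after '#' are stripped by the parser.
SAMPLE_FLOWS = """
10.10.1.20 10.20.5.11 502   tcp 1200    # HMI -> PLC, approved
10.10.1.20 10.20.5.12 20000 tcp 800     # HMI -> RTU, approved
10.20.5.13 10.20.5.11 502   tcp 300     # device absent from the register
10.10.2.55 10.20.5.11 502   tcp 150     # corporate workstation -> PLC
10.10.2.55 10.10.1.30 445   tcp 9000    # workstation -> file server SMB
10.10.1.30 10.10.1.31 445   tcp 5000    # file server -> backup, approved
10.10.2.55 203.0.113.9 443  tcp 60000   # north-south, out of scope here
"""
# Constructed asset register (what the organisation believes it has).
REGISTER = {"10.10.1.20", "10.20.5.11", "10.20.5.12", "10.10.2.55", "10.10.1.30", "10.10.1.31"}
# Constructed baseline of approved internal flows: (src, dst, dst port).
BASELINE = {
    ("10.10.1.20", "10.20.5.11", 502),
    ("10.10.1.20", "10.20.5.12", 20000),
    ("10.10.1.30", "10.10.1.31", 445),
}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(lines):
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, port, proto, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def service_tag(flow):
    return OT_PORTS.get(flow["port"]) or ADMIN_PORTS.get(flow["port"]) or f"{flow['proto']}/{flow['port']}"


def discover_assets(flows):
    """Inventory every internal address seen talking, with what it serves and uses."""
    inventory = defaultdict(lambda: {"serves": set(), "uses": set()})
    for f in flows:
        tag = service_tag(f)
        if is_internal(f["dst"]):
            inventory[f["dst"]]["serves"].add(tag)
        if is_internal(f["src"]):
            inventory[f["src"]]["uses"].add(tag)
    return dict(inventory)


def unknown_assets(inventory, register):
    """Addresses on the wire that the register does not know about."""
    return sorted(ip for ip in inventory if ip not in register)


def east_west_anomalies(flows, baseline):
    """Internal-to-internal flows on OT or admin ports that are not in the baseline."""
    hits = []
    for f in flows:
        if not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue
        if f["port"] not in OT_PORTS and f["port"] not in ADMIN_PORTS:
            continue
        if (f["src"], f["dst"], f["port"]) not in baseline:
            hits.append((f["src"], f["dst"], service_tag(f)))
    return hits


def run_sample():
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    inventory = discover_assets(flows)
    return {
        "inventory": inventory,
        "unknown": unknown_assets(inventory, REGISTER),
        "anomalies": east_west_anomalies(flows, BASELINE),
    }


if __name__ == "__main__":
    result = run_sample()
    print("unknown assets:", result["unknown"])
    for src, dst, tag in result["anomalies"]:
        print(f"east-west anomaly: {src} -> {dst} ({tag})")
```

Run against the constructed flows, discovery surfaces a Modbus client (10.20.5.13) that is on the wire but absent from the register, and the baseline comparison flags two internal flows a perimeter-oriented monitor would never see: a corporate workstation speaking Modbus to a PLC and the same workstation opening SMB to a file server. The north-south flow to 203.0.113.9 is ignored because the check is deliberately scoped to east-west traffic. Feeding each day's flows through the same functions and diffing the inventory is the continuous-discovery loop the section describes.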

Evidence Snapshot: Infrastructure Visibility Gaps Affecting Enterprise Security

Asset visibility

Lateral movement and east-west visibility

  • More than 70% of successful breaches involve lateral movement techniques. East-west traffic monitoring remains a significant gap in traditional perimeter-focused security architectures. (Elisity, 2024)
  • Breaches involving lateral movement carry higher costs and longer dwell times than perimeter breaches alone, due to the extended access obtained before detection. (IBM Cost of a Data Breach Report, cited across multiple sources)

Australian critical infrastructure threat context

  • ASD’s ACSC responded to over 1,200 cybersecurity incidents in FY2024–25, an 11% increase year-on-year. Attacks on critical infrastructure increased by 111%. (ASD’s ACSC Annual Cyber Threat Report, 2024–25)
  • ASD’s ACSC proactively notified entities of malicious cyber activity more than 1,700 times in FY2024–25 (an 83% increase), indicating that organisations are routinely failing to detect activity already present in their environments. (ASD’s ACSC Annual Cyber Threat Report, 2024–25)
  • Edge device attacks were observed in more than 120 incidents, with a 96% success rate. ASD specifically notes these devices are often difficult to monitor or configure securely. (ASD’s ACSC Annual Cyber Threat Report, 2024–25)
  • ASD’s CI Fortify guidance identifies maintaining a current inventory of OT assets as the cornerstone of OT cybersecurity for critical infrastructure operators. (ASD’s ACSC, CI Fortify, 2025)

Building the Intelligence Stack Is the Prerequisite Work

The theme connecting the visibility gaps described throughout this article is not tooling: it is architecture. The question for security leaders is not which detection platform to deploy. It is whether the underlying infrastructure produces the telemetry quality, coverage, and data integrity that any detection platform requires to be effective.

Security teams that have invested heavily in capability whilst underinvesting in telemetry infrastructure are, in effect, operating advanced analytical systems on incomplete information. The problem is not that the tools fail. The problem is that the tools are only seeing part of the environment, and that partial picture can create a form of confidence that is more dangerous than acknowledged uncertainty.

Closing these gaps (across the network layer, OT environments, distributed edge infrastructure, and the governance dimension of the data supply chain) requires practitioners who operate across all of those layers simultaneously, not specialists who see only one part of the stack. It requires continuous asset discovery, network-based visibility that extends into OT and edge environments, and governance frameworks that treat telemetry integrity as a first-order concern alongside the security tools that consume it.

What comes after the intelligence stack is established is a harder question: how does an organisation move from having better data to knowing, with confidence, what its actual exposure looks like at any given moment? That is where the value of the intelligence work described here becomes testable rather than assumed.

If this article has raised questions about the completeness of your organisation’s telemetry coverage, your OT asset visibility, or how your security programme handles data sovereignty, Orro’s team is available for a confidential discussion. There are no obligations — just a conversation with practitioners who work across these environments every day.

Get in touch with Orro’s security team to discuss your infrastructure intelligence foundations.

Orro works with organisations across network, cloud, OT, and security to build the infrastructure intelligence foundations that make genuine risk reduction possible. Explore Orro’s approach to cross-stack visibility and security.
