The first edition of CISC’s Critical Infrastructure Annual Risk Review provides a summary of the key risk-driven issues that have been affecting the security of Australia’s critical infrastructure over the last 12 months.
The review presents risk issues under each of the threat and hazard categories outlined in the Security of Critical Infrastructure Act 2018 (SOCI Act 2018) and accompanying rules for the Critical Infrastructure Risk Management Program (CIRMP).
As the Commonwealth regulator for critical infrastructure security, it is important for us to support critical infrastructure providers in adapting their existing risk practices, and to help organisations understand risks within the broader national security context.
Risk in the context of national critical infrastructure is related to our national and societal resilience. Disruptions to critical infrastructure can have serious implications for business, governments and the community, affecting the security of resources, supply and service continuity, and damaging our economic growth.
Critical infrastructure providers face a wide range of disruptors to the continuity of operations. Risks with the greatest impact on Australia’s social or economic stability, and on its defence or national security, also need to be considered and framed within the existing risk management strategies of critical infrastructure entities.
Australia is likely to see an increase in the frequency and severity of natural hazards, and a future punctuated by more complex, cascading or compounding disasters. As Australia enters another El Niño weather cycle, we witnessed in 2023 record heatwaves and catastrophic natural hazard events in the Northern Hemisphere. Severe weather events are becoming more frequent, with longer recovery times, putting pressure on the delivery and resilience of critical infrastructure systems.
Foreign involvement is permeating into all areas of the delivery of critical infrastructure. Australia’s critical infrastructure is a complex network of facilities, personnel, outsourcing, offshoring and supply chain dependencies. Foreign involvement is across all nodes of this network and has the potential to create risks to national security if the nature of this interaction is not properly managed.
Australia’s critical infrastructure sectors are a deeply interconnected system of systems; significant disruption in one sector will affect other sectors. The increasingly interconnected nature of Australia’s critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security and sovereignty.
Increasing digitalisation and implementation of new technologies are adding new entry points for cyber incidents. Over the last 12 months, Australia has witnessed reported cyber incidents against high-profile targets, including Australian critical infrastructure providers.
Rapid advancement and implementation of new technologies can severely hamper efforts to create a uniform cyber defence, particularly where levels of cyber literacy are low.
Risk levels are very likely to increase during periods of heightened geopolitical tensions. Critical infrastructure remains an enduring target of interest for threat actors seeking to cause harm. Across different geopolitical conflicts, pre-positioning and grey zone cyber operations are used alongside conventional military activities for extensive targeting of critical infrastructure networks.
Supply chain resiliency is a multi-faceted strategy of proactive defence and efficient response to disruption. Australia remains vulnerable to international supply chain disruption and single source supply for critical components and services. Critical infrastructure providers need to develop adaptive supply chain resilience plans, driven by risk analysis, to withstand disruption to global supply chain networks.