Australia’s 2024 Critical Infrastructure Annual Risk Review covers emerging threats, safeguarding national security

Australia’s Cyber and Infrastructure Security Centre (CISC) has released the second edition of the Critical Infrastructure Annual Risk Review as part of Critical Infrastructure Security Month. The version focuses on current and emerging risks to Australia’s critical infrastructure throughout 2024, which faces constant threats of disruption that, if unaddressed, could significantly impact essential services relied upon by Australians. It also addresses the threats and hazards to Australia’s critical infrastructure, tackling emerging and ongoing national security and economic stability risks.

The latest Annual Risk Review examines hazards affecting national critical infrastructure, including persistent cyber incidents, instability in global supply chains, ongoing workplace skills shortages, and disruption from severe weather events. Incidents affecting critical infrastructure can cause consequences for national security. The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could significantly affect national security, economy, and sovereignty. 

The review aims to support owners and operators of critical infrastructure installations in developing a better understanding of the risks they face. It also outlines the importance of assessing the potential impacts of these risks across each sector. The purpose is to build higher levels of resilience in service delivery.

Through the Annual Risk Review, and other guidance to stakeholders, the CISC will continue to raise risk tolerance, as well as identify and reduce vulnerabilities in systems, operations, and supply chains caused by the vast number of interconnected devices; call out security risks; and improve information sharing capabilities. The work supports Australia’s critical infrastructure owners and operators to make informed decisions now and into the future.

“This Critical Infrastructure Annual Risk Review serves to support a greater shared understanding of the risks faced by critical infrastructure owners and operators which, if not addressed, could impact the essential services all Australians rely on,” Tony Burke, Australia’s Minister for Home Affairs and Cyber Security, wrote in the document. “Owners and operators of critical infrastructure need to maintain clear visibility of the extent of risks they face, including from cyber, personnel, and physical threats, and from supply chain hazards and natural disasters. This review was designed to reach a diverse audience across all levels of enterprise, government, and the broader community.”

Burke noted that the CISC collaborates in the spirit of genuine partnerships with governments, industry, and the broader critical infrastructure community, to safeguard Australia’s critical infrastructure and to help critical infrastructure owners and operators augment their understanding of the risk environment while meeting their security obligations. 

“Following extensive collaboration, I have also introduced the Cyber Security Legislative Package to parliament, which serves to address legislative gaps and take the next step to ensure Australia is on track to become a global leader in cyber security,” Burke said. “Subject to the passage of this legislation, Australia will have its first standalone Cyber Security Act, and the package will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act).”

He added that “industry partners should be applauded for the steps already taken to enhance the security of their critical infrastructure assets through targeted investments to recognize and address vulnerabilities, harden their systems, and secure their data. Through strong industry partnerships, we will enhance risk maturity, meet regulatory obligations, and achieve our vision of becoming a world leader in cyber security by 2030.”

The Annual Risk Review noted that the CISC remains committed to the continued improvement of the nation’s regulatory and policy approach to securing Australia’s national critical infrastructure and is collaborating with industry to achieve the best security and resilience posture. Effective compliance activities support an objective of the SOCI Act to provide a framework for managing risks relating to critical infrastructure. Also, helping industry understand the implications of these obligations, and ensuring compliance, is not just a matter of legal obligation; it is necessary to protect the essential services all Australians rely on.

Over the last 12 months, the CISC has been working on legislative reform to strengthen the SOCI Act to ensure it is fit for purpose and includes the telecommunications sector security obligations under one Act; and legislative reform that will strengthen Australia’s aviation, maritime, and offshore facility security settings against current and emerging threats, and enable government to regulate in a flexible, risk-based and scalable way. This includes the introduction of all-hazard security obligations to existing security legislation.

CISC has also been working on guidance to critical infrastructure providers to carefully consider risks to operational and information technology networks; promoting greater consideration of the impact of risk on assets, and how this cascades to other entities or sectors; and positioning Australia’s SOCI compliance regulatory posture, over the next 12 months, to provide balanced educational and awareness raising activities and compliance activities.

The Annual Risk Review also provided detail on continuing frequent cyber attacks targeting critical infrastructure have exposed the nexus between national security and business risk; underestimating the pre-positioning threat will leave critical infrastructure vulnerable to capability disruption or attempts to influence decision-making; large portions of industry are still not meeting basic levels of cyber literacy and awareness; and lack of security coordination between information technology (IT), operational technology (OT) and internet of things (IoT) technologies can make systems more vulnerable to malicious activity.

The report also pointed to cyber security governance for third-party risk lagging behind levels of risk awareness, and rapid uptake of artificial intelligence is enabling more persuasive and individually targeted cyber attacks, complicating mitigation.

On the supply chain side, the Annual Risk Review focused on geopolitical issues is expediting a need for a supply chain shift; the clean energy transition will drive demand and increase competition for the required technology and materials; Australia’s dependence on global maritime supply lines leaves Australia highly vulnerable to impacts outside of the nation’s control; and Australia’s high reliance on road and rail for domestic supply compounds any disruption to this infrastructure.

Addressing physical issues, the Annual Risk Review detailed espionage and foreign interference, along with politically-motivated violence, are the Australian Security Intelligence Organisation’s (ASIO) principal national security concerns; vulnerability to grey zone tactics is heightened in areas outside Australia’s direct control, such as the undersea and space domains; and geopolitical issues have intensified issue-motivated activity, and actors threaten to shift their tactics to infrastructure disruption. 

It also covered next-generation technology and defense program initiatives that will cement foreign state interest in domestic research; sabotage of critical infrastructure to create destabilizing impacts is being used outside of conflict zones to some effect; and the need to depend on international parties for growth exposes entities to greater risk from foreign involvement.

The Annual Risk Review also noted that critical infrastructure operators should not underestimate the espionage and foreign interference threat to their workforce; insider activities, malicious or negligent, continue to cause critical infrastructure outages in Australia and overseas; and misidentification of critical roles increases levels of vulnerability for malicious insider activity. 

It also identified that artificial intelligence has enhanced tools for social engineering, increasing the vulnerability of personnel with critical access and responsibilities; changes in workforce skills and ongoing workforce shortages demand an increased focus on effective insider threat management to manage personnel risk; and external global and domestic divisive issues can potentially heighten some workforce disquiet, leading to malicious activity. 

Looking forward, the Annual Risk Review pointed to a couple of trends and technology drivers that will likely impact the risk profile of Australia’s critical infrastructure over the coming years. These include rapid technological change creating skill and staffing shortfalls, including for skilled cyber security professionals; more and more critical operational decisions will be automated; and supply chain disruptions continue to affect domestic and international supply chains. Additionally, the race to 6G use cases is likely to make the technology far more critical in an infrastructure context. 6G may be rolled out commercially by around 2030, but there is ongoing research necessary to achieve its full potential.

The Annual Risk Review also identified that traceability will present new risk challenges; competition and conflict in space, as the number of objects in low earth orbits, an increase in the use of shorter lifespan spacecraft, and ongoing congestion of geosynchronous orbits; and ongoing moves to onshore or near-shore supply will gradually redraw the transportation map.

Last week, the Australian CISC announced the designation of 46 additional critical infrastructure assets as Systems of National Significance. The initiative is part of the Australian government’s ongoing efforts to enhance the cyber resilience of the nation’s vital infrastructure. With this latest declaration, the total number of such systems now exceeds 200, spanning sectors like energy, communications, transport, financial services, food and grocery, and data storage or processing. This collaboration between the government and businesses aims to strengthen national security.