The Federal Government has released its first Critical Infrastructure Annual Risk Review, which provides a summary of the potential security risks faced by Australia’s critical infrastructure over the last 12 months.
The review has been launched as part of Australia’s inaugural ‘Critical Infrastructure Security Month’ and has been developed by the Cyber and Infrastructure Security Centre (CISC).
Critical infrastructure includes the essential services which are vital to Australia’s prosperity and security.
Earlier in 2023 the Federal Government introduced the Critical Infrastructure Risk Management Program obligation – a set of rules to strengthen the resilience of critical infrastructure and essential services vital to the security, prosperity and sovereignty of Australia.
Recent cyber, trusted insider, supply chain and physical attacks have highlighted the ongoing threat to critical infrastructure around the globe.
Within the Department of Home Affairs, the CISC safeguards Australia’s critical infrastructure regime in partnership with state governments, industry and the broader community.
It also helps Australian critical infrastructure owners and operators understand the risk environment and meet their regulatory requirements – for the shared benefit of all Australians.
The Annual Risk Review found that foreign interference and espionage are principal threats to Australia’s critical infrastructure.
That interest can range from obtaining critical research and intelligence to gathering details on production and service levels.
The review highlights that trusted insiders are also a significant threat to the critical infrastructure sector. Insiders can deliberately disclose sensitive information to third parties, manipulate systems and networks to cause harm, or be recruited by foreign intelligence services to undermine the capabilities of Australia’s critical infrastructure service delivery.
The Federal Government has said that dark web job adverts targeting “disgruntled employees” are being used as a recruitment tool as more threat actors look to exploit insider access.
The Government also warned that the threat to critical infrastructure from terrorism is not extinguished and an attack remains possible.
Disruptions to critical infrastructure can have serious implications for business, governments and the community, affecting the security of resources, supply and service continuity.
The pre-positioning of malicious activity in Australia’s critical infrastructure is also a known risk. Such an act could be carried out in preparation for a future attack.
The review also notes that risk levels to critical infrastructure increase during periods of heightened geopolitical tensions.
Earlier in 2023 the Federal Government also launched an updated Critical Infrastructure Resilience Strategy to protect critical infrastructure. The strategy provides a roadmap for protecting essential services and assets – everything from electricity and water to healthcare and groceries.
Department of Home Affairs Deputy Secretary of Cyber and Infrastructure Security, Hamish Hansford, said that the increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to security, economy and sovereignty.
“This review highlights the serious risks posed to our critical infrastructure and the need for strong public-private partnerships to keep pace with evolving threats,” Mr Hansford said.
“The Federal Government through the Cyber and Infrastructure Security Centre has been working closely with industry to develop effective rules to ensure continuity of service in the event of an outage or attack on Australia’s critical infrastructure.”