The Critical Infrastructure Annual Risk Review, published by the Critical Infrastructure Security Centre (CISC), provides an in-depth analysis of the key risks impacting Australia’s critical infrastructure in 2024.
This second edition of the report highlights cyber threats across various sectors, underlining the urgent need for improved risk management frameworks such as the Security of Critical Infrastructure Act (SOCI Act) and the Critical Infrastructure Risk Management Program (CIRMP) to safeguard Australia’s vital systems.
Key Highlights from Critical Infrastructure Annual Risk Review
One of the most pressing challenges for Australia’s critical infrastructure in 2024 is cybersecurity. With frequent cyberattacks targeting critical sectors like healthcare, communications, and energy, there is a growing concern about the potential for these incidents to compromise the integrity, availability, and confidentiality of vital services.
Foreign interference and state-sponsored cyber operations, such as those carried out by groups like Volt Typhoon, are seen as persistent threats, exploiting vulnerabilities in both private and public infrastructure. Additionally, the SOCI Act mandates a proactive approach to managing these risks, urging infrastructure providers to integrate robust cybersecurity measures into their operational frameworks.
Another significant concern is political violence. In 2024, the Australian Security Intelligence Organisation (ASIO) raised the national terrorism threat level to “Probable” due to increasing risks from extremist ideologies. These threats, coupled with foreign espionage, have prompted a reassessment of the vulnerabilities in sectors like energy, telecommunications, and transportation, where disruptions could have cascading effects across the nation.
The report also highlights the impact of geopolitical tensions, such as regional instability in the Middle East, on supply chains and infrastructure operations.
The Interconnected Nature of Infrastructure
A central theme of the Critical Infrastructure Annual Risk Review is the interdependency of various infrastructure sectors. A failure in one area, such as the energy grid, can quickly trigger disruptions in other sectors, including water supply, transport, and communications.
For instance, a power outage could halt transportation networks, interrupt data storage services, and affect the provision of water and sewage systems, demonstrating the ripple effect of infrastructure failures. As CIRMP outlines, infrastructure owners must assess material risks—both direct and indirect—and prioritize risk mitigation strategies accordingly.
The review also stresses that Australia’s critical infrastructure is not immune to natural hazards. Severe weather events, including floods and storms, continue to disrupt services, as seen in 2024 when major flooding delayed freight transport across key routes. This is compounded by the supply chain vulnerabilities, especially for critical resources like lithium, rare-earth metals, and urea, which are crucial for industries ranging from energy to agriculture.
Evolving Threats and Risk Mitigation
A growing concern for infrastructure operators is the increasing sophistication of cyber threats, including the use of artificial intelligence (AI) by attackers. The rapid rise of AI technology has enabled more adaptive and targeted cyberattacks, which can evade traditional defenses.
The review points to the convergence of IT, operational technology (OT), and Internet of Things (IoT) systems, which has expanded the potential attack surface for malicious actors. Infrastructure providers are urged to improve coordination between IT and OT teams to detect threats early and respond effectively.
In addition to cybersecurity, supply chain risks are an area of increasing focus. The global demand for critical materials, coupled with supply chain disruptions triggered by geopolitical events or natural disasters, have accentuated the need for resilience in Australia’s infrastructure systems. Workforce shortages, particularly in sectors like healthcare, aviation, and construction, further exacerbated vulnerabilities, with skilled labor increasingly in demand to fill essential roles.
Strengthening Risk Management Frameworks
To address these challenges, the SOCI Act has evolved over the years, tightening security obligations for sectors like telecommunications, aviation, and maritime. The CIRMP encourages infrastructure owners to establish comprehensive risk management programs that adhere to best practices for safeguarding against a wide range of hazards.
These frameworks support the identification of risks across five key categories: cybersecurity, supply chain disruptions, physical security threats, natural hazards, and personnel security. The Australian government, in collaboration with industry stakeholders, has also worked to improve awareness and compliance with the SOCI Act.
