Analyst firm Takepoint Research has released data detailing that Australia’s critical infrastructure is increasingly vulnerable to cyber-physical threats, with significant real-world safety impacts. Insights from over 50 industry leaders and practitioners reveal serious gaps in risk management, including fragmented IT risk management, opaque OT (operational technology) risk management, workforce shortages, supply chain vulnerabilities, and complex infrastructure lifecycles. Despite regulations like the SOCI Act (2018), many organizations remain unprepared.
To build resilience, the whitepaper titled ‘Securing Society: Insights on Cyber-Physical Safety in Australia’s Critical Infrastructure,’ authored by Sam Mackenzie, associate analyst at Takepoint Research, recommends that leaders integrate cyber-physical risks into enterprise frameworks, foster IT-OT collaboration, and strengthen supply chain security while prioritizing defense-in-depth strategies. The paper seeks to establish a foundational understanding of the cyber threats and leadership challenges confronting Australia’s modern infrastructure. It emphasizes that effective defense can be achieved through strong risk management, intentional collaboration, and clearly defined strategies, and it offers solutions for improved protection and recovery.
Takepoint highlights the Australian government’s vision to become a world leader in cybersecurity by 2030. Through regulation, structural reforms, and compliance alongside industry engagement, the government has made a significant start in delivering this vision. It also notes that some nations are already working to secure their assets, with Singapore leading in the region; however, this is new ground for Australia. Increasing obligations have come into effect, particularly for critical infrastructure asset owners and operators, through the SOCI Act and, more recently, the Cyber Security Legislative Package (2024).
Leaders must recognize cybersecurity’s role in preventing cyber-physical threats
The whitepaper underscores the need for business executives to recognize cybersecurity’s critical role in ensuring physical safety alongside protecting digital assets. Cyberattacks that impact the physical world are referred to as ‘cyber-physical incidents’ or ‘negative kinetic outcomes.’
While noting that these incidents are fortunately few and far between, particularly in Australia, Mackenzie observed that understanding and preventing them is nonetheless a pressing issue for critical infrastructure leaders. “We are entering a new age of cyber threat; the age of kinetic impacts. In February 2000, Australia was one of the first nations worldwide to have a kinetic event, occurring in Maroochy Shire, Queensland, where a disgruntled contractor manipulated wastewater treatment systems and released millions of litres of raw sewage into local parkland. Since then, events that have caused physical impacts are in low numbers, and while increasing, most have occurred outside Australia’s borders.”
Mackenzie also detailed that many respondents shared the view that cyber-physical risk often isn’t clear, or in some cases, it is misunderstood completely. “72% of interviewees acknowledged that cyber-physical risk management remains fragmented, particularly in Australia. All too often, risk assessments focus solely on the safety hazards that can be physically seen. Digital and technology risks, meanwhile, often lack the thorough assessments they demand. Interviewees agreed that cyber-physical risk is a young discipline, having only been developed in the last 15 years,” he added.
Enhancing cyber-physical risk assessment by improving articulation
The Takepoint whitepaper also identified that most cybersecurity teams must improve the articulation and accurate assessment of cyber-physical risks. This is crucial to allow them to initiate the right leadership conversations and make the correct mitigation decisions.
“This flaw demonstrates that lack of risk visibility could lead to spending misallocation, where OT cyber-physical risks are not even registered. In contrast, more highly publicised threats, such as data privacy, get the lion’s share of the mitigation budget,” Mackenzie wrote. “Over 60% of participants believed their organisations were not fully ready for the updated compliance obligations, citing struggles with maintaining comprehensive asset registers, conducting vulnerability assessments, and meeting SOCI Act’s Positive Security Obligations (PSOs).”
Addressing dramatic changes in cybersecurity threat landscape
Takepoint highlighted that the cybersecurity threat landscape has undergone a dramatic transformation, driven by the rise of state-sponsored actors, proliferation of Cybercrime-as-a-Service (CaaS), and escalating supply chain vulnerabilities. Critical infrastructure and the healthcare sector have emerged as prime targets, with attackers exploiting high-value data and operational disruptions for financial, political, or ideological gains.
Compounding these challenges are severe talent shortages and the inherent risks posed by aging OT systems, which are difficult to secure and maintain. To address these evolving threats, organizations must prioritize strategic cybersecurity investments, foster talent development, and implement holistic, proactive defense strategies to safeguard critical assets and mitigate growing risks.
Mackenzie noted that nation-funded criminal gangs are increasingly targeting critical infrastructure for political or ideological disruption, not just financial gain, and that critical infrastructure disruptions have wide-reaching impacts, including hindering government responses to geopolitical events. With the rise of CaaS, cybercriminals leverage pre-made tools like phishing campaigns, exploit kits, and ransomware, lowering the barrier to entry.
Takepoint identified that Australia faces a severe shortage of cybersecurity professionals due to geographic isolation, small population, outsourcing, and complex education pathways. 67 percent of organizations struggle to hire skilled talent, with smaller firms disproportionately affected. Additionally, smaller organizations compete with larger, better-funded peers, often leaving cybersecurity as a part-time task for untrained IT staff.
Covering the supply chain ecosystem, Mackenzie detailed that organizations rely on hundreds of third-party vendors, with fourth-party suppliers adding further complexity. Geographic isolation forces reliance on remote access for system maintenance, creating additional vulnerabilities, while supply chain cybersecurity risk is now mission-critical, shifting focus from operational delivery to robust security measures.
He also highlighted that, due to aging infrastructure, Australian organizations face significant challenges with the lifespan of OT systems. These systems often remain in use for over 30 years, in contrast to the five- to eight-year lifespan typical of IT systems, which makes securing them more difficult. Moreover, devices like programmable logic controllers (PLCs) may have critical vulnerabilities but cannot be patched or replaced without costly downtime. Unlike in IT, patching OT systems is complex and often impractical due to operational disruptions and high costs.
Risk-based defense, collaboration, layered security key to cyber resilience
Takepoint Research identified that defense is achievable by adopting a risk-based approach, fostering cross-discipline collaboration, enhancing organizational awareness, implementing defense in depth, and utilizing network segmentation.
A risk-based approach emphasizes integrating cyber-physical risks into existing management structures to accurately assess physical safety risks. Tools like risk tiering and the FAIR (Factor Analysis of Information Risk) framework help organizations prioritize their responses, focusing on the most relevant threats. Collaboration between IT, OT, and engineering teams is crucial, as cultural silos hinder effective incident management. Aligning priorities and enhancing security awareness across all levels of the organization can improve cybersecurity outcomes.
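The paragraph above names risk tiering and FAIR as prioritisation tools without showing what they produce. The following added example (not code from the whitepaper or from Takepoint Research) shows the basic FAIR decomposition: threat event frequency and vulnerability give loss event frequency, which combined with loss magnitude gives an annualised loss exposure (ALE), simulated with triangular min/most-likely/max estimates. The three scenarios, their estimates, and the tier thresholds are constructed for illustration and are not figures from the paper; the `tier()` cut-offs in particular are hypothetical.

```python
"""FAIR-style annualised loss exposure and risk tiering (constructed scenarios)."""
import random


def draw(rng, low, mode, high):
    """Sample an estimate given as (min, most likely, max).

    random.triangular takes its arguments as (low, high, mode), so the order is
    rearranged here to keep the (min, mode, max) convention used in the tables.
    """
    return rng.triangular(low, high, mode)


def simulate_annual_losses(tef, vuln, magnitude, trials=5000, seed=2025):
    """Monte Carlo estimate of annual loss for one scenario.

    tef       -- threat event frequency per year, (min, mode, max)
    vuln      -- probability a threat event becomes a loss event, (min, mode, max)
    magnitude -- loss per loss event in AUD, (min, mode, max)
    Returns one simulated annual loss per trial.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    annual = []
    for _ in range(trials):
        threat_events = round(draw(rng, *tef))
        v = draw(rng, *vuln)
        loss = 0.0
        for _ in range(threat_events):
            if rng.random() < v:  # this threat event becomes a loss event
                loss += draw(rng, *magnitude)
        annual.append(loss)
    return annual


def percentile(values, p):
    """Nearest-rank percentile of a list (p between 0 and 1)."""
    ordered = sorted(values)
    return ordered[int(round(p * (len(ordered) - 1)))]


def tier(p90_loss):
    """Hypothetical tiering on the 90th-percentile annual loss (AUD)."""
    if p90_loss >= 1_000_000:
        return "Tier 1 (board-level, fund first)"
    if p90_loss >= 100_000:
        return "Tier 2 (planned mitigation)"
    return "Tier 3 (monitor)"


# Constructed scenarios: (name, TEF per year, vulnerability, magnitude in AUD).
SCENARIOS = [
    ("Remote-access compromise reaching wastewater controls",
     (1, 2, 6), (0.2, 0.4, 0.7), (500_000, 2_000_000, 8_000_000)),
    ("Phishing-driven corporate data exposure",
     (5, 10, 20), (0.1, 0.2, 0.4), (10_000, 40_000, 150_000)),
    ("Malware on an engineering workstation halting a line",
     (0, 1, 3), (0.05, 0.1, 0.3), (50_000, 500_000, 3_000_000)),
]


def assess(scenarios=SCENARIOS, trials=5000):
    """Rank scenarios by p90 annual loss and assign each a tier."""
    results = []
    for name, tef, vuln, mag in scenarios:
        losses = simulate_annual_losses(tef, vuln, mag, trials)
        p90 = percentile(losses, 0.9)
        results.append({
            "scenario": name,
            "ale_mean": sum(losses) / len(losses),
            "ale_p90": p90,
            "tier": tier(p90),
        })
    results.sort(key=lambda r: r["ale_p90"], reverse=True)
    return results


if __name__ == "__main__":
    for r in assess():
        print(f"{r['tier']:<34} mean {r['ale_mean']:>12,.0f}  p90 {r['ale_p90']:>12,.0f}  {r['scenario']}")
```

The point of the exercise is the one the paper makes: once the OT scenario and the data-privacy scenario are expressed in the same loss units, the mitigation budget conversation can be had on evidence rather than on which threat is more publicised.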
Critical infrastructure protection hinges on ‘defense in depth’ and strict network segmentation. These strategies integrate security at every level through multiple protective layers, enhancing resilience and creating a complex barrier that complicates and delays unauthorized access. This delay can expose attackers or deter them from continuing. Employing physical, technical, and administrative controls is crucial. Network segmentation is vital, isolating network segments and limiting access based on least privilege principles, thus containing potential damage and restricting attacker movement.
The Purdue Model, a framework for industrial control architecture, is key, as is maintaining separate directory services for IT and OT. Technologies like VLANs (virtual local area networks), firewalls, and DMZs (demilitarized zones) are essential to thwart serious breaches. Together, segmentation and defense in depth form a robust security framework ensuring reliability, safety, and compliance in critical infrastructure.
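The two paragraphs above describe segmentation and least privilege in principle. The following added example (not code from the whitepaper or from Takepoint Research) turns that into a check a defender can run: it maps addresses to Purdue levels, requires traffic to cross only one level boundary at a time (so enterprise traffic terminates in the industrial DMZ rather than reaching controllers), and enforces a per-boundary service allowlist. The zone CIDRs, the allowlist, and the flow log are all constructed placeholders for the example; a site would substitute its own zone and conduit definitions.

```python
"""Purdue-model segmentation audit over constructed flow records."""
import ipaddress

# Constructed zone map, ordered from the process floor upward. The CIDRs are
# placeholders for this example, not addresses from the whitepaper.
LEVELS = [
    ("L0-1 process/control", ipaddress.ip_network("10.1.0.0/16")),
    ("L2 supervisory",       ipaddress.ip_network("10.2.0.0/16")),
    ("L3 site operations",   ipaddress.ip_network("10.3.0.0/16")),
    ("L3.5 IDMZ",            ipaddress.ip_network("10.35.0.0/16")),
    ("L4-5 enterprise",      ipaddress.ip_network("10.100.0.0/16")),
]

# Least-privilege allowlist per boundary, keyed by (source index, destination
# index) into LEVELS. Constructed for the example; deny by default otherwise.
ALLOWED = {
    (4, 3): {("tcp", 443)},   # enterprise -> IDMZ: web/API front end only
    (3, 2): {("tcp", 3389)},  # IDMZ -> site ops: brokered remote access
    (2, 3): {("tcp", 443)},   # site ops -> IDMZ: historian replication
    (2, 1): {("tcp", 443)},   # site ops -> supervisory: management web UI
    (1, 0): {("tcp", 502)},   # supervisory -> controllers: Modbus/TCP polling
}


def zone_of(addr):
    """Return (level index, level name) for an address, or (None, 'unzoned')."""
    ip = ipaddress.ip_address(addr)
    for idx, (name, net) in enumerate(LEVELS):
        if ip in net:
            return idx, name
    return None, "unzoned"


def check_flow(src, dst, proto, dport):
    """Classify one connection as ('ok', reason) or ('violation', reason)."""
    si, sname = zone_of(src)
    di, dname = zone_of(dst)
    if si is None or di is None:
        return "violation", f"{src} -> {dst}: address outside every defined zone"
    if si == di:
        return "ok", f"intra-zone traffic within {sname}"
    if abs(si - di) > 1:
        return "violation", (f"{sname} -> {dname} crosses {abs(si - di)} boundaries; "
                             "traffic must be brokered level by level through the IDMZ")
    if (proto, dport) not in ALLOWED.get((si, di), set()):
        return "violation", f"{proto}/{dport} not allowlisted for {sname} -> {dname}"
    return "ok", f"{proto}/{dport} permitted on {sname} -> {dname}"


def audit(log_text):
    """Run check_flow over 'timestamp src dst proto dport' records."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        verdict, reason = check_flow(src, dst, proto, int(dport))
        findings.append((ts, verdict, reason))
    return findings


# Constructed flow records (e.g. exported from a firewall or flow collector).
SAMPLE_LOG = """\
2025-01-01T10:00:00Z 10.100.4.20 10.35.1.5 tcp 443
2025-01-01T10:00:05Z 10.100.4.20 10.1.0.7 tcp 502
2025-01-01T10:00:09Z 10.2.0.10 10.1.0.7 tcp 502
2025-01-01T10:00:12Z 10.35.1.5 10.2.0.10 tcp 3389
2025-01-01T10:00:15Z 10.3.0.4 10.2.0.10 tcp 22
2025-01-01T10:00:18Z 192.0.2.9 10.2.0.10 tcp 22
"""


if __name__ == "__main__":
    for ts, verdict, reason in audit(SAMPLE_LOG):
        print(f"{ts} {verdict.upper():<9} {reason}")
```

In the sample, the enterprise host reaching a controller directly and the IDMZ host reaching a supervisory system both fail the one-boundary rule, the unapproved SSH session fails the allowlist, and the address outside every zone is flagged because unzoned assets are exactly the ones a segmentation design has not accounted for.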
Beyond the technical and operational aspects, Mackenzie emphasizes that cybersecurity should be viewed as a moral and societal obligation. The consequences of cyberattacks on critical infrastructure extend far beyond financial losses; they can endanger lives, disrupt communities, and undermine public trust. Leaders in the public and private sectors have to prioritize cybersecurity as a fundamental component of societal safety.
Conclusion
Mackenzie identifies that strong critical infrastructure leadership is important to address cyber-physical safety and protect the complex assets modern society relies on. Leaders must adopt a comprehensive and safety-focused approach to combat the ever-evolving threat landscape.
Takepoint highlights the complexity of OT environments and the many and varied challenges of their risk landscape. It also points out that effective defense is achievable through robust OT risk management, purposeful cross-discipline collaboration, and solid mitigation strategies such as the adoption of defense in depth. Ultimately, critical infrastructure organizations must take decisive action to integrate cybersecurity and operational safety, ensuring the resilience and protection of the essential services that modern society relies on.