Australia’s private and public institutions remain vulnerable to malicious cyber activity, with threats arising from both financially motivated and state-sponsored actors, according to the Cyber and Infrastructure Security Centre’s (CISC’s) first Critical Infrastructure Annual Risk Review.
The review has underscored the ongoing threat posed by ‘trusted insider’, supply chain and physical attacks to critical infrastructure across the globe, with foreign interference and espionage identified as principal threats to Australia’s critical infrastructure.
Interest from threat actors can vary from an intent to obtain critical research and intelligence to seeking details on production and service levels.
The review also determined that ‘trusted insiders’ pose an increasingly significant threat to critical infrastructure.
Insiders may, the report said, deliberately disclose sensitive information to third parties, manipulate systems and networks to cause harm or be recruited by foreign intelligence services to undermine the capabilities of Australia’s critical infrastructure service delivery.
At the same time, as more threat actors look to exploit insider access, dark web job adverts targeting “disgruntled employees” were increasingly being used as recruitment tools.
“Australia’s critical infrastructure presents further layers of target attractiveness beyond the theft of personal identification information. A broad range of critical infrastructure can be tangibly disrupted, manipulated or destroyed as a result of malicious cyber activity,” the review said.
“Cyber actors will also look for weaknesses in our systems to obtain valuable sovereign research and gain insights into our social, economic or technological vulnerabilities.”
The report also identified vulnerabilities in the convergence of operational technology (OT) and information technology (IT), and the rollout of Internet of Things (IoT) devices.
Ultimately, with the increasing sophistication of cyber incidents, such as the lateral movement of a cyber incident between systems, a single breach could trigger catastrophic cascading consequences.
The review cited the 2021 Colonial Pipeline cyber incident in the US, which started as a ransomware attack on a corporate system, and ultimately led to a decision to shut down operational systems to mitigate the risk of cross-system compromise.
“This resulted in cascading supply chain impacts, most notably to the distribution of gasoline and jet fuel to the Eastern United States,” the review warned.
“OT and connected systems, including corporate networks, will likely be of enduring interest to malicious cyber actors. OT can be targeted to access a corporate network and vice versa, potentially allowing malicious cyber actors to move laterally through systems to reach their target. Even when OT is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers.”
Further, the adoption of IoT in critical infrastructure can increase the integration of potentially compromised third-party inputs for information, data sharing and data analytics. These interconnected critical infrastructure networks (which include remote access and management solutions) and third-party providers effectively expand the attack surface for supply disruption.
The CISC review also noted that risk levels to critical infrastructure assets are strongly correlated with periods of heightened geopolitical tensions.
“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty,” said Hamish Hansford, deputy secretary, cyber and infrastructure security at the Department of Home Affairs.
“This review highlights the serious risks posed to our critical infrastructure and the need for strong public-private partnerships to keep pace with evolving threats.
“The Australian Government through the Cyber and Infrastructure Security Centre has been working closely with industry to develop effective rules to ensure continuity of service in the event of an outage or attack on Australia’s critical infrastructure.”