Australia’s critical infrastructure: managing systemic risk in a hyper-connected world
© 123RF
Australia’s critical infrastructure faces rising systemic risk as cyber threats, hidden interdependencies and governance gaps collide, increasing the need for coordinated, resilient approaches across sectors.
Australia’s critical infrastructure is under pressure from a complex and evolving risk landscape. Cyberattacks, natural hazards, geopolitical tensions, supply chain fragility and social instability are no longer isolated challenges. Instead, they interact across sectors, creating systemic risks that are not yet fully visible or consistently managed.
A key issue is cross-sector dependency. Critical infrastructure assets do not operate in isolation, yet many of the dependencies between sectors remain insufficiently mapped or understood. As connectivity increases, so too does the potential for cascading impacts when disruptions occur.
These challenges were explored in a recent Thales webinar, Securing Australia’s critical infrastructure: Supply chains, regulation and resilience, which highlighted how growing interdependence is reshaping risk and resilience across critical sectors.
The webinar was moderated by Zoe Thompson and Mitchell Loughlan from Thales, and featured Dr Marthie Grobler, Principal Research Scientist at CSIRO’s Data61, and John Moore, Director at Ashurst. Discussion focused on what happens when interdependent systems, shared suppliers, and uneven board maturity collide with a fast-moving threat landscape.
A hyper-connected operating environment
Research led by CSIRO and the Department of Home Affairs has reinforced what many operators already experience in practice: Australia’s critical infrastructure sectors are deeply connected. These interdependencies are not always visible to the organisations involved, increasing exposure to disruption where dependencies are neither fully understood nor actively managed.
Mapping conducted across Australia’s 11 critical infrastructure sectors found that electricity, communications and data function as foundational “lifeline” sectors for most others. Space-based assets, particularly global positioning systems (GPS), were also shown to underpin activities such as navigation, timing and coordination, despite being rarely included in resilience planning.
The research also revealed significant blind spots. Some sectors underestimated how heavily others rely on their services, while others overlooked their own dependence on assets such as space systems or payment infrastructure. Crucially, many organisations focused only on who they rely on, rather than also considering who relies on them – a gap that can amplify systemic risk.
Why ‘failure of imagination’ is itself a risk
One concept that resonated strongly throughout the discussion was “failure of imagination” – the tendency to plan for familiar risks rather than plausible future scenarios.
In the context of critical infrastructure, this can include assumptions that disruptions occur one at a time, underestimating how impacts cascade across sectors, or believing that certain events are unlikely, simply because they have not yet occurred. Such assumptions can lead to preparedness gaps when multiple pressures emerge simultaneously.
For critical infrastructure operators, resilience increasingly depends on the ability to plan for concurrent events, stressed supply chains and dependencies that extend well beyond organisational boundaries.
The threat landscape: persistent risks, growing pressure
Insights from the Thales Data Threat Report and the Cyber and Infrastructure Security Centre’s (CISC) Annual Risk Review highlight how longstanding threats are being intensified by scale, connectivity and sophistication.
Globally, malware, phishing and ransomware remain the most common attack types. The continued effectiveness of phishing underscores that technology alone is not enough: security awareness, culture and basic controls remain foundational.
The sources of incidents are similarly diverse: external attackers, nation-state activity and human error all continue to feature prominently. Human error sits at the intersection of cyber risk, process design and organisational culture, and remains a persistent challenge.
From a systemic perspective, the most significant risks increasingly relate to third-party dependencies, extreme-impact cyber incidents, severe weather events, geopolitically driven supply chain disruption and state-sponsored activity. These risks are often amplified by interdependencies rather than single points of failure.
Governance maturity and board accountability
Effective governance is central to managing these evolving risks. Experience shared during the webinar highlighted a clear divergence in board maturity across critical infrastructure entities.
Some boards are actively engaged, understand their obligations under the Security of Critical Infrastructure Act 2018 (Cth) and related regimes, and challenge management on resilience and preparedness. Others have limited awareness of the scope of their accountability and only fully appreciate it when incidents or regulatory scrutiny arise.
Incident response experience reinforces the importance of governance follow-through. In many major cyber incidents, the exploited vulnerability was already known – documented in audits, reviews or risk registers – but had not been adequately prioritised or remediated. Regulators recognise that organisations cannot address every risk immediately, but where known vulnerabilities exist, there is an expectation they will be managed “so far as reasonably practicable”.
Compliance, therefore, cannot be treated as an add-on. Emerging cyber and AI governance obligations need to be embedded into operational frameworks, integrated into enterprise risk management and treated as core elements of resilience by design.
Insider threat and asset visibility
Insider threat also emerged as a growing concern. Recent incidents have involved malicious insiders exfiltrating sensitive data, resulting in significant information compromise even where physical infrastructure was unaffected.
Traditional personnel security approaches often focus on employee protection and wellbeing. What is increasingly required is a complementary focus on protecting the organisation, supported by strong data classification, data loss prevention controls, monitoring of critical data movement and access controls aligned to risk, not just role.
Asset identification remains another challenge. Persistent ambiguity exists around what constitutes a “critical asset” and how organisations move beyond checklist compliance to genuinely resilient operations. Assets such as subsea cables, which underpin most data-driven services yet sit largely outside current regulatory coverage, are a notable example.
A practical approach is to begin with critical operations and work backwards: identifying the people, technology, assets and suppliers required to sustain them, along with upstream and downstream dependencies. This helps organisations understand not only what they rely on, but how they fit into the broader ecosystem.
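As an added illustration (not part of the webinar, and not the CSIRO/Home Affairs mapping), the snippet below models a handful of sectors as a directed dependency graph and applies the two questions raised above: what an operation relies on, and who relies on it. The sector names and edges are constructed assumptions for the example only; GPS timing is included because the article notes it is often left out of resilience planning. The point the code makes is that the “who relies on us?” view is the same graph with its edges reversed, which a register that only lists suppliers never produces, and that a concurrent-failure scenario is just the union of the downstream sets of everything that fails at once.

```python
"""Dependency mapping over a constructed sector graph (illustrative only).

The edges are an assumption for this example. They loosely follow the
article's description of electricity, communications and data as
"lifeline" sectors and of space-based timing as an overlooked dependency,
but they are not a real mapping of any Australian sector.
"""
from collections import deque

# Constructed sample. "A depends on B" is recorded as A -> B.
DEPENDS_ON = {
    "electricity":    {"communications", "gps_timing"},
    "communications": {"electricity", "gps_timing"},
    "data":           {"electricity", "communications"},
    "payments":       {"data", "communications"},
    "water":          {"electricity", "communications"},
    "healthcare":     {"electricity", "water", "data", "payments"},
    "transport":      {"electricity", "gps_timing", "payments"},
    "gps_timing":     set(),
}


def reverse_edges(graph):
    """Turn 'A depends on B' into 'B is relied on by A'.

    This reversed view is the one an organisation that only asks
    'who do we rely on?' never builds, so its downstream exposure stays
    invisible to it.
    """
    rev = {node: set() for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(node)
    return rev


def reachable(graph, start):
    """Every node transitively reachable from start (excluding start).

    Breadth-first with a visited set, so mutual dependencies such as
    electricity <-> communications do not loop forever.
    """
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # a cycle can lead back to the start node
    return seen


def upstream(graph, node):
    """Everything node ultimately relies on, including indirect suppliers."""
    return reachable(graph, node)


def downstream(graph, node):
    """Everyone who ultimately relies on node, directly or indirectly."""
    return reachable(reverse_edges(graph), node)


def cascade(graph, failed):
    """Concurrent-failure scenario: nodes affected when several fail at once.

    Returns the union of the downstream sets of the failed nodes, minus the
    failed nodes themselves. Planning for one failure at a time would
    evaluate each member of `failed` separately and miss the combined reach.
    """
    rev = reverse_edges(graph)
    affected = set()
    for node in failed:
        affected |= reachable(rev, node)
    return affected - set(failed)


def ranked_by_dependents(graph):
    """Sectors ordered by how many others transitively rely on them.

    A high count with a small upstream set is the signature of a lifeline
    that may be underestimating how much others depend on it.
    """
    rev = reverse_edges(graph)
    counts = [(node, len(reachable(rev, node))) for node in graph]
    return sorted(counts, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for sector in ("gps_timing", "healthcare"):
        print(f"{sector}: relies on {sorted(upstream(DEPENDS_ON, sector))}")
        print(f"{sector}: relied on by {sorted(downstream(DEPENDS_ON, sector))}")
    print("water + payments down together affects:",
          sorted(cascade(DEPENDS_ON, {"water", "payments"})))
    print("ranked by dependents:", ranked_by_dependents(DEPENDS_ON))
```

In this constructed graph, gps_timing relies on nothing and so looks harmless from its own “who do we rely on?” register, yet every other sector is in its downstream set; that asymmetry is exactly the blind spot described above. The same two traversals work on a real register of operations, suppliers and assets once the edges are populated from an actual dependency survey.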
Building collective resilience
The discussion concluded with a clear message: resilience cannot be achieved in isolation.
Building collective resilience requires shared understanding, trusted relationships and mechanisms for collaboration across government, industry and research. Informal cooperation during major outages has demonstrated the value of these relationships, but they are most effective when established before a crisis occurs.
Key actions for organisations include understanding their ecosystem, challenging assumptions, clearly documenting risk appetite and operating context, engaging with regulators and peers, and participating in collaborative exercises and resilience programs.
In an environment characterised by cascading, multi-hazard events, resilience is increasingly a shared responsibility, and one that demands sustained, coordinated effort.