Introduction
In an era marked by climate volatility, cyber threats and growing interdependencies, the resilience of Australia's Critical Infrastructure (CI) has never been more vital. Energy, water and transport systems form the backbone of our society by supporting communities, enabling economic activity and ensuring public safety. As we mark NAIDOC Week and reflect on the importance of sustainable and inclusive systems, it is timely to explore how we can better protect these essential services.
Why Resilience Matters
The Security of Critical Infrastructure Act 2018 (SOCI Act) establishes a framework for managing national security risks relating to critical infrastructure (Australian Government, 2025). Among its obligations, it requires the responsible entities for certain classes of critical infrastructure asset to adopt and maintain a Critical Infrastructure Risk Management Program (CIRMP). However, compliance is only the beginning. True resilience means anticipating disruption and adapting to change without compromising service delivery or public trust.
The urgency is illustrated both by real incidents, in Australia and globally, that have shown the ripple effects when critical systems fail, and by plausible scenarios. Consider a sophisticated cyberattack on Australia's energy grid designed not to destroy, but to subtly manipulate power distribution over an extended period. Such an attack could cause intermittent blackouts across major cities, disrupting businesses and compromising public safety by affecting traffic lights and emergency services, while industries halting operations would cause significant economic losses. Trust in essential services would erode rapidly, leading to social unrest and a profound sense of vulnerability.
Consider the increasing frequency and intensity of natural disasters in Australia. A major flood in a regional area could inundate a key water treatment plant, as well as the transport links used to deliver vital chemicals. This wouldn't just impact potable water supply for the immediate community; it could also halt agricultural production dependent on that water, leading to food shortages and economic hardship for an entire region. Similarly, a severe bushfire could damage essential telecommunication infrastructure, isolating communities and hindering emergency response efforts, as seen in past fire seasons where communication blackouts exacerbated crises.
Furthermore, the interdependencies between critical infrastructure sectors mean that a failure in one can quickly cascade. A cyberattack on a major port's operational technology systems, for example, could paralyse shipping, leading to widespread supply chain disruptions, impacting everything from fuel availability to medical supplies. The economic ramifications would be immense, affecting import-dependent industries and everyday consumers. These scenarios, while hypothetical, underscore the real and growing threats that necessitate robust and proactive critical infrastructure risk management. Building resilience isn't merely about preventing outages; it's about safeguarding livelihoods, maintaining economic stability and preserving national security.
Current Strategies
Australia is actively enhancing the resilience and security of its critical infrastructure through a comprehensive and forward-looking strategy. Central to this effort is the 2023 Critical Infrastructure Resilience Strategy, developed by the Cyber and Infrastructure Security Centre (CISC, 2024). This strategy outlines a national framework guiding efforts from 2023 to 2028, emphasising collaboration between government and industry via the Trusted Information Sharing Network (TISN). It integrates legislative and regulatory measures to ensure a unified and robust approach to infrastructure protection.
A key initiative under this strategy is the designation of Systems of National Significance (SoNS). Over two hundred assets across sectors such as energy, communications, transport and financial services have been declared SoNS, subjecting them to the SOCI Act's enhanced cyber security obligations. These can include maintaining a cyber security incident response plan, undertaking cyber security exercises and vulnerability assessments, and providing system information to the Australian Signals Directorate (Burke, 2024).
CIRMP: A Structured Path to Resilience
Critical Infrastructure Risk Management Programs (CIRMPs) need to go beyond compliance. They should be comprehensive, audit-ready frameworks that help critical infrastructure operators meet their obligations under the SOCI Act. More importantly, they serve as strategic tools for building operational resilience, strengthening stakeholder confidence and ensuring long-term sustainability.
One primary complexity lies in data sharing limitations and sensitivities. The SOCI Act mandates reporting and sharing of certain information: operational and ownership details for the register of critical infrastructure assets, mandatory reporting of cyber security incidents and, for SoNS, provision of system information. However, critical infrastructure operators often deal with highly sensitive operational technology (OT) data and proprietary information. Concerns around intellectual property, commercial confidentiality and the potential for shared data to be misused or fall into the wrong hands can create reluctance. Establishing secure, trusted and efficient channels for sharing this information with government agencies such as the Australian Signals Directorate and through networks such as the TISN requires careful planning, robust agreements and a high degree of trust.
Another significant hurdle is integration with existing systems and legacy infrastructure. Many critical infrastructure assets were built decades ago and operate on older, proprietary or highly specialised OT that was not designed with modern cyber threats or interoperability in mind. Integrating the new security frameworks, data collection tools and reporting mechanisms required by a CIRMP into these legacy systems can be technically challenging, costly and carries a real risk of disrupting live operations. This often requires significant investment in upgrades, compensating controls or a phased modernisation approach.
Resource constraints, particularly for smaller operators, present a considerable challenge. While large corporations might have dedicated risk management, cybersecurity and legal teams, smaller critical infrastructure entities may have limited budgets and personnel. Complying with the extensive requirements of the SOCI Act and developing a comprehensive CIRMP, which ideally should be "audit-ready" and grounded in standards like ISO 31000:2018, can overwhelm their existing capacity. This includes the human resources needed for ongoing risk assessments, developing detailed mitigation plans, conducting regular cybersecurity exercises and continuous monitoring.
Finally, navigating the evolving threat landscape and regulatory environment adds another layer of complexity. Cyber threats are constantly adapting and climate volatility is increasing. This means CIRMPs cannot be static documents; they require continuous review, adaptation and updating. Keeping abreast of the latest government guidance, amendments to legislation and emerging best practices can be a full-time job in itself, demanding a proactive and agile approach from critical infrastructure operators. Overcoming these complexities requires a strategic mindset, sustained investment and often, collaboration with external experts and government bodies.
Given these complexities, any CIRMP offering should be built on a structured and practical approach to resilience, grounded in standards such as ISO 31000:2018 (Risk management: Guidelines) and industry best practice. Note that the general risk framework is not the whole picture: the CIRMP Rules also require the cyber and information security hazard to be managed against a framework listed in the Rules, such as the ACSC Essential Eight Maturity Model, AS ISO/IEC 27001 or the NIST Cybersecurity Framework, so the program needs to map its cyber controls to one of those as well.
As shown in Figure 1, we begin by clearly defining the scope of your critical infrastructure where we outline the boundaries of your assets and identify what falls under regulatory obligations. From there, we identify potential risks by pinpointing vulnerabilities and threats that could impact operations, including cyber, physical and environmental factors. Once risks are identified, we conduct a thorough risk analysis to evaluate their likelihood and potential impact. This is followed by a detailed assessment of the consequences these risks could have on service delivery, safety and stakeholder trust.

Figure 1. CIRMP Process
Finally, we collaborate with clients to implement tailored risk treatment strategies and develop and execute mitigation plans that are both effective and feasible. This end-to-end process ensures that organisations are not only compliant with the SOCI Act but are also equipped to operate with confidence in an increasingly complex risk environment.
Risk Treatment Strategies: A Deeper Dive
Once risks are identified and analysed, the next crucial step in a CIRMP is to determine the most appropriate risk treatment strategies. These strategies aim to modify risks to an acceptable level and typically fall into four main categories:
- Avoidance: This involves eliminating the risk altogether by deciding not to engage in the activity that gives rise to it. In critical infrastructure, true avoidance is often difficult given the essential nature of the services. However, it can apply in specific scenarios. For instance, if a proposed new infrastructure project is identified as being highly vulnerable to a specific, unmitigable natural disaster risk (e.g., building a data centre on a known active floodplain without adequate protection), the risk might be avoided by selecting an alternative, less vulnerable location. Another example could be avoiding the use of certain unpatched legacy software or hardware known to have critical, unfixable vulnerabilities by actively decommissioning and replacing it.
- Reduction/Mitigation: This is the most common and extensive risk treatment strategy in critical infrastructure, focusing on implementing controls to decrease the likelihood or impact of a risk. Examples include:
  - Technical Controls: Implementing multi-factor authentication (MFA) for all remote access to operational systems to prevent unauthorised cyber intrusion; deploying advanced firewalls and intrusion detection systems; encrypting sensitive data; and segmenting networks to limit the spread of a cyberattack. For physical security, this includes robust access control systems, video surveillance and perimeter fencing, often integrated with CPTED (Crime Prevention Through Environmental Design) principles.
  - Procedural Controls: Developing and regularly testing incident response plans; establishing clear communication protocols during emergencies; conducting routine vulnerability assessments and penetration testing; and implementing comprehensive employee training programs on cybersecurity awareness and physical security protocols.
  - Engineering Controls: Building redundancy into critical systems (e.g., multiple power sources, redundant communication lines, backup water pumps) to ensure service continuity even if one component fails; designing infrastructure to withstand specific climate extremes like higher flood levels or stronger winds; and implementing geographically dispersed data centres to protect against localised disasters.
- Transfer: This involves shifting the financial consequences or operational responsibility of a risk to a third party. The most common form of risk transfer in critical infrastructure is insurance, which can cover financial losses resulting from cyberattacks, natural disasters or other catastrophic events. Another example is outsourcing certain non-core but critical functions (e.g., some IT security operations or disaster recovery services) to specialised third-party providers, thereby transferring some of the operational risk and responsibility to them, governed by service level agreements (SLAs). Two caveats apply: insurance compensates for loss after the event but does nothing to keep the service running, and regulatory accountability under the SOCI Act stays with the responsible entity regardless of who operates the function, so outsourced providers need to be treated as a supply chain hazard in their own right.
- Acceptance: After applying other treatment strategies, some level of residual risk will almost always remain. Risk acceptance occurs when an organisation makes an informed decision to tolerate this remaining risk, typically because the cost of further mitigation outweighs the potential benefits or the likelihood and impact are deemed sufficiently low as to be acceptable given the organisation's risk appetite. This decision must be formal, documented and based on a clear understanding of the potential consequences. For example, a minor, temporary disruption to a non-essential internal service might be accepted if the cost of achieving 100% uptime is prohibitive and the impact on core operations is negligible.
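As an added worked example (not code from the original article), the process above, from scoring a risk through choosing a treatment to deciding what residual risk to accept, can be expressed as a small risk register in Python. Each risk carries an inherent likelihood and impact, a treatment choice and any controls; the evaluation step flags residual risk that still exceeds the stated appetite without a documented acceptance. The 5x5 scales, rating thresholds, control effects, operator and sample risks are all assumptions chosen for illustration.

```python
"""Worked CIRMP-style risk register: inherent versus residual rating,
treatment selection and a check of residual risk against risk appetite.

Added illustration, not code from the original article. The 5x5 scales,
rating thresholds, control effects and sample risks are assumptions; an
operator substitutes its own criteria.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

# Assumed 5-point qualitative scales (ISO 31000 does not prescribe one).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_ORDER = ["low", "medium", "high", "extreme"]


class Treatment(Enum):
    AVOID = "avoid"        # stop the activity that creates the risk
    REDUCE = "reduce"      # controls cut likelihood and/or impact
    TRANSFER = "transfer"  # insurance or outsourcing; exposure remains
    ACCEPT = "accept"      # informed, documented decision to tolerate


def rating(score: int) -> str:
    """Map a likelihood x impact product (0..25) to a rating; thresholds assumed."""
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale


@dataclass
class Risk:
    risk_id: str
    hazard: str  # cyber, physical, natural hazard, supply chain ...
    description: str
    likelihood: str
    impact: str
    treatment: Treatment
    controls: List[Control] = field(default_factory=list)
    accepted_by: Optional[str] = None  # who formally signed off the residual risk

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        if self.treatment is Treatment.AVOID:
            return 0  # activity is not undertaken, so no residual exposure
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)  # controls never take a scale below 1


def evaluate(register: List[Risk], appetite: str = "medium") -> List[Tuple[str, str, str]]:
    """(risk_id, residual rating, finding) for each risk whose residual rating
    exceeds the appetite. Such a risk needs further treatment or a documented
    acceptance; a transfer on its own does not make it go away."""
    limit = RATING_ORDER.index(appetite)
    findings = []
    for r in register:
        res = rating(r.residual_score())
        if RATING_ORDER.index(res) <= limit:
            continue
        if r.treatment is Treatment.ACCEPT and r.accepted_by:
            findings.append((r.risk_id, res, f"accepted above appetite by {r.accepted_by}"))
        else:
            findings.append((r.risk_id, res, "residual above appetite: treat further or obtain formal acceptance"))
    return findings


def build_sample_register() -> List[Risk]:
    # Constructed sample risks for a hypothetical water and energy operator.
    mfa = Control("MFA on all remote access to OT", likelihood_reduction=2)
    segmentation = Control("IT/OT network segmentation", impact_reduction=2)
    return [
        Risk("CI-01", "cyber", "Unauthorised remote access to SCADA via VPN",
             "likely", "severe", Treatment.REDUCE, [mfa, segmentation]),
        Risk("CI-02", "natural hazard", "Flooding of chemical dosing building at treatment plant",
             "possible", "major", Treatment.REDUCE,
             [Control("Flood barrier", likelihood_reduction=1),
              Control("Reserve chemical stock at second site", impact_reduction=1)]),
        Risk("CI-03", "cyber", "Unsupported OT firmware with unfixable vulnerabilities",
             "likely", "major", Treatment.AVOID,
             [Control("Decommission and replace the affected controllers")]),
        Risk("CI-04", "cyber", "Ransomware on corporate IT spreading into OT",
             "possible", "severe", Treatment.TRANSFER,
             [Control("Cyber insurance policy", impact_reduction=1)]),
        Risk("CI-05", "physical", "Single road access to remote substation in bushfire season",
             "possible", "major", Treatment.ACCEPT, accepted_by="Board risk committee"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in register:
        print(r.risk_id, rating(r.inherent_score()), "->", rating(r.residual_score()), r.treatment.value)
    for finding in evaluate(register, appetite="medium"):
        print(finding)
```

Running it shows the point of the caveats above: CI-04's insurance leaves a high residual rating that still needs treatment or a formal sign-off, CI-05 is above appetite but carries a documented acceptance, and CI-03's avoidance removes the exposure entirely.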
Continuous Improvement and Monitoring: The Cyclical Nature of Resilience
The process of managing critical infrastructure risk is not a one-time event; it is a dynamic and continuous cycle. While the CIRMP outlines a structured path, true resilience demands foresight, adaptability and a commitment to continuous improvement.
- Regular Review and Evaluation: CIRMPs, risk assessments and mitigation strategies must be periodically reviewed to ensure their ongoing effectiveness. This involves assessing whether identified risks are still relevant, if new threats have emerged and if implemented controls are performing as intended. Reviews should be conducted on a scheduled basis (e.g., annually), and also triggered by significant events such as major incidents, changes in infrastructure, shifts in the threat landscape (e.g., new cyberattack methodologies) or updates to legislation.
- Performance Monitoring: Effective CIRMPs incorporate mechanisms for continuous monitoring of key performance indicators (KPIs) related to security and resilience. This can include real-time monitoring of network traffic for anomalies, physical security system alerts, uptime metrics for critical services and tracking the resolution time of identified vulnerabilities. Tools and technologies, including advanced surveillance systems and threat intelligence feeds, play a crucial role in providing the data necessary for informed decision-making.
- Lessons Learned and Adaptation: After any incident, near-miss or even a routine exercise, it is vital to conduct a thorough post-incident analysis to identify lessons learned. What worked well? What could be improved? These insights should directly feed back into the CIRMP, leading to adaptations in risk identification, analysis, treatment strategies and emergency response protocols. This iterative process ensures that the CIRMP remains agile and responsive to an ever-evolving risk environment.
- Stakeholder Engagement and Feedback: Continuous improvement also relies on ongoing engagement with internal and external stakeholders, including government bodies like the Cyber and Infrastructure Security Centre (CISC), through platforms like the Trusted Information Sharing Network (TISN). Feedback from these interactions can provide valuable perspectives on emerging risks and best practices, further refining the CIRMP and strengthening collective resilience.
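As an added example (not code from the article), one of the KPIs named under Performance Monitoring above, the time taken to resolve identified vulnerabilities, can be tracked against per-severity remediation targets so that overdue findings and the mean time to remediate feed the review cycle. The target days, asset names, dates and findings are constructed for illustration.

```python
"""Remediation KPI check for vulnerability findings on CI assets: mean time to
remediate per severity, open findings past target, and on-time closure rate.

Added illustration, not from the original article. Target days, assets and
findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TARGET_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}  # assumed targets
TODAY = date(2025, 6, 23)  # fixed reporting date so the sample is reproducible


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    found: date
    fixed: Optional[date] = None  # None while still open

    def age_days(self, today: date) -> int:
        """Days from discovery to closure, or to today if still open."""
        return ((self.fixed or today) - self.found).days

    def breached(self, today: date) -> bool:
        return self.age_days(today) > TARGET_DAYS[self.severity]


def mean_time_to_remediate(findings: List[Finding], today: date) -> Dict[str, float]:
    """Average days to close, per severity, over closed findings only."""
    totals: Dict[str, List[int]] = {}
    for f in findings:
        if f.fixed is None:
            continue
        days, count = totals.setdefault(f.severity, [0, 0])
        totals[f.severity] = [days + f.age_days(today), count + 1]
    return {sev: days / count for sev, (days, count) in totals.items()}


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings past their target, most overdue first."""
    late = [f for f in findings if f.fixed is None and f.breached(today)]
    return sorted(late, key=lambda f: f.age_days(today) - TARGET_DAYS[f.severity], reverse=True)


def on_time_rate(findings: List[Finding], today: date) -> float:
    """Fraction of closed findings that met their target."""
    closed = [f for f in findings if f.fixed is not None]
    return sum(1 for f in closed if not f.breached(today)) / len(closed)


def sample_findings() -> List[Finding]:
    # Constructed sample records; names and dates are invented.
    return [
        Finding("V-1", "SCADA historian", "critical", date(2025, 5, 1), date(2025, 5, 10)),
        Finding("V-2", "VPN concentrator", "critical", date(2025, 5, 20)),
        Finding("V-3", "PLC engineering workstation", "high", date(2025, 4, 1), date(2025, 5, 15)),
        Finding("V-4", "Corporate mail gateway", "high", date(2025, 6, 1), date(2025, 6, 20)),
        Finding("V-5", "Badge access server", "medium", date(2025, 2, 1)),
        Finding("V-6", "Intranet wiki", "low", date(2025, 6, 10)),
    ]


if __name__ == "__main__":
    fs = sample_findings()
    print("MTTR by severity:", mean_time_to_remediate(fs, TODAY))
    print("Overdue:", [(f.finding_id, f.asset, f.age_days(TODAY)) for f in overdue(fs, TODAY)])
    print("On-time closure rate:", round(on_time_rate(fs, TODAY), 2))
```

The overdue list is ordered by how far past target each finding is rather than by raw age, which is what a review meeting actually needs; here the medium-severity badge server (52 days over) outranks the critical VPN concentrator (20 days over).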
By embedding this cyclical approach of review, monitoring, learning and adaptation, critical infrastructure operators can ensure their CIRMPs are living documents that evolve alongside the threats, continually enhancing their ability to safeguard the systems that underpin our communities and economy.
Conclusion
With Australia’s critical infrastructure increasingly challenged by climate extremes and cyber threats, the urgency for proactive, well-structured and resilient risk management has never been greater. While the SOCI Act 2018 establishes a crucial regulatory framework, genuine resilience requires more than mere compliance. It calls for strategic foresight, adaptability and a sustained commitment to continual improvement.
At Lote Consulting, we believe that Critical Infrastructure Risk Management Programs (CIRMPs) are not just regulatory checklists—they are strategic tools for safeguarding the systems that underpin our communities and economy. Through real-world applications like transport infrastructure projects, we have demonstrated how CIRMP principles can be embedded into infrastructure planning and operations to deliver measurable improvements in security, service continuity and stakeholder confidence.
References
Cyber and Infrastructure Security Centre (CISC) 2024, Our Strategy, Australian Government, viewed 23 June 2025, https://www.cisc.gov.au/about-us/our-strategy.
Burke, T. 2024, Protecting Australia's critical infrastructure, Minister for Home Affairs, Australian Government, viewed 23 June 2025, https://minister.homeaffairs.gov.au/TonyBurke/Pages/protecting-australias-critical-infrastructure.aspx.
Australian Government 2025, Security of Critical Infrastructure Act 2018, Federal Register of Legislation, viewed 23 June 2025, https://www.legislation.gov.au/C2018A00029/latest.