Third-party providers, interconnected operational systems and a need to move beyond compliance-based models are just a few of the cyber and information security hazards that the Critical Infrastructure Security Centre (CISC) has highlighted as risks to the country’s critical infrastructure.
The third edition of the CISC’s Critical Infrastructure Annual Risk Review outlined key risk-driven issues that have impacted the security of Australia’s critical infrastructure in 2025 and included a total of five risks under the ‘cyber and information security hazards’ section.
Cyber and information security hazards include where a person, whether authorised or not, improperly accesses or misuses information or computer systems about or related to the critical infrastructure asset; or uses a computer system to obtain unauthorised control of, or access to, the critical infrastructure asset that might impair its proper functioning.
The review said that while external providers play a critical role in many organisations and reliance on their digital services is unavoidable in many areas of modern critical infrastructure operations, in 2025, data breaches impacting multiple Australian critical infrastructure operators were caused by cyber-attacks exploiting vulnerabilities in third-party platforms.
“Critical infrastructure operators must ensure that any external parties with access to their data or systems meet cyber security standards that are at least as strong as their own. Third-party risk should be managed to a standard equal to, or higher than, that applied within the organisation,” the report stated.
Critical infrastructure operators were also told that they need to move beyond compliance-based models and adopt a holistic, risk-based approach to cybersecurity.
“Many operators already take cybersecurity seriously, yet relying solely on compliance risks creating a false sense of security,” the CISC said.
“As technology evolves, resilience is no longer just about having the resources to detect and recover from attacks. Truly resilient digital systems must also prevent incidents where possible and maintain robust continuity plans to ensure service delivery when cyberattacks occur.”
Interconnected operational systems a “concerning vulnerability”
The review advised that due to operational technology (OT) systems being a valuable target for both state-backed and financially motivated threat actors, upgrading and securing digital systems is crucial for critical infrastructure, because many legacy OT systems were not designed to withstand today’s cyber threats.
“The widespread use of internet-of-things devices, together with new AI-based tools, has made digital infrastructure more interconnected than ever. While this interconnectedness can boost efficiency, it also demands a stronger understanding of how to manage varying risk priorities across different platforms,” said the report.
“This is a challenge for risk management and regulation alike. If not properly understood and managed, growing interconnectivity will expose other critical assets to security vulnerabilities from other platforms and systems.”
Another cyber and information security hazard spotlighted by the CISC was that a disproportionate focus on mitigating high-volume, low-impact cyber-attacks can leave infrastructure operators under-prepared for a potentially catastrophic incident.
AI-based tools were also in the crosshairs, with the report noting that while AI-based tools can provide enhanced monitoring, detection, and analysis of threats to cyber environments, they can also magnify the capabilities of threat actors and increase the vulnerability of connected systems and information.
“Malicious actors are expected to act quickly to exploit any vulnerabilities in AI-integrated systems. It is vital that critical infrastructure operators proactively manage both the opportunities and risks introduced by AI-enabled tools,” the review noted.