Australian infrastructure systems are at risk as managers and organisations are struggling with a changing cybersecurity landscape, a new report has found.

Takepoint Research's paper, Securing Society: Insights on Cyber-Physical Safety in Australia’s Critical Infrastructure, found more than 60 per cent of operational technology managers believe their organisations are not fully ready for today’s compliance environment and 70 per cent are concerned about the widespread fragmented approach to cybersecurity.

Based on his interviews of more than 50 cybersecurity practitioners across Australian industry, report author Sam Mackenzie warns the nation must move quickly to address vulnerabilities across sectors such as water, energy, and healthcare.

“Over the course of my career, I’ve watched technology evolve rapidly and embed in essential service delivery,” Mackenzie said.

“That lived experience compelled me to test a hypothesis I couldn’t ignore: that much of our modern-day critical infrastructure is running on a precarious stack of technological Jenga.

"It’s often seen as stable, yet recent unpredictable weather and technology events demonstrate that it’s not.

"I conducted this research to test a hypothesis: 'securing society: we aren’t ready'.

"And to bring urgency and clarity to this uncomfortable truth.”

Cybersecurity has traditionally been framed as a data protection issue, Mackenzie told Information Age.

But, as digital systems increasingly control physical industrial processes, cyber incidents are now creating real-world risks.

A turn-of-the-century attack in Maroochy Shire, Queensland, where a rogue contractor manipulated sewage systems to spill waste into public areas, serves as a stark early example of cyber-physical sabotage.

The attack in 2000 was an early warning of what was to come, the report points out.

A recent ransomware campaign in the US forced a water facility offline, while hospitals in the UK had to cancel procedures following a cyber assault on diagnostic services.

These incidents underline the escalating threat to public safety.

Threats from all sides

According to the Australian Signals Directorate (ASD), cyber incidents targeting the nation’s critical infrastructure rose from 95 in 2021–22 to 143 in 2022–23, before slightly easing to 121 in 2023–24.

The most targeted sectors remain water, energy, and healthcare.

While major breaches like those affecting Medibank and Optus have captured headlines, Mackenzie warns of more serious, often unseen risks.

“Many operational technology environments often allow remote access or are exposed to the internet — often unnecessarily, sometimes mistakenly," he said.

"These gaps create direct paths for exploitation."

But technology is just one part of the problem.

“There’s a governance risk too.

"Cyber-physical risks are all-too-often buried beneath more headline gripping data privacy concerns.

"This leads to misaligned funding and priorities, with cyber-physical threats missing out on crucial investment,” he added.

A system strained by silos

The report highlights how most organisations still separate IT and operational concerns.

More than 70 per cent of interviewees said their organisations had not integrated cyber-physical threats into their enterprise risk frameworks.

“This siloed approach limits effective incident response, prioritisation, and communication between departments," Mackenzie said.

“We’ve spent so much time in the early stages — identify, detect, protect — and not enough exercising our muscles in recovery and restoration."

“We know cybercriminals are getting in, yet we still focus the majority of our effort and resources at the front of the lifecycle.

"This all adds up to a leadership failure.”

In Mackenzie’s view, businesses need to be proactive at the highest levels.

“Boards and executives must both step up and double down," he said.

"Engineering and cybersecurity teams don’t need a seat at the table, but they do need active support to surface these risks and embed them into enterprise risk frameworks for treatment.

“These operational systems aren’t peripheral; they’re the backbone of our economy, safety, and wellbeing.

"Addressing these challenges is no longer just strategic; it’s a moral and societal obligation.”

A rising tide of complexity

The report notes the growing sophistication of cyber threats.

Nation-state actors and financially motivated cybercriminals are increasingly targeting OT (operational technology) systems, often through exposed remote access points or supply chain vulnerabilities.

The rise of Cybercrime-as-a-Service means attackers no longer need deep technical expertise to launch devastating campaigns.

Healthcare remains a particularly high-risk sector.

With electronic health records reportedly ten times more valuable than credit card details, hospitals have become key targets.

Meanwhile, Australia’s cyber skills shortage is exacerbating the problem.

Many OT roles demand a hybrid skillset that’s hard to find — and even harder to retain.

What Australia must do next

To harden its critical infrastructure, Mackenzie says Australia must invest in cross-sector and cross-discipline collaboration.

“We need deeper cross-sector, cross-discipline collaboration — from intelligence sharing through initiatives like CI-ISAC, to grassroots efforts like Cybersecurity for Critical Infrastructure (CS4CI),” he said.

He also highlights the importance of public-private partnerships, including those facilitated by Home Affairs, the Trusted Information Sharing Network (TISN), and industry-led groups.

Above all, Mackenzie calls for a broader cultural shift.

“We must raise awareness of cyber-physical impacts with boards, executive leaders, and even the public.

"This needs a whole-of-industry response, where we focus beyond data breaches to counter physical impacts, improve safety, and protect the modern-day services we all rely on.”

The report concludes with a clear message: Australia must treat cybersecurity as an extension of operational safety — not a separate domain.

That means embedding cyber risk into the governance, safety, and continuity frameworks that already exist for essential services.

Mackenzie puts it plainly: “Most critically, we must stay focused on life-impacting scenarios.

"The first loss of life due to cyberattacks on hospitals has already occurred overseas.

"Australia must act now — we cannot allow that to happen here."