(TLP:CLEAR) Australian Risk Advisory for Critical Infrastructure – Water and Wastewater Sector

Summary: The Australian government’s Critical Infrastructure Security Centre (CISC) recently published a series of risk advisory reports, including one on the water and wastewater sector. The advisory is designed to provide guidance to water utility owners and operators on assessing risks to Australia’s Water and Sewerage Sector (Australia’s label for the water and wastewater sector).

Analyst Note: Although CISC wrote the report for Australian water sector stakeholders, the threat information and guidance are extremely relevant for U.S. water and wastewater utilities. This advisory provides information on the following topics: identifying and assessing relevant impact; risk considerations by hazard category; threat and hazard prioritization; and sector interdependencies. The report also closely aligns with WaterISAC’s assessments in its 2025 “Threat Analysis Report.” CISC notes that this specific sector advisory should also be read in conjunction with the risk advisory, “Assessing Risk for Critical Infrastructure” (access the other advisory via the link below).

The advisory begins with a bottom-line-up-front assessment, stating “the international and domestic threat landscapes continue to evolve; natural hazards are becoming more prevalent, with longer-lasting impacts, and critical infrastructure networks continue to be targeted globally by a widening array of threat actors.” On physical security, the report notes threats can manifest in several ways, primarily via espionage, sabotage, and foreign interference. Importantly, the report emphasizes that changes in the global security landscape, such as rising regional conflicts or strained international relations from sanctions and trade disputes, can heighten physical security risks.

On insider threats, which the report labels as personnel security hazards, it states these can manifest as both intentional and unintentional insider threats. According to the report, “trusted insiders are one of the most attractive targets for external threat actors, as they can be recruited for malicious activity through monetary or ideological incentive.” The report notably characterizes supply chain risks as including malicious activities to exploit, misuse, access or disrupt the supply chain; an over-reliance on particular suppliers; and other disruptions from issues in the supply chain, including a failure or lowered capacity of supply. This could include fuel price issues from the Iran conflict. The report also looks at natural hazards and cybersecurity.

Original Sources:

• https://www.cisc.gov.au/resources-subsite/Documents/raa-water-sewerage.pdf
• https://www.cisc.gov.au/resources-subsite/Documents/risk-assessment-advisory-critical-infrastructure.pdf

Mitigation Recommendations:

• (TLP:CLEAR) WaterISAC – TOP ACTIONS to Enhance Your Utility’s Physical Security
• (TLP:CLEAR) WaterISAC – TOP ACTIONS to Enhance Your Utility’s Cybersecurity

Related WaterISAC PIRs: 1 – 18