Australia’s critical infrastructure operators are being urged to reassess how they manage cyber risk from drones, as new research points to limited detection capability, low awareness, and minimal guidance that could affect operational resilience and insurance exposure. A report from Innovation Central Canberra at the University of Canberra, produced with counter‑drone company DroneShield, examined how unmanned aircraft could be used to support cyber intrusions across sectors such as energy, water, telecommunications, and data centres. The work combined a review of the threat environment with interviews and discussions involving Australian critical infrastructure operators.
The study found no publicly documented cases in Australia where drones had been used as part of a cyberattack. The authors said, however, that a lack of recorded incidents does not remove the threat, pointing to growing drone usage, more capable platforms, and limited local reporting on drone-enabled cyber activity. Professor Frank den Hartog, Cisco Research chair in critical infrastructure at the University of Canberra, said drones are already considered in wider security and defence planning and argued that cyber strategies need to reflect their role. “We know how drones have changed traditional warfare, but are we oblivious of the role they play in cyber security? That’s a worry, and an opportunity for our drone and cyber industry,” den Hartog said, as reported by Security Brief.
The report described drones as widely available technology whose cost, endurance, and payload options have shifted over time. According to the researchers, these trends broaden the scenarios in which drones could support cyber operations, including delivering hardware close to facilities, assisting with wireless interception, or helping attackers gain proximity to networks not directly connected to the public internet.
The research team outlined three main factors behind what it called a growing exposure:
Surveyed organisations often reported only basic or informal approaches to drone detection, typically framed around aviation safety or privacy rather than cyber intrusion. Respondents also indicated uncertainty about how to evaluate threats that involve both physical access and digital compromise, such as a drone dropping a device near a network segment or positioning a sensor close to a restricted area. The report referenced overseas incidents in which malicious actors have tested drone-borne cyber approaches. While those examples have not yet been widely replicated in Australia, the authors suggested they may indicate tactics that could be adopted locally as equipment and tools become easier to obtain.
Over the next five years, the researchers expect Australian operators to revisit their assumptions about both the likelihood and relevance of drone-enabled cyber scenarios, as more international case studies emerge and as drone hardware, software, and offensive cyber techniques continue to develop. For insurers writing cyber and property programs for critical infrastructure and large corporates, the findings point to potential blind spots where conventional perimeter controls and network monitoring may not fully account for small, mobile platforms operating at the edge of facilities.
The report called for greater information-sharing and coordination across critical infrastructure sectors, especially where organisations share locations or dependencies, such as industrial precincts, common carrier networks, or multi-user data facilities. It recommended that operators:
“This research highlights the need for greater education, more industry collaboration, improved knowledge-sharing, and broader consideration of counter-drone capabilities across critical infrastructure sectors,” den Hartog said. Rather than building a separate framework for drones, the authors advised embedding drone-related considerations into existing security governance, risk registers, and resilience programs. “We need to encourage operators to periodically and critically review how drones are used within their operations, assess the cybersecurity implications of increased adoption, and explore strategies to integrate drone risk into existing security and resilience programs,” den Hartog said.
The project was conducted under Innovation Central Canberra, a collaboration between the University of Canberra and Cisco. The team included Professor den Hartog and Innovation Central Canberra students Andrew Giumelli and Simone Chitsinde, combining targeted analysis with interviews of operators. DroneShield participated in the project alongside university and research partners. The company supplies systems used to detect and counter drones and autonomous platforms for government, defence, law enforcement, and infrastructure customers. The organisations involved said future joint work is possible as drone use, regulation, and associated risks change.
Alongside drone-related concerns, vendors and analysts are highlighting broader changes in Australia’s cyber threat landscape that are likely to influence underwriting for cyber, technology errors and omissions, and business interruption covers through 2026. Barracuda Networks has pointed to the emergence of autonomous, AI-driven attack systems as a shift from models that rely heavily on manual attacker decision-making. Under the emerging approach, automated systems are expected to run campaigns and adjust tactics in response to defensive measures. Such activity may be harder to detect using pattern-based or signature-based tools, and incident responders may find it more difficult to reconstruct how intrusions unfolded. For insurers, that may translate into more complex claims investigations and challenges in identifying specific control failures.
At the same time, phishing infrastructure is consolidating under more formalised “as-a-service” arrangements in criminal markets. Barracuda’s threat analysis suggests that by 2026, phishing kits are likely to be offered under tiered subscription models, ranging from basic templates to more advanced, AI-supported services that tailor messages at scale and use methods such as token theft and authentication relays to bypass multifactor authentication. Barracuda projects that by the end of 2026, more than 90% of credential-based breaches will involve phishing kits, which it expects to account for over 60% of phishing attacks overall. These trends are expected to keep email security, authentication controls, and user awareness training central to cyber underwriting discussions.
Third-party access remains a significant contributor to breach activity in Australia. Research by Claroty indicates that 46% of organisations experienced at least one breach in the previous 12 months that was linked to third-party access. In critical infrastructure, remote access for vendors is still often managed through legacy mechanisms such as virtual private networks and jump boxes, sometimes without comprehensive governance or visibility. Attackers have been observed targeting these connection points to move around perimeter defences and gain a foothold inside networks. Some organisations are beginning to move toward internally managed remote access platforms, reducing reliance on vendor-controlled tools and tightening how and when external parties can connect. From an insurance standpoint, the maturity of third-party risk management and remote access governance is likely to remain a core underwriting focus, especially for higher-risk industries.
The composition and motivation of threat actors are also shifting. Gerry Sillars, Semperis vice president for Asia-Pacific and Japan, has observed greater involvement of younger individuals in cybercrime, often starting in gaming communities and online forums where hacking tools and techniques are normalised. Criminal groups use targeted messaging that emphasises status and belonging to attract potential recruits.
Geopolitical dynamics are further narrowing the gap between state-sponsored and financially motivated actors. States facing economic pressure and sanctions are reported to work more closely with criminal groups or rely on them to generate revenue. In November, Australia joined the UK and the US in imposing sanctions on two Russia-based cybercrime service providers, Media Land LLC and ML, along with associated individuals including Aleksandr Alexandrovich Volosovik and Kirill Andreevich Zatolokin. Analysts have cautioned that such coordinated sanctions may increase the likelihood of retaliatory campaigns directed at Australian government systems, critical infrastructure, and commercial entities through 2026. For Australia’s insurance market, the intersection of drone-enabled threats, autonomous attacks, phishing-as-a-service, third-party access risk, and evolving threat actor structures underscores the need to reassess aggregation risk, refine wording around state-linked activity, and ensure that cyber underwriting frameworks reflect both current and emerging attack methods.
