As Australian councils embrace the promise of smart cities, integrating sensors, Internet of Things devices, and digital systems into transport, water, energy, and public services, the continued threat from cyber-attacks remains.
While these technologies can improve efficiency and service delivery, they also expand the attack surface for cybercriminals, making local governments increasingly vulnerable to disruptive and costly breaches.
Globally, cyber-crime damages are projected to reach USD$10.5 trillion in 2025, and if it were a country, cyber-crime would be the third largest economy in the world behind the US and China.
Local governments are attractive targets for multiple reasons. They store significant volumes of sensitive personal data, manage critical infrastructure, and employ large workforces. Ransomware, data breaches, and attacks facilitated through ‘crime-as-a-service’ platforms mean even less-experienced cybercriminals can target councils effectively. Perhaps mostly importantly, state-sponsored actors also pose a threat to critical services.
Several Australian councils have already experienced attacks. In 2022, a NSW council suffered a ransomware attack on their water infrastructure remote monitoring system, which forced the council to use manual process to manage its infrastructure. Similarly, in 2021 a Victorian council experienced a cyber-attack that forced it to disable a range of online services, including online payments and its call centre.
Australian councils are certainly not alone in facing these challenges. In the UK, Leicester City Council experienced a major ransomware incident in 2024. In the attack, 3TB of data was stolen, and many core services were disrupted, including waste collection and the city’s streetlights, which remained continuously on post-attack.
These cases underline the risk of operational disruption and data exposure, reinforce the need for cyber-security to be treated as a central operational priority, not just an IT concern, and highlight the need for local governments to implement robust and proactive defences to support their cyber-resilience.
Fortunately, there are examples of proactive, cyber-resilient approaches. In Australia, the Australian Cyber Security Centre (ACSC) and Cyber Security NSW offer guidance for councils, encouraging adoption of the Essential Eight mitigation strategies, regular risk assessments, and ongoing staff training. Councils are also advised to integrate cybersecurity into governance structures, service planning, and asset management to ensure resilience is embedded at all levels.
Globally, some local councils are experimenting with innovative strategies to build cyber resilience. The city of Stamford in the US ran an 18-month pilot program in conjunction with the Secure Cyber City initiative and the Center for Internet Security to strengthen its cyber resilience across public services and critical infrastructure. The program combined technical support, threat‑monitoring tools, and community outreach, to build long-term cyber-resilience. Part of the pilot included briefing the operators of Stamford’s public transport and water systems on threats specific to operational technology, and equipped them with tools for continuous monitoring of systems and endpoint protection to help secure vital services against disruptions.
For many local governments and public works professionals, the issue of cyber-security remains challenging. Governments face a difficult juggling act of modernising legacy systems, undergoing digital transformations, coupled with conflicting priorities and financial constraints.
As an initial step to address this issue, a representative from the American Public Works Association (APWA), Evan Pratt, testified in front of the Senate Committee in 2021 on the cyber-security vulnerabilities facing America’s physical infrastructure. He stated “Cyber-security is an issue that still has a very unclear risk assessment profile. On the one hand, not all utilities have remote sensing and controls. On the other, the wide range of solutions do and may result in weak points when deployed, especially with varied levels of agency cyber-awareness.”
Pratt also highlighted that: “Public works professionals must be prepared to not only mitigate potential damage, but they simultaneously may also be called on to respond to and repair any such damage caused physically or otherwise from a cyber breach.”
In response to the increased threat landscape, APWA conducted the first “Foundational Cybersecurity Concepts for Public Works Professionals” course in 2023. It was developed together with guidance from the Cybersecurity Infrastructure and Security Agency (CISA) and aimed to support their members to better avoid, respond to, and anticipate cyber-security threats.
In relation to APWA’s commitment to supporting their members to overcome cyber-attacks and build cyber-resilience in their infrastructure, CEO Scott Grayson has commented: “Our goal at APWA is to equip our members with the knowledge, tools, and frameworks they need not only to mitigate potential risks, but also to respond effectively when incidents occur. Cybersecurity is no longer just an IT concern, it’s a core part of delivering safe and reliable public services.”
As smart cities become more commonplace, local government also needs to adapt resilient cyber strategies to align with the expanding risk profile and attack surface. Without this, smart cities risk becoming fragile, compromising the services they provide to their communities and the data privacy of their citizens.
