Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is rated high because the attack has already materialized at two facilities during peak harvest season, demonstrating active threat actor capability and willingness to target agricultural OT environments; the exploitation status remains unconfirmed but operational disruption is confirmed, indicating successful access or effect. Impact is rated very_high because the shutdown occurs during a time-constrained crushing window where sugarcane is a perishable input that cannot be stockpiled, meaning production losses are largely irrecoverable, compounding into direct revenue loss, downstream supply disruption, and potential contractual exposure to cane farmers and buyers simultaneously.
Treatment rationale: The operational and financial consequences are too severe and time-sensitive to accept, transfer alone cannot restore production continuity, and avoiding the business entirely is not viable — structured OT security hardening, network segmentation, and incident response capability investment is the primary treatment path to reduce both likelihood of recurrence and impact severity.
Third-Party / Supply-Chain Risk
Agricultural OT environments commonly depend on third-party industrial control system vendors, remote access providers, and SCADA/HMI platform suppliers whose software and remote support pathways may have served as initial access vectors; under NIST SP 800-161, Mackay Sugar's exposure extends to any supplier with privileged access to mill control systems or shared connectivity across the two affected facilities, and the multi-site impact pattern warrants assessment of whether a shared vendor platform or remote access service is a common dependency across both mills.
Loss Exposure (illustrative)
Magnitude: very high — illustrative $5M–$30M AUD across two facilities for a multi-week shutdown during peak crush season, reflecting lost throughput on perishable cane, idle labour and equipment costs, emergency IR and OT remediation spend, and potential contractual penalties
Frequency: For an agricultural OT operator with confirmed prior targeting and unresolved root cause, an illustrative recurrence frequency of once per 3–5 years is plausible absent material OT security investment; sector-wide targeting of food and agriculture ICS has increased markedly since 2021
Annualized: Illustrative ALE: $1M–$10M AUD per year when amortising a high-severity, lower-frequency event across a multi-year horizon, weighted toward the higher end during harvest-season exposure windows
Basis: Loss magnitude derived from: two mills offline during Australia's June–November crush season (the only viable processing window for perishable cane), illustrative daily throughput revenue loss per facility scaled across a plausible 2–6 week recovery horizon, plus OT IR and forensics costs typical of industrial environments, plus illustrative contractual penalty exposure to growers; frequency derived from confirmed active-exploitation event as baseline, adjusted for unresolved root cause and documented increase in agricultural sector OT targeting; no third-party actuarial or research report figures were used
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Operational shutdown of food and agriculture infrastructure may trigger cyber-insurance business interruption coverage notice obligations — verify with broker immediately given active loss event.
• Contractual obligations to cane farmers and downstream buyers for undelivered crush volumes may constitute breach of supply or offtake agreements — verify with counsel whether force majeure provisions apply.
• If any personal data of employees, contractors, or business partners was accessed during the intrusion, Australian Privacy Act 1988 (Cth) notifiable data breach obligations under the NDB Scheme may be triggered — verify with counsel and the Office of the Australian Information Commissioner.
• As an operator of food and agriculture infrastructure, the incident may attract attention from the Australian Cyber Security Centre (ACSC) and relevant sector regulators — verify with counsel regarding voluntary or mandatory reporting obligations.
