When the Threat Is Organised, Public, and Announced
A guide to intelligence-led preparation for planned disruption of critical infrastructure operations.
Most security planning is built around threats that try to be invisible. A thief avoids cameras. A saboteur enters after hours. A hostile actor conceals their intent until the moment they act. The security response is designed accordingly: detect the thing that is hiding.
Planned operational disruption is the opposite problem. The people intending to disrupt your operations are often announcing it publicly. They are coordinating on open platforms, building public followings, publishing timelines, recruiting participants, and generating media coverage as a deliberate part of their strategy. The intelligence you need to prepare is not hidden — it is, in many cases, posted.
And yet, critical infrastructure operators are routinely caught underprepared for planned disruptions that were visible in open-source data weeks in advance. The reason is not a lack of publicly available information. It is that no one has a system designed to find it, interpret it correctly, and translate it into operational preparation with enough lead time to matter.
Of all the threat categories CRIMP addresses, this is the intelligence problem it solves best, because the signals are strong, they are early, and acting on them requires exactly the kind of cross-domain correlation that CRIMP is built for.
The Australian Context
Planned direct action against critical infrastructure operations is not a hypothetical risk category in Australia. It is a documented, ongoing, and in many sectors escalating threat.
Environmental activist groups have conducted direct action campaigns against coal mines, gas terminals, port export facilities, and pipeline infrastructure across Queensland, New South Wales, Western Australia, and Victoria. These campaigns range from lawful protests at facility gates through to unlawful actions: lock-ons to heavy equipment, blockades of access roads, intrusions into operational areas, and interference with plant. In 2022 and 2023, multiple operations across the Queensland resources sector were disrupted by coordinated campaigns that involved participants travelling from interstate and pre-positioning near sites days before the action date.
The critical distinction — between lawful protest and unlawful operational disruption — is legally important and operationally significant. That distinction is almost always visible in the intelligence, if you know where to look and have the time to look before the action date.
What the Intelligence Trail Looks Like
Planned direct action campaigns leave a layered, progressive trail in open-source data. CRIMP surfaces this trail in three stages.
Three Stages of Signal — Weeks to Hours Out
Early signals — weeks to months out. Campaign planning typically begins with public mobilisation: social media accounts begin posting about target operators or facilities, email lists are activated, event pages are created, and participant recruitment begins. At this stage, posts are often general, but the geographic and entity-specific signals are visible. CRIMP surfaces these early signals against your watchlists, giving your teams maximum lead time.
Mid-stage signals — days to weeks out. As an action date approaches, coordination becomes more specific and operationally revealing. Participants confirm attendance, logistics discussions appear, and the language shifts to action-specific framing. At this stage, CRIMP can often identify approximate timing, scale, and tactical intent — and the distinction between a lawful demonstration and an unlawful operational intrusion becomes visible in the intelligence.
Immediate signals — hours to days out. Participants post arrival confirmations, share locations near the target site, and discuss logistical details. Geospatial signals — device and vehicle presence entering boundary zones near the facility, geotagged posts near access roads — corroborate the OSINT picture. CRIMP correlates these signals automatically, surfacing a consolidated real-time brief.
The Multi-Site Coordination Problem
The most operationally challenging variant of planned disruption is a coordinated campaign across multiple sites simultaneously — a tactic used deliberately to overwhelm security resources sized for single-site incidents.
In 2023, coordinated actions at multiple coal export facilities were timed to occur on the same day, with separate participant groups assigned to separate sites. Security teams at each site were managing their own incident without a clear picture that the same campaign was active across several assets simultaneously. The intelligence to see this coordination was present in the open-source environment well before the action date — participant groups discussing separate site assignments, logistics referencing multiple locations, and public communications making the multi-site nature of the campaign explicit.
A security team that knows, 48 hours in advance, that a coordinated action is planned across three facilities on the same day can deploy accordingly. A team that discovers the coordination on the morning it occurs is managing a crisis rather than a prepared response.
CRIMP's monitoring does not operate site by site. It operates across your entire asset footprint simultaneously, against a unified watchlist. When a coordinated campaign is targeting multiple facilities, the signals from each target flow into the same intelligence picture — visible to your team as a whole, not fragmented across separate site security teams.
Translating Intelligence into Action
Early intelligence about planned disruption is only valuable if it is translated into the right operational and stakeholder responses.
Operational preparation. Operations teams need to assess the likely impact on their production or service schedule and prepare contingency options. An action likely to remain at the gate requires different planning than one likely to attempt access road blockades.
Law enforcement engagement. A structured intelligence brief from CRIMP — documenting the campaign timeline, the target assets, the participant coordination, and tactical signals — gives law enforcement the information they need to make resourcing decisions well in advance. A phone call the morning of the action is a fundamentally different request to a briefing delivered three days earlier.
Communications preparation. Organised campaigns are designed to generate media coverage. Operators surprised by disruptions are often caught without a prepared response. Early intelligence gives communications teams time to prepare, brief leadership, and engage proactively with media.
Civil Liberties and Legal Obligations
CRIMP's monitoring is conducted against publicly available open-source data — it does not involve surveillance of private communications or tracking of individuals in ways that engage privacy law obligations. Monitoring public social media posts and public coordination for the purpose of operational safety preparation is lawful and consistent with an operator's duty of care.
The legal boundary is clear: acting on intelligence that an unlawful disruption is being planned is appropriate. Using that intelligence to suppress lawful protest or target individuals engaged in protected political activity is not.
Under the SOCI Act, the Critical Infrastructure Risk Management Program (CIRMP) requires operators to identify and manage risks from foreseeable threats. Planned direct action by organised groups is, in many sectors, not only foreseeable but recurring.
What CRIMP Monitors
Geospatial Boundary Signals
Device and vehicle presence entering boundary zones near your facilities in the days before a planned action — corroborating OSINT signals with physical proximity data.
Online Behaviour
Social media campaigns, public event pages, participant coordination, and tactical planning discussions visible in open-source environments — monitored weeks before an action.
Dark Web Monitoring
Closed-environment coordination and sensitive information associated with your infrastructure — an additional layer for higher-risk scenarios.