Cyber security generally refers to activities taken to protect from threat, compromise or attack, both our knowledge and control of our physical systems. Threats within water may include;

  • Loss of client information,
  • Loss of business, commercial or network information,
  • Loss of control of water and sewerage infrastructure leading to damage, public health failure or environmental pollution.

According to the Australian Computer Society, utilities were the 5thmost targeted industries for espionage in 2015.

In 2015, with an attack strongly suspected to have originated from Russia, 230,000 people lost power when 30 sub-stations in Western Ukraine were shut down via a remote attack. Operators at the Prykarpattyaoblenergo control centre were even locked out of their systems during the attack and could only watch it unfold.

In 2017 the Queensland Audit Office undertook a review of the cyber security vulnerability of several Queensland water utilities.  The report found that the water control systems were not as secure as they should have been at the time of our audit testing.

The key issues included;

  • The age of many of these control systems,
  • Integration of control systems to corporate networks,
  • The lack of penetration testing,
  • Weakness in processes and controls.

At the time of our testing, attacks could disrupt water and wastewater treatment services. They could also disrupt other services that relied on the entities’ information technology environments. There was a risk to public health and appreciable economic loss in terms of lost productivity, not only to water service providers but also to citizens and businesses. A sewage spill could also have a significant impact on the environment.

CERT Australia acts as Australia’s national computer emergency response team. They have identified the following cyber security trends;

  • Would-be criminals will grow in number exploiting known vulnerabilities,
  • Increased sophistication will be used to target high-value networks,
  • Supply chain targeting will continue to be popular as third parties prove to be a weak link,
  • Internet of Things (IoT) will create further risks.

The QAO report determined that the utilities need to:

  • clearly articulating and assigning roles and responsibilities for all parties, including any external service providers in securing the systems
  • maintaining a complete and up-to-date list of assets for water control systems and assessing the risk exposure of each asset
  • developing and implementing a security plan for water control systems based on risk assessments
  • implementing appropriate user access and authentication policies
  • using a phased approach to implement, the Australian Government’s ’essential eight’ security controls based on each entity’s risk assessment
  • establishing performance indicators for security and periodically testing these controls to monitor the maturity and strength of defences built into the information technology control environment
  • improving understanding of how to manage information technology risks and how they relate to other forms of operational risks.

The typical cyber security prevention mechanisms in use across water utilities currently include;

  • Audit logs,
  • Cyber security polices, strategies and proactive management,
  • ·End to end encryption,
  • Independent visibility and manual override on all key systems,
  • Isolation of essential assets from public resources,
  • Software / firmware patches,
  • Strong passwords policies,
  • Two-factor authentication,
  • Up to date firewalls, anti-virus/anti-malware software.

Cyber Security is a strategic risk to every organisation and is likely to remain as such over the next 30 years.

David Nixonhas worked the water industry for over 30 years across a variety of utilities, engineering and business consultancies. David currently acts as director and advisor to a variety of organisations across Australia. david@nixonclarity.com

Credit: Australian Computer Society & Queensland Audit Office