The Queensland Audit Office (QAO) has released a report assessing whether a selection of entities responsible for critical water infrastructure have processes in place to protect their water control systems from potential attacks, both internal and external.
For the report, Security of critical water infrastructure, QAO carried out tests, known as penetration tests, to identify and exploit security vulnerabilities in order to assess whether these entities could detect the security breaches and restore the systems in the event of an attack.
The audit found that water control systems were not as secure as they should have been at the time of the testing.
The age of many of the control systems, combined with more recent integration with corporate networks, had resulted in higher risks that had not always been recognised and tested by the entities themselves.
Security controls did not sufficiently protect these systems from internal or external information technology-related attacks.
All entities were susceptible to security breaches or hacking attacks because of weaknesses in processes and controls.
At the time of testing, attacks could disrupt water and wastewater treatment services, as well as other services that relied on the entities’ information technology environments.
All audited entities had the capability to respond to information security incidents if they were detected. However, they were not well prepared for cyber attacks, as they had not planned or tested their response to and recovery from this type of incident.
The report recommends that water service providers:
- Identify risks of information security breaches
- Implement controls to protect their systems
- Monitor and review the effectiveness of the controls
Since the audit, critical infrastructure owners have worked to reduce the risk of security incidents, including cyber attacks, on their systems in order to mitigate the impact of such events.