Control systems running Queensland’s water supply are open to attack, according to a new audit report.
The report, compiled by the Queensland Audit Office, found the water control systems operated by water service providers were “not as secure as they should have been” at the time of audit testing.
Acting Auditor-General Anthony Close said the age of these systems, combined with more recent integration with corporate networks, had resulted in higher risks that had not always been recognised and tested by the utilities.
“Security controls did not sufficiently protect them from internal or external information technology-related attacks. Information security is like a chain – it is only as strong as the weakest link. All entities were susceptible to security breaches or hacking attacks because of weaknesses in processes and controls,” Close said in his report.
“At the time of our testing, attacks could disrupt water and wastewater treatment services. They could also disrupt other services that relied on the entities’ information technology environments.”
He said this posed a risk to public health and a risk of appreciable economic loss in terms of lost productivity, not only to water service providers but also to citizens and businesses.
Although all organisations were capable of responding to information security incidents if they detected them, they were not well prepared to respond to cyber attacks.
“They had not planned or tested their response and recovery from a malicious or cyber incident. These can occur without notice and can affect availability and integrity of multiple systems,” said Close in his report.
Audited organisations said that they could operate smaller plants or parts of their larger water treatment plants manually following a disruption to computer systems, but they had not demonstrated this capability.
“Only one entity had documented its manual operating procedures, and none had ever tested running their whole plants manually. This places a high reliance on individual knowledge, experience and physical presence to continue water services in the event of an attack,” Close said.
“The results of this audit serve as a timely reminder for any public sector entity managing critical infrastructure. Entities should assess and strengthen defences to protect their systems from information technology and cyber threats, and ensure that manual operation of critical infrastructure is documented and well tested.”
The audit office recommended that Queensland’s Department of Energy and Water Supply integrate IT risks and cyber threats into the existing management framework for drinking water services and into Queensland water and sewerage service provider frameworks.
It also recommended that the department facilitate information sharing about adopting standards for securing IT amongst entities that manage water control systems.
Meanwhile, it recommended that the entities audited improve oversight, identification and monitoring of IT risks and cyber threats to water control systems.