Victorian water utilities still need to improve the security of their industrial control systems, a review of the arrangements at four of the state’s water providers has concluded.
The Victorian Auditor-General’s Office today released the results of its investigation of the security architecture and governance arrangements at Barwon Water (BW), Melbourne Water (MW), the Victorian Desalination Plant (VDP), and Yarra Valley Water (YVW).
As part of its audit, a follow-up to a 2010 VAGO investigation, the office conducted a vulnerability assessment and physical security inspection of a number of industrial sites operated by the utilities.
The 2010 report assessed the infrastructure control systems of both water and transport providers, concluding that the risk of unauthorised access to the systems was “high”. It found that the operators of the systems did not have controls in place to detect inappropriate access to their infrastructure, or appropriate governance arrangements.
“Operators are not fully aware of the weaknesses in, and risks to their infrastructure control systems,” the 2010 report concluded.
The new VAGO report finds that since 2010 water providers have sought to improve the security of their corporate IT systems against cyber attacks, including attempting to separate corporate systems from industrial control systems to help protect them.
“However, they have not designed and built security measures for their control system environments based on a comprehensive understanding of security risks at the asset level,” the VAGO report states. “The results of our vulnerability tests demonstrate that significant weaknesses exist in the current approach to securing control systems.”
The utilities “lack a strategic approach to managing cybersecurity risks that integrates their corporate and control system environments and aligns to leading industry security standards for control systems.”
As a result, control systems could potentially be the target of a successful attack — particularly from an employee or contractor gone rogue, or an intruder who managed to bypass physical security protections.
“None of the water providers have undertaken comprehensive vulnerability assessments of their control systems at the detailed asset and asset zone levels,” the report states. “Where some risks are known, water providers have not thoroughly documented or communicated these to inform existing and new processes.”
The report calls for a “holistic approach” to security that encompasses both corporate IT systems and control system environments. It also calls for control system asset security vulnerabilities and risks to be identified in detail, and for roles and responsibilities for governance to be clarified.
The utilities should “design, build and maintain a security architecture proportionate to risk that is based on leading industry security standards for control systems”.