The Australian Cyber Security Centre (ACSC) recently provided advice to help critical infrastructure providers protect themselves from cyber-attack. This is particularly important given that key staff are working remotely during the COVID-19 pandemic.
Opportunistic cyber-threat attacks to critical infrastructure are particularly concerning during the current pandemic. Facilities such as power and water distribution networks, transport and communications grids are potential targets for malicious cyber adversaries in Australia and globally.
CSO Australia recently reported the failed Stuxnet-like attack on Israel’s water supply, highlighting the danger associated with assault attempts on control systems of wastewater treatment plants, pumping stations and sewers.
Water Facility Attacks
As Cynthia Brumfield from CSO Australia points out, “although cyber-attacks on the electric grid grab the lion’s share of attention, attacks on water facilities typically generate little press coverage or public focus, making the (Israeli) directorate’s public statement of an attack something of an anomaly”.
The low profile of water companies when it comes to cybersecurity is surprising, given the significant damage a water supply attack could pose. According to Lesley Carhart, principal threat analyst at Dragos, “water has always been the one industry that is least resourced and the most capable of causing impact to life and safety”.
In order for Industrial Control System (ICS) attacks to be successful, adversaries need significant knowledge of the systems to plan an attack. These systems usually combine digital, analogue and mechanical programs and processes, including SCADA systems. However, the requirement for in-depth knowledge does not make them impervious to cyber-threats.
Strategic Approach Lacking
To highlight local vulnerability, Victoria alone has 19 state‐owned water authorities and a privately operated Victorian Desalination Plant (VDP). The May 2019 Security of Water Infrastructure Control Systems report by the Office of the Victorian Auditor General concluded that “water providers lack a strategic approach to managing cybersecurity risks that integrates their corporate and control system environments and aligns to leading industry security standards for control systems”.
The report states that although the audited water providers have improved their cybersecurity, the “evolving threat landscape requires water providers to now increase their focus on assessing and significantly strengthening their control system security”. Notably, it is believed that their control systems are vulnerable to the risk of a successful cyber-attack, “particularly by a trusted insider or an intruder breaching physical security and gaining unauthorised access”.
As there are currently no Victorian or Australian security standards specific to control systems[5], cybersecurity threats to water control systems can pose significant risks to public health and safety, the environment and business operations.
Ensuring that critical infrastructure providers have current, fit-for-purpose Business Continuity Plans, Disaster Recovery Plans and Emergency Management Plans in place is essential, particularly during periods of heightened risk.
Agilient consultants have the expertise and are available to assist executive teams in mitigating cyber risks. Contact us to discuss how we can help your business.