Victoria’s water utilities have been directed to raise their investment in critical control system security, bringing it into line with what they are putting into protecting corporate systems.
The state’s auditor-general said today [pdf] that water utilities had put “significant investment in enhancing the security of their internet‐facing corporate systems and protecting their control systems by separating them from corporate systems” since its last audit in 2010.
However, the auditor-general noted that separation between control systems and corporate systems is waning, and that will require a rethink of and reinvestment in integrated security arrangements.
Control systems include supervisory control and data acquisition (SCADA) systems, process control systems, and other devices such as programmable logic controllers (PLCs).
These systems are “increasingly the target of cyber attacks worldwide”, the auditor-general’s report said.
“The security of these assets is critical for the efficient and reliable delivery of quality water and sewerage services across the state,” the report said.
The auditor-general found water providers were disproportionately investing in corporate system security.
“Water providers have focused their attention and resources on the security of their corporate systems,” the report said.
“While these systems are important for customer support, communication, and business processes, the interruption of control systems that deliver critical water and sewerage services are equally if not more important.
“In the past year, water providers have acknowledged the convergence of these two environments, and two have responded by integrating their business units responsible for these areas to improve service support for both environments. Their risk assessments have resulted in significant investment in securing corporate systems.
“However, there is opportunity to increase the focus on control systems to address the evolving threat landscape.”
Following vulnerability testing, the auditor-general believed control systems generally were vulnerable to attacks launched by “a trusted insider or an intruder breaching physical security and gaining unauthorised access”.
The auditor-general also encouraged water providers to design security “in a way that coordinates activities across all systems, addressing the root cause of security weaknesses” - instead of deploying reactive solutions in response to detected security issues.
While recognising that the water industry was historically reticent to apply system patches, in case they broke or disrupted critical systems, the auditor-general countered that the posture increased the attack surface.
“Our testing found inconsistent application of system patches across most water providers,” the report said.
“Water providers must balance the risk of system disruption due to patch application with the risk of system disruption due to attackers exploiting weaknesses caused by out‐of‐date software.”
