Cyber Security and Water Utilities
There is more and more talk about cyber security and critical infrastructure. Not that long ago SCADA systems were on separate networks to prevent malicious attacks. However, with the changing operating environment, being connected is now essential for innovation and growth. Utilities are adopting technology such portable computing, big data, smart meters and internet of things (IoT) devices, which can offer significant benefits. However, with these benefits and increased levels of accessibility, also comes a vulnerability that can be exploited. Many companies have linked critical SCADA systems to broader external networks through these technologies and many of the older systems do not have the security required to operate in this connected environment.
There are essentially two types of threat, cybercrime where the main interest is to make money and cyber espionage where adversaries want to damage Australian's economic prosperity and national interests.
Government agencies and utilities are a prime target for cybercrime due to the vast amounts of personally identifiable information (PII) that is held in a single location. As little as name, date of birth and address is enough information to impersonate a person. Also, the advent of the hacktivist has seen incidences of 'hack and release' where huge amounts of PII has been released to embarrass governments and private organisations.
There is a subset of cyber espionage, which is insider actions. Some of the more public incidents have been the result of disgruntled employees. In Queensland an employee of the old Maroochy Shire Council released 800KL of raw sewage causing environmental harm and economic damages.
The Australian Cyber Security Centre 2017 Threat Report states that advanced malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, sophistication and severity. The reach and diversity of cyber adversaries are expanding, and their operations against both government and private networks are constantly evolving. Foreign states are increasing their level of investment in cyber capabilities and pose the greatest threat.
Major attacks on critical infrastructure have already occurred in the US, Israel, Ukraine and Germany. As far back as 2010, the Stuxnet virus came to light, which had been designed to ruin hundreds of centrifuges used in Iran’s uranium enrichment program. It was the first time a digital weapon was intentionally used by a nation-state to physically damage an adversary’s infrastructure.
Australia's cyber security is generally well developed and actors are looking at more sophisticated means to access government and private networks. Social engineering and the targeting of managed service providers (MSPs) are becoming more prevalent as a means to overcome defences. Social engineering provides a way to manipulate human trust and elicit information that can help overcome network defences. These range from broad phishing emails to targeted spearphishing. Spearphishing is increasing in prevalence and is where an email or electronic communications are targeted towards a specific individual, organisation or business, often appearing to be from a trusted source. MSPs are often a soft target to compromise the networks and data of their customers. Compromising MSPs can be lucrative, providing access to many customer networks in one action. When outsourcing activities, an organisation must consider security. When providing access to your network, your network is exposed to the security posture of the contractor.
On 11 July 2018 the federal government passed the Security of Critical Infrastructure Act 2018. The Act is administered by the Critical Infrastructure Centre, within the Department of Home Affairs. This Act is to ensure the Australian Government knows who owns and operates our most critical infrastructure assets and is able to mitigate any identified national security risks. The measures are asset-specific and ownership neutral and apply to both domestic and foreign owners. This Act introduces three new measures:
an asset register, which gives the Government visibility of who owns and controls the assets, enabling better targeting of risk assessments (not to be made public)
the ability to obtain more detailed information from owners and operators of assets in certain circumstances to support the Centre's work
the ability to intervene and issue directions in cases where there are significant national security concerns that cannot be addressed through other means.
Owners and operators of critical water infrastructure assets must be aware of what the Act means for them and their associated obligations. A critical water asset is defined as one or more water or sewerage systems or networks that:
(a) are managed by a single water utility; and
(b) ultimately deliver services to at least 100,000 water connections or 100,000 sewerage connections.
Although water is critical infrastructure, it is targeted much less than utilities such as electricity and telecommunications. If the power grid is disabled it can shutdown the water, communications, transport networks etc. The figure below shows the private sector incident response by sector.
*CERT Australia has had an increase in voluntary reporting from sectors that have not been traditionally targeted, such as the accommodation, automotive and hospitality sectors. This shows the expanding scope of targets for adversaries and cybercriminals.
The Australian government is taking the threat from foreign powers seriously and recently banned Chinese telecommunication companies Huawei and ZTE from providing 5G technology to Australia. They were seen to present too great a security risk. A government statement read "The government considers that the involvement of vendors who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law, may risk failure by the carrier to adequately protect a 5G network from unauthorised access or interference."
It is essential that water utilities assess the risk of cyber attack and put in place the required defences. The Australian Signals Directorate (ASD) have developed the Essential Eight strategies that are considered to be the cyber security baseline for any organisation.
The Strategist - Rethinking the security of our critical infrastructure
Australian Cyber Security Centre 2017 Threat Report
Sydney Morning Herald - China's Huawei, ZTE banned from 5G network
Department of Home Affairs - Security of Critical Infrastructure Act 2018 commences
Security of Critical Infrastructure Act 2018
Kaspersky - What is Spear Phishing?
Water & Wastewater International - Cyber Security: How Water Utilities Can Protect Against Threats