Water utilities set to tackle cyber security

Posted 28 November 2016

Cyber securityRapidly rising levels of digitisation of water utility operations are delivering enormous efficiency gains but also means utilities are grappling with a major new risk – cyber attacks.

The past year has seen some high-profile instances of hackers exploiting cyber vulnerabilities to control or damage physical infrastructure. 

Just before last Christmas, suspected Russian hackers plunged more than 80,000 people into darkness after a well-planned attack crippled at least two power companies and wiping out automated systems, forcing the utilities back to manual controls for weeks.

In March, it emerged that hackers had taken control of the SCADA system of a Syrian water treatment plant and altered chemical dosing levels.

At home, Water Corporation alone fends off more than a dozen probes every second, said Chief Financial Officer Ross Hughes. “We have 1.2 million connection attempts per day. Those numbers are just eye-watering,” he said. “Of the 1.2 million attempts, there are 7000 malicious attempts per day that we need to protect ourselves against or capture.” 

While Australian utilities have been largely unscathed to date, EY’s Offer said the risk was too big to ignore. “When we talk about risks we talk about likelihood and impact,” he said. 

“Likelihood here may be low to medium, but the impact is potentially enormous and that alone is enough to make this a significant business risk.”

The risk has been rising in tandem with the digitisation of the water grid. “Back in the day, every asset – every pump, valve, dam, pipe, water treatment plant – was managed by onsite field staff,” Offer said. 

“But over time those systems have become increasingly internet-enabled and managed remotely and the reality is, if you’re connected to the internet, an attack can be launched.”

In response, utilities are building cyber risk and information asset management into 
every aspect of their business, said Sydney Water Chief Information Officer George Hunt.

“Our primary enterprise risk is protecting public health, the second is to ensure employee and contractor safety, the third is reputational risk. A cyber security or data breach incident would impact all of those things,” he said.

An obvious first line of defence is technological protection. Many utilities, such as Yarra Valley Water, are working to the International Organization for Standardization’s specifications for information security management systems (ISO 27001). 

“Strong defence requires things like internal and external firewalls, intrusion prevention and reverse proxy devices, segmenting our networks, and ensuring we have good protection against malware and viruses across all our systems,” Yarra Valley Water Managing Director Pat McCafferty said.

Effective network segmentation is vital as it becomes increasingly challenging to maintain the (pre-digitisation) physical gap between IT and operational technology networks. 

As Sydney Water’s Hunt said: “As we open up customer and employee self-service, enable cloud-based customer functionality, embrace smart metering and smarter asset management services – all things that we need to do to better serve our customers – we are also enhancing our security in parallel.”

“The dilemma is: if you look at this through a security lens you’d try to close everything down, but if you focus on customer value and efficiency, you want to open things up.”

To learn more, read the full feature in the latest edition of Current magazine.