Guard drinking water from cyber threat
A leading expert in drinking water management has expressed concern at the potential threat of cybersecurity attacks on Australian utilities and environmental infrastructure businesses.
National cybersecurity authorities receive reports of attempted cyber attacks every ten minutes on average, and the attacks appear to be growing in sophistication and complexity.
Tasleem Hasan, Workgroup Manager for the Drinking Water division of Viridis Consultants, said he regularly meets with government and private water enterprises that are assessing their risk management plans, and that there was a common thread in those conversations.
Hasan has close to 20 years’ experience in drinking water quality management, including regulation, sanitation and hygiene. He has worked extensively across Australia and the Pacific Islands identifying and discussing key water supply issues and challenges and provides advice on potential improvements and regulatory compliance.
“With most monitoring needs moving towards cloud-based systems for storage and accessibility purposes, businesses need to be vigilant in knowing how to protect that information in the event of an attempted cyber-attack, and this is something which may be often overlooked during initial design stages,” Hasan said.
“This increased reliance on cloud platforms means that plant operators need to engage cybersecurity advice as early as day one and document measures when drafting risk management plans.”
No longer an afterthought
Audits are a common feature in the utilities landscape, with most executives seeking advice on what systems and processes are needed to protect them from areas of vulnerability.
“I am not surprised by operators thinking about cybersecurity as an afterthought rather than safeguarding their information assets, especially with the many other priorities and challenges presented by the treatment processes,” he said.
“However, engaging experienced water management professionals for risk assessments is so advantageous in supporting the integrity of the company’s data collection and storage capability.”
Australian infrastructure providers have a rare window to lead the world in adopting preventative cyber measures to thwart potential attacks, which are increasing each year.
According to PwC Australia, 56 per cent of cyber and business executives say they believe that sponsored attacks on critical infrastructure are likely in the future.
“Every major infrastructure provider has a duty of care to ensure their systems and information are protected in the interests of national health and wellbeing,” Hasan said.
“We know from research by the Australian Cyber Security Centre [ACSC] that a number of Australia’s national and economic interests are increasingly under threat from malicious cyber activity, which has continued to evolve in scale, frequency and sophistication.
“Overseas markets have seen attempts and subsequent attacks on large-scale infrastructure and by remaining vigilant and taking necessary steps in barricading assets, our country could present among some of the strongest case-study countries in this field.”
Phishing and spear phishing are still common methods used by cyber hackers to obtain personal information or credentials, to gain access to networks, or to distribute malicious content.
Between 1 July 2019 and 30 June 2020, the ACSC responded to more than 2250 cyber security incidents and received nearly 60,000 cybercrime reports, at an average of 164 reports per day, or one every ten minutes.
“Australian businesses need to be aware that malicious cyber criminals are constantly looking for system and network vulnerabilities and weaknesses. Adopting a ‘secure by design’ set of principles is certainly the way forward.”
Successful breaches
Earlier this year, the town of Oldsmar, Florida, grappled with a hacker's successful infiltration of its water supply infrastructure.
News reports said that a malicious cyber attack had occurred, where a person was able to remotely access a computer attached to the city’s water treatment system through the TeamViewer application.
“This hacker could have caused major disruption, widespread health issues or worse,” Hasan said. “He was able to remotely control system levers and managed to increase the amount of sodium hydroxide to 100 times the recommended level.
“Fortunately, a team member became aware of the considerable changes and was able to revert to safe levels virtually immediately, but this could have been a major situation,” Hasan said.
The drinking water expert said that Australian businesses were in a position to take greater control of their safe practices by adopting the principles of ‘secure by design’ as described by the Australian Signals Directorate.
“Daily backups of important data, application whitelisting, patching applications, blocking untrusted Microsoft Office macros, user application hardening, restricting administrative privileges, patching operating systems, and incorporating multi-factor authentication are important safeguards,” he said.
In his work as a leading auditor, Hasan has seen firsthand how cloud-based platforms are being used for system control and monitoring.
He said that cybersecurity measures can thwart attempts from people trying to access control of water supply systems and that due consideration should be given to this in the beginning stages of design.