Taking on responsibility for cyber security
In February 2021, hackers broke into the computer system of a Florida water treatment facility and attempted to poison the local water supply.
The event followed a series of attacks in 2020 against water infrastructure in Israel, which also sought to introduce dangerous chemicals into drinking water.
The incidents demonstrate the critical importance of cyber security for the water industry, which was explored by a panel at the Ozwater’21 conference this week.
City West Water Director Tania Fryer told conference attendees that potential amendments to the federal Security of Critical Infrastructure (SOCI) Act could require the boards of water corporations to take responsibility for certain cyber security obligations and even permit the government to take control of the response to attacks on infrastructure in some situations.
The threat landscape of digital security is changing fast, Fryer said. Cybercrime cost the world more than $1 trillion in 2020 — 1% of global GDP.
“Cybercrime is big business,” Fryer said. “Attackers only need to be successful once. Defenders need to be successful all the time.”
“As increasingly digital utilities in an interconnected world, our delivery of safe drinking water and safe treatment of sewerage depend on holistic cyber resilience.”
That is reflected by changes to board obligations. Boards have long had responsibility for financial activities, Fryer said, and financial disclosure expectations are growing. Boards are also increasingly required to take responsibility for people safety.
“Cyber safety has many hallmarks of people safety, and like financial literacy, cyber literacy is increasingly a must-have for all directors,” she said.
“The bill to amend the Security of Critical Infrastructure Act is a major reform. It’s part of a broad strategy to strengthen Australia’s cyber resilience. Like signing off financial statements, SOCI makes it a board-specific task to approve reports to Home Affairs each year.
“Like the introduction of criminal consequences in the people safety space, the bill makes you sit up when you read it. In certain circumstances, the government can authorise the Australian Signals Directorate — the ASD — to intervene to respond to an incident, stepping into your operations. Failing to comply with an action direction could result in two years’ jail. Criminality would not depend on dishonesty or recklessness.”
The potential legislative changes have received a lot of attention, Fryer said.
“There are also obligations to report security incidents to the ASD within short timeframes — within 12 hours of becoming aware of a critical cyber security incident, which has significant impact on the availability of a critical infrastructure asset, 72 hours for other incidents,” she said.
“The effect of the obligations is to require your incident response plan to quickly assess impact on availability, integrity, reliability, and confidentiality of critical infrastructure assets and notify the government as one of the first steps in your incident response plan.”
The legislation is currently being reviewed in committee in federal parliament and is expected to become law, Fryer said.
Adapting to this new environment will require the water sector to shift its culture.
“You will be breached,” Fryer said. “The bad guys are always a step ahead. Ability to quickly respond and recover is key.”
Urban Utilities CEO Louise Dudley said she has adopted a “when, not if” approach.
“We're certainly looking at the need to balance what we do to make sure that we're covering not only protection, but detection, having that monitoring visibility, response and recovery,” she said.
“And we're also really conscious that you need to actually balance that with efficiency in your organisation as well.”
Organisations should focus their attention on their most important assets, Fryer said — what she referred to as their “crown jewels”.
“5G is a crown jewel for Australia. SCADA is probably a crown jewel for most, if not all of our water businesses,” she said.
“Who are you depending on?”