Audit finds Vic SCADA systems vulnerable

Victoria's public water facilities have been slammed and government agencies criticised in a searing audit report into IT security released yesterday.
Written by Darren Pauli, Contributor on

Victoria's public water facilities have been slammed and government agencies criticised in a searing audit report into IT security released yesterday.

The auditor criticised (PDF) the state's water organisations for failing to secure critical water infrastructure against network threats.

Unprotected Supervisory Control and Data Acquisition (SCADA) systems are at risk from network attacks that may target critical infrastructure including electricity and water supplies. The still active and now infamous Stuxnet worm has made headlines by targeting vulnerable SCADA systems, which lie at the heart of controlling critical infrastructure.

A Dam

(Salmon Dam image by John Parrish, CC2.0)

The report stated that Victoria's water agencies lack an effective means to manage or avert the risks posed to central infrastructure control systems. It says the security of SCADA systems is inadequate and must be upgraded to meet the threats posed by networked environments, which had not previously been a consideration when the systems were offline and isolated.

"These systems are being replaced with more open systems, linked to corporate and public networks. These changes expose the systems to unauthorised access by staff and external parties," the report stated. "While all operators had developed risk management frameworks and established many of the framework components, none had effective processes to manage the risks to their infrastructure control systems."

Auditor-General Des Pearson called for the creation of an ICT security team within the Department of Transport to advise operators on infrastructure control system security and risk, and business continuity management.

In the report, Pearson said that the Victoria Police service is not interested in IT security despite its role as a security consultant to operators.

"Victoria Police believes that the threat of a terrorist-based attack on ICT infrastructure control systems does not warrant its specific attention. Priority is given to terrorist threats with a higher likelihood," said Pearson.

"Victoria Police needs a good understanding of operator businesses, risk management, and ICT and infrastructure control system security [and it] acknowledges that it does not have this knowledge and capability and believes that relevant government departments are responsible for the broader oversight of operators."

The Department of Sustainability and Environment and the Department of Transport provide differing levels of monitoring, guidance and support, but oversight of critical infrastructure protection is identical under the act.

"The portfolio agencies have not effectively monitored and supported operators to manage the risks to these systems. The government's terrorism protection framework is not effective in securing infrastructure control systems."

The report found some of the five state water operators audited had "several deficiencies" in security architecture around firewalls, separation of networks, and remote access, but noted operators are aware and moving to address the problems.

Security risks were also found in IT procurement and development of control systems, which is conducted "without guidance from an existing security standard".

The operators had failed to comply with relevant industry standards including ISO 27001 and 27002, and lacked contractual provisions to monitor the activities of external companies or to force them to abide minimum security levels.

The facilities also hadn't properly reported security breaches, or maintained internal security policies.

The report comes ahead of the release of a separate vendor security report, which suggests 53 per cent of critical infrastructure providers have been attacked an average of 10 times since 2005. Of these, the average cost of serious attacks was placed at a whopping $850,000.

Editorial standards