Water and transport operators provide
essential services to the community using infrastructure such as
water storages and distribution networks, water and wastewater
treatment plants and transport networks. We found that the systems
used to monitor and control the operation of this infrastructure
were not secure. Unauthorised access to them could affect the
stable delivery of water and transport services.
Historically these systems were
proprietary stand-alone systems operated by staff based at each
infrastructure facility. To introduce efficiencies, these
systems are being replaced with more open systems, linked to
corporate and public networks. These changes expose the systems to
unauthorised access by staff and external parties.
While all operators had developed risk
management frameworks and established many of the framework
components, none had effective processes to manage the risks to
their infrastructure control systems.
Operators do not have comprehensive
up-to-date policies and procedures to manage infrastructure control
Information collected and reported to
management about security breaches,
non-compliance with policies and procedures, ICT risks and
infrastructure control system vulnerabilities, is inadequate.
Operators are not adequately monitoring
and controlling the infrastructure control systems that external
parties manage on their behalf. We found that operators do not have
provisions in their contracts with external parties accessing their
infrastructure, that address security requirements or procedures to
monitor and control external-party access.
With the exception of one out of the
five operators reviewed, security-related design considerations are
not incorporated into operators’ procurement processes for new
infrastructure control systems.
The quality of operators’ emergency
response and business continuity plans varied. Overall, they do not
adequately address issues associated with infrastructure control
Oversight agencies (Department of
Sustainability and Environment and Department of Transport) do
- actively monitor
operator security management of infrastructure control
- have mechanisms to
assure themselves that security breaches and incidents are reported
and acted on
- use suitably qualified and experienced
staff to advise operators about securing infrastructure control
systems and managing cyber risks.