The NSW Auditor-General's Office has produced a report, Security of critical IT infrastructure, examining whether the systems used to operate and manage critical infrastructure in the Sydney metropolitan water supply system and the NSW traffic signal network are secure and, if systems go down, whether there are sound recovery arrangements in place.
The report notes:
Systems used to control critical infrastructure are known as process control systems or operational technology. Previously, these types of systems were isolated from other networks and the security of these systems depended largely on restricting access to their physical infrastructure. However, in the last two decades their interconnectivity with other networks, for operational purposes, has increased the risk of unauthorised users obtaining access to these systems and disrupting reliable operation of critical infrastructure.
To illustrate, in June 2010, an anti-virus security company reported the first detection of malicious software (malware) that attacks process control systems. The malware is called Stuxnet and it has been found on hundreds of systems internationally. In August 2013, a security research company in the United States created a decoy water utility system; it experienced 74 security attacks from more than 16 countries. Ten of the attacks were deemed to have the ability to take complete control of the mock system. In 2000, a disgruntled former employee compromised a control system and caused the dumping of 800,000 litres of untreated sewage into waterways in Maroochy Shire, Queensland.
It goes on to conclude:
Roads and Maritime Services
Roads and Maritime Services (RMS) and Transport for NSW (TfNSW) have deployed many controls to protect traffic management systems. However the systems in place to manage traffic signals are not as secure as they should be. Established controls are only partially effective in detecting and preventing incidents and are unlikely to support the goal of a timely response to limit impacts to traffic management.
A range of risks are adequately managed; however, there are other risks where control improvements are recommended. For example, there is a potential for unauthorised access to sensitive information and systems that could result in traffic disruptions, and even accidents in one particular section of the road network.
Management has designed and tested an emergency response capability for the Traffic Management Centre (TMC) for some disaster scenarios and has recently identified and initiated improvements for responding to IT related disasters.
Until the IT disaster recovery site is fully commissioned, a disaster involving the main data centre would have traffic controllers operating on a regional basis without the benefit of intervention from the TMC in managing traffic coordination, which means higher congestion is likely in the short term.
Sydney Water Corporation
Sydney Water Corporation (SWC) is well equipped to deal with the impact of security incidents. It has developed and tested procedures for security incidents and major outages and has provided relevant training to staff. It has established a back-up operations centre which is tested on a regular basis, and also established redundant systems such as additional control units and backup power supplies for selected key facilities.
Whilst SWC’s response capability is good, it is limited by its inability to detect all security breaches. Controls to prevent and detect breaches are not as effective as they could be. Controls have been implemented to limit a number of risks; however, the protection environment requires improvement to defend against targeted attacks. For example, any malicious activity on most of the corporate network is blocked from accessing the process control system environment, but control level access is possible from selected low security workstations on the corporate network.
Key recommendations are:
RMS and TfNSW, by July 2015, should:
1. Extend the Information Security Management System (ISMS) to oversee the security of the complete traffic management environment, including operational level risks.
2. Develop a comprehensive security plan for the whole environment.
3. Improve the identification, assessment and recording of security risks.
4. Improve logging and monitoring of security related events regarding access to applications, operating systems and network access.
5. Improve security zoning to better protect the system from potential threats.
SWC, by July 2015, should:
6. Extend the Information Security Management System (ISMS) to oversee the security of the process control environment, including the management of operational level risks and controls.
7. Develop a comprehensive security plan for the whole environment (building on SWC’s SCADA security policy).
8. Document and undertake additional risk mitigation to reduce risks to acceptable levels, and clearly document what levels of risk can be tolerated.
9. Obtain current documentary evidence to indicate that the risks associated with the security of process control systems at Prospect Treatment Plant are mitigated to acceptable levels.
10. Determine the appropriate controls to limit unauthorised access to computer accounts including SCADA application software and computer operating systems.
Other government agencies with critical infrastructure should seek to determine whether there are lessons from this audit that may apply to their area of government services/business. This includes ensuring:
11. The organisation’s ISMS covers business processes and technology including systems used to control infrastructure.
12. Compliance with the NSW Government Digital Information Security Policy (DISP). For State Owned Corporations, this requirement should be incorporated into their Statements of Corporate Intent.
13. A comprehensive security plan is maintained for technical systems supporting critical government services where the system requires additional protection above the baseline controls utilised for the remainder of the agency’s systems.
14. Management receives and acts on information security/availability risk assessments that define the current and target risk levels.
The Office of Finance and Services, NSW Treasury, should:
15. Ensure lessons learnt in this audit are communicated to all relevant government agencies.
16. Undertake regular reviews to ensure that relevant agencies are complying with the Digital Information Security Policy and that the policy is meeting its objectives.