Victorian Auditor-General's Office

Security of Infrastructure Control Systems for Water and Transport

Tabled: 6 October 2010

Overview

Water and transport operators provide essential services to the community using infrastructure such as water storages and distribution networks, water and wastewater treatment plants and transport networks. We found that the systems used to monitor and control the operation of this infrastructure were not secure. Unauthorised access to them could affect the stable delivery of water and transport services.

Historically these systems were proprietary stand-alone systems operated by staff based at each infrastructure facility. To introduce efficiencies, these systems are being replaced with more open systems, linked to corporate and public networks. These changes expose the systems to unauthorised access by staff and external parties.

While all operators had developed risk management frameworks and established many of the framework components, none had effective processes to manage the risks to their infrastructure control systems.

Operators do not have comprehensive up-to-date policies and procedures to manage infrastructure control system security.

Information collected and reported to management about security breaches,

non-compliance with policies and procedures, ICT risks and infrastructure control system vulnerabilities, is inadequate.

Operators are not adequately monitoring and controlling the infrastructure control systems that external parties manage on their behalf. We found that operators do not have provisions in their contracts with external parties accessing their infrastructure, that address security requirements or procedures to monitor and control external-party access.

With the exception of one out of the five operators reviewed, security-related design considerations are not incorporated into operators’ procurement processes for new infrastructure control systems.

The quality of operators’ emergency response and business continuity plans varied. Overall, they do not adequately address issues associated with infrastructure control systems.

Oversight agencies (Department of Sustainability and Environment and Department of Transport) do not:

  • actively monitor operator security management of infrastructure control systems
  • have mechanisms to assure themselves that security breaches and incidents are reported and acted on
  • use suitably qualified and experienced staff to advise operators about securing infrastructure control systems and managing cyber risks.

Back to top