
Executive summary

Background

Systems used to control critical infrastructure are known as process control systems or operational technology. Previously, these types of systems were isolated from other networks and the security of these systems depended largely on restricting access to their physical infrastructure. However, in the last two decades their interconnectivity with other networks, for operational purposes, has increased the risk of unauthorised users obtaining access to these systems and disrupting reliable operation of critical infrastructure.

To illustrate, in June 2010, an anti-virus security company reported the first detection of malicious software (malware) that attacks process control systems. The malware is called Stuxnet and it has been found on hundreds of systems internationally. In August 2013, a security research company in the United States created a decoy water utility system; it experienced 74 security attacks from more than 16 countries. Ten of the attacks were deemed to have the ability to take complete control of the mock system. In 2000, a disgruntled former employee compromised a control system and caused the dumping of 800,000 litres of untreated sewage into waterways in Maroochy Shire, Queensland.

This audit examined whether the systems used to operate and manage critical infrastructure in the Sydney metropolitan water supply system and the NSW traffic signal network are secure and, if systems go down, whether there are sound recovery arrangements in place. The audit considered whether:

  • controls to prevent, detect and respond to security breaches are effective
  • the risk to business continuity is being managed appropriately

Due to the sensitive nature of this topic area, detailed findings and recommendations have been provided to agencies in separate management letters.

Conclusions

Roads and Maritime Services and Transport for NSW
Roads and Maritime Services (RMS) and Transport for NSW (TfNSW) have deployed many controls to protect traffic management systems. However, the systems in place to manage traffic signals are not as secure as they should be. Established controls are only partially effective in detecting and preventing incidents and are unlikely to support the goal of a timely response to limit impacts to traffic management.

A range of risks are adequately managed; however, there are other risks where control improvements are recommended. For example, there is potential for unauthorised access to sensitive information and systems that could result in traffic disruptions, and even accidents, in one particular section of the road network.

Management has designed and tested an emergency response capability for the Traffic Management Centre (TMC) for some disaster scenarios and has recently identified and initiated improvements for responding to IT related disasters.

Until the IT disaster recovery site is fully commissioned, a disaster involving the main data centre would have traffic controllers operating on a regional basis without the benefit of intervention from the TMC in managing traffic coordination, which means higher congestion is likely in the short term.

Sydney Water Corporation
Sydney Water Corporation (SWC) is well equipped to deal with the impact of security incidents. It has developed and tested procedures for security incidents and major outages and has provided relevant training to staff. It has established a back-up operations centre which is tested on a regular basis, and also established redundant systems such as additional control units and backup power supplies for selected key facilities.

Whilst SWC’s response capability is good, it is limited by its inability to detect all security breaches. Controls to prevent and detect breaches are not as effective as they could be. Controls have been implemented to limit a number of risks, however, the protection environment requires improvement to defend against targeted attacks. For example, any malicious activity on most of the corporate network is blocked from accessing the process control system environment but control level access is possible from selected low security workstations on the corporate network.
