Australia, the driest inhabited continent on earth, unsurprisingly, has a water problem.
With the majority of the population being serviced by a handful of utilities, the responsibility of providing fresh and wastewater services in rural and regional areas often falls to local government areas (LGAs). This has created a situation where water management is generally undervalued or underfunded, despite the critical role it plays in ensuring a continuous supply of clean water.
Despite this, in many Australian LGAs, freshwater more or less takes care of itself. Sometimes, it is powered and pumped, but often, water generally flows downhill, needs chlorine and fluoride added, and the freshwater delivery system usually works with minimal intervention. It’s not subject to issues that will make taps stop flowing, other than the occasional drought or environmental issue.
Where freshwater is sourced from rivers, in towns like Dubbo, water extraction and processing is more intensive, but it’s manageable as gravity does the bulk of the work.
Wastewater, however, is different. Instead of working with the forces of nature, wastewater typically needs to be pumped uphill. This adds layers of complexity and requirements from a digital infrastructure perspective, and these processing systems have capacity limits. Further, most of these systems are part of a wider digital network, making them vulnerable to cyber attacks affecting the entire system. This nuance creates a world of difference.
Compounding the issue, many LGAs lack the staff to manage these systems and turn to contractors who may not have the necessary expertise to enshrine security and resilience. The financial pressures of the post-COVID-19 era and a series of poor investment returns have further eroded the budgets of LGAs, leaving them hard-pressed to allocate resources for risk assessment and mitigation.
While Australia hasn’t seen a “rogue state actor” targeted attack on water utilities as has happened in the US, we have seen disgruntled employees infiltrate wastewater systems in a relatively unsophisticated manner. In Maroochy Shire in 2001, a former council contractor used the SCADA (Supervisory Control and Data Acquisition) system to remotely turn the wastewater system on and off, wreaking havoc across the town for over a month.
Securing industrial control systems like wastewater plants is far from simple, and the process differs significantly from updating computer software. The devices that do the work are “un-agentable”, meaning that installing security software or actively monitoring systems is not always an option. Nevertheless, there are fundamental steps that LGAs can take to limit risk and safeguard their wastewater infrastructure.
LGAs should strive to segment and monitor their systems, reducing external communications to the greatest extent possible. By limiting remote access and granting only specific, necessary access — part of a zero-trust model — they can bolster their security posture. In addition, understanding their assets and establishing network baselines will enable LGAs to identify deviations and assess risk, utilising standards such as IEC 62443 to implement and maintain secure industrial automation and control systems (IACS) in tandem with the enterprise risk framework. The AEMO Cyber Security Framework for the energy sector (AESCSF) is also an excellent resource, and not just for energy assets. These standards have been developed to promote best practice in cyber security; they allow the level of security risk to be assessed while acknowledging that risk mitigation is a gradual climb in maturity.
Treating wastewater plants as isolated network nodes and reviewing communications that breach this principle is also crucial. Even if treatment plants are not segregated, monitoring communications that jump boundaries can reveal security risks. If such risks are to be accepted, they should be closely monitored as an alternative control.
Adhering to the tenets of good industrial control system (ICS) security is essential. LGAs must understand and protect their assets, prioritise software and firmware patching, and detect boundary-hopping communications. Remediation of hygiene issues, such as turning off SMBv1 shares — which have significant security vulnerabilities and are used by hackers to launch severe ransomware attacks on unsuspecting parties — will prevent small problems from escalating into big ones.
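As an added illustration, not part of the original article or of any product it mentions, the following Python checks passively collected flow records first against a zone map with approved conduits (in the IEC 62443 sense) and then against a recorded baseline. The addresses, zone names, conduit list and flow records are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed zone map (hypothetical addressing for one council network).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "scada": ipaddress.ip_network("10.20.0.0/24"),
    "pump_station": ipaddress.ip_network("10.30.5.0/24"),
}
# Approved conduits: (source zone, destination zone, destination port).
CONDUITS = {
    ("scada", "pump_station", 502),  # SCADA master polling PLCs (Modbus/TCP)
    ("corporate", "scada", 443),     # assumed read-only historian view
}
# Constructed baseline: flows recorded during a known-good period.
BASELINE = {
    Flow("10.20.0.10", "10.30.5.21", 502),
    Flow("10.10.4.7", "10.20.0.5", 443),
}
# Constructed observations to review.
OBSERVED = [
    Flow("10.20.0.10", "10.30.5.21", 502),   # matches conduit and baseline
    Flow("10.10.4.7", "10.30.5.21", 445),    # corporate host reaching a PLC subnet
    Flow("10.30.5.21", "203.0.113.9", 443),  # pump station talking to the internet
    Flow("10.20.0.11", "10.30.5.22", 502),   # allowed conduit, but a new pairing
]

def zone_of(addr):
    """Return the zone name for an address, or 'external' if unmapped."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "external")

def classify(flow, baseline):
    """Boundary check first, then deviation from the recorded baseline."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src != dst and (src, dst, flow.dport) not in CONDUITS:
        return "boundary-violation"
    return "expected" if flow in baseline else "new-since-baseline"

def review(flows, baseline):
    """Return (flow, finding) pairs for everything that needs a human look."""
    labelled = ((f, classify(f, baseline)) for f in flows)
    return [(f, label) for f, label in labelled if label != "expected"]

if __name__ == "__main__":
    for flow, finding in review(OBSERVED, BASELINE):
        print(finding, flow)
```

Because it works from flow records alone, a check of this kind needs nothing installed on the controllers themselves.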
Above all, it is imperative for LGAs to detect threats and ensure that if malicious code lands, it cannot expand. By implementing these measures, Australia can work towards securing its water infrastructure and ensuring the continuous supply of clean water in, unclean water out, for its growing population.
Dean Frye is a senior solutions architect at Nozomi Networks.