A recent event in a small regional community in the United States put the spotlight on the risks from cybersecurity attacks when a hacker gained remote access to a water treatment plant in the town of Oldsmar, raising the concentration of lye in the water by a factor of 1,000. Fortunately, an employee noticed the discrepancy a few hours later and avoided any harm to the local community, but it did raise the alarm more generally about the risks involved as we pursue the digital transformation of our water assets and the delivery of water services.
Cybersecurity has been treated as a risk by the water sector for some time and the priority was raised in Queensland when the Queensland Audit Office briefed the qldwater Strategic Priorities Group on their “Security of Critical Water Infrastructure Report”, which was released in July 2017.
In May 2018, qldwater hosted a workshop to provide an improved understanding of risks and to hear from the Regulator how the report would impact on drinking water risk management and KPIs. The workshop also included experiences from 8 qldwater members at different stages of maturity, providing some ideas to approach security improvements. One recommendation was to facilitate regional-scale collaboration.
The Downs and Surat Basin (DASB) QWRAP group decided to tackle the challenges through a joint Cybersecurity Audit project. According to DASB Coordinator Alan Kleinschmidt, key drivers for the project were the Councils’ recognition that they needed to better understand the cybersecurity risks they faced, and the legal requirement for councils to consider cybersecurity threats in their risk assessment and management as part of their Drinking Water Quality Management Plans.
“In 2019/20, the Queensland Government announced further requirements for Councils to report against a number of KPIs relating to cybersecurity including whether they have organisational responsibilities in place and whether cybersecurity features in their risk assessment,” Alan said.
“The first aim of the project was to complete a cybersecurity audit of all the Councils’ water businesses – both water and sewerage – and included things like SCADA and telemetry for treatment plants and network operations that could, for example, fall prey to disgruntled former employees changing settings.”
“The second objective was to provide some support for Councils, especially smaller ones, in terms of incorporating cybersecurity as part of their Drinking Water Quality Management Plans.”
Part of preparing or reviewing DWQMPs is to undergo a detailed risk assessment, and while it is easy to identify hazards on site, it can be difficult for water industry workers to fully understand the risks of cybersecurity because they are not experts in the field.
According to Alan, the project helped participating Councils to identify significant credible risks that are real and likely to have an impact, and to provide advice on how to address or mitigate those risks.
“One of the key things you need to understand is the likelihood of something happening in the cybersecurity sphere and what the consequences are of it happening. Cybersecurity attacks don’t have to be through the internet, sometimes they can involve physically accessing a water or sewerage facility and making changes using an on-site computer or control system. This can be a real problem for small or remote systems where staff aren’t able to visit frequently, and that’s where good remote monitoring is important.”
Risks could include interruption of supply (for example by cutting power, turning off pumps or closing valves) as well as chemical contamination, although there is probably a greater risk from turning off a disinfection system or online monitoring which can lead to public health risks.
According to Alan, the audits have now been completed. Because of the sensitivity of the findings, the detailed reports have gone only to the individual Councils, while a summary report was made available to the whole group.
The group will discuss the outcomes and Councils are already taking on board the recommendations.
“All of the DASB Councils will need to review their DWQMPs by 1st October of this year, and they will be able to incorporate the audit findings into their review. This will ensure that they meet the regulatory requirements, and it also provides them a high level of protection and gears them to better respond to emerging federal changes around critical infrastructure,” Alan said.
Alan believes the project also gives credibility at an organisational level because the water business can produce an independent audit and provide recommendations back to their Councillors and senior management to show what the risks are and what needs to be done. It’s a great tool to secure funding and to get recognition of their needs operationally.
The project followed an earlier QWRAP project for the group which aligned SCADA standards across the region. Having access to a set of specifications makes it easier for smaller councils to deal with their suppliers to ensure they buy gear that is well supported, that is maintainable and will have long-term sustainability.