The water sector is swiftly embracing digital transformation, intertwining Information Technology (IT) and Operational Technology (OT) environments to drive efficiency gains. However, this convergence also exposes water infrastructure to potential cyber threats, both external and internal. Recent cyber-attacks targeting critical infrastructure in Australia underscore the urgency for water authorities to fortify their cyber defences.
Understanding these threats is paramount for safeguarding critical assets.
In May, I had the honour of presenting at Ozwater, delving into the critical connections between digital innovation and cyber security. In this blog, I share the highlights of the report derived from our discussions, from the evolving threat landscape to actionable strategies for safeguarding critical assets.
According to the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) Annual Cyber Threat Report, cyber-attacks on critical infrastructure accounted for 25% of all cyber incidents in Australia. Furthermore, 90% of organisations utilising Operational Technology have encountered cyber incidents.
In this landscape, water providers grapple with extending cyber security requirements mandated by the Security of Critical Infrastructure (SOCI) Act to operational assets. Budget constraints and skill shortages exacerbate the challenge, compelling water authorities to act swiftly and decisively.
Graphic: The Cyber Environment in Australia; 76,000+ cyber crime reports for the financial year
2021-22, which was up 13% year-on-year.
What is the SOCI Act and who does it apply to in the water sector?
The Security of Critical Infrastructure (SOCI) Act imposes legal obligations on entities managing critical infrastructure assets, encompassing large water providers. For water providers to fall under the SOCI Act, they must manage water or sewerage systems serving at least 100,000 connections.
Critical infrastructure, as defined by the SOCI Act, encompasses facilities, supply chains, and communication networks whose destruction or unavailability would significantly impact national wellbeing and security. Water treatment plants, distribution networks, and data systems fall within this scope.
Graphic: 3 tips to achieve cyber security compliance
Enhanced Cyber Security Obligations (ECSO) for water authorities
Water providers classified as Systems of National Significance (SoNS) must adhere to Enhanced Cyber Security Obligations (ECSO), necessitating robust cyber security measures.
These include:
- Regular risk assessments
- Incident response planning
- Access controls
- Network segmentation
- Patch management
- Threat intelligence, and
- Employee training.
Government assistance measures
In the event of a cyber security breach, the Australian Government offers support through Ministerial intervention, facilitating coordination and resource allocation to mitigate the impact. Establishing communication channels with relevant government agencies is vital for timely assistance during emergencies.
Reporting cyber security incidents
Timely reporting of cyber security incidents is mandated by the SOCI Act.
Water providers must notify authorities about breaches, unauthorised access, or threats affecting critical infrastructure. Estimating the impacts aids coordinated response efforts.
Read more: Navigating the SOCI Act
What should water providers do if they don't fall under the SOCI Act?
Even if not bound by the SOCI Act, small water providers must prioritise cyber security.
Key actions include regular assessments, limiting exposure to the internet, changing default passwords, maintaining asset inventories, developing incident response plans, backing up systems, and conducting cyber security awareness training.
Graphic: Cyber security actions for all water providers.
Discussion and result analysis
Key findings from cyber security implementations include the importance of understanding OT environments, updating skills and processes, acknowledging cyber risk as an organisational issue, and interpreting legislative mandates effectively.
SAGE Group’s Vision, Reality, and Impact methodology offers a structured approach to improving cyber security posture.
Managing cyber security in the water industry
Cyber security is imperative for water providers of all sizes, requiring a holistic understanding of assets, risks, and regulatory obligations.
SAGE Group advocates for a proactive approach to cyber security, emphasising the importance of clarity, collaboration, and continuous improvement.
I recommend reading my whitepaper, Navigating Cyber Security in the Water Sector, for the full report including case studies.
.webp?width=457&height=173&name=Sage-Group-Embedded-Expertise-Logo(1).webp)