The water sector is swiftly embracing digital transformation, intertwining Information Technology (IT) and Operational Technology (OT) environments to drive efficiency gains. However, this convergence also exposes water infrastructure to potential cyber threats, both external and internal. Recent cyber-attacks targeting critical infrastructure in Australia underscore the urgency for water authorities to fortify their cyber defences.
Understanding these threats is paramount for safeguarding critical assets.
In May, I had the honour of presenting at Ozwater, delving into the critical connections between digital innovation and cyber security. In this blog, I share the highlights of the report derived from our discussions, from the evolving threat landscape to actionable strategies for safeguarding critical assets.
According to the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) Annual Cyber Threat Report, cyber-attacks on critical infrastructure accounted for 25% of all cyber incidents in Australia. Furthermore, 90% of organisations utilising Operational Technology have encountered cyber incidents.
In this landscape, water providers grapple with extending cyber security requirements mandated by the Security of Critical Infrastructure (SOCI) Act to operational assets. Budget constraints and skill shortages exacerbate the challenge, compelling water authorities to act swiftly and decisively.
2021-22, which was up 13% year-on-year.
The Security of Critical Infrastructure (SOCI) Act imposes legal obligations on entities managing critical infrastructure assets, encompassing large water providers. For water providers to fall under the SOCI Act, they must manage water or sewerage systems serving at least 100,000 connections.
Critical infrastructure, as defined by the SOCI Act, encompasses facilities, supply chains, and communication networks whose destruction or unavailability would significantly impact national wellbeing and security. Water treatment plants, distribution networks, and data systems fall within this scope.
Water providers classified as Systems of National Significance (SoNS) must adhere to Enhanced Cyber Security Obligations (ECSO), necessitating robust cyber security measures.
These include:
In the event of a cyber security breach, the Australian Government offers support through Ministerial intervention, facilitating coordination and resource allocation to mitigate the impact. Establishing communication channels with relevant government agencies is vital for timely assistance during emergencies.
Timely reporting of cyber security incidents is mandated by the SOCI Act.
Water providers must notify authorities about breaches, unauthorised access, or threats affecting critical infrastructure. Estimating the impacts aids coordinated response efforts.
Even if not bound by the SOCI Act, small water providers must prioritise cyber security.
Key actions include regular assessments, limiting exposure to the internet, changing default passwords, maintaining asset inventories, developing incident response plans, backing up systems, and conducting cyber security awareness training.
Key findings from cyber security implementations include the importance of understanding OT environments, updating skills and processes, acknowledging cyber risk as an organisational issue, and interpreting legislative mandates effectively.
SAGE Group’s Vision, Reality, and Impact methodology offers a structured approach to improving cyber security posture.
Cyber security is imperative for water providers of all sizes, requiring a holistic understanding of assets, risks, and regulatory obligations.
SAGE Group advocates for a proactive approach to cyber security, emphasising the importance of clarity, collaboration, and continuous improvement.
I recommend reading my whitepaper, Navigating Cyber Security in the Water Sector, for the full report including case studies.