Vic water authorities vulnerable to cyber attack

A state government audit into Victoria's water authorities has revealed much of the critical infrastructure towns and cities rely upon remains vulnerable to electronic attack.

The Victorian auditor-general John Doyle today warned many of the 19 water bodies would remain oblivious if a breach of their core systems was to occur.

The findings follow the alarming discovery made by Doyle's peers in Queensland, who found that Brisbane’s traffic management systems were littered with security holes just 12 months out from the G20 leader’s summit.

In most cases, each instance of privileged access to core agency systems was at least recorded, despite the feed not being monitored to detect inappropriate intrusions, Doyle found.

“Monitoring processes varied from regular reviews, ad hoc or ‘as required’ reviews to no review," the report said. “We identified six instances where privileged user accounts were not managed appropriately.”

Doyle also took issue with sloppy maintenance of software patches by a handful of the audited bodies.

“Generally water entities maintained patches for software. However, we observed two instances where such patches were not maintained,” he said.

Overall the audit picked up on 33 new control weaknesses across the 19 water authorities.

The vulnerabilities the auditor-general expressed the greatest concern about were 22 issues raised in previous reports which had still not been fully addressed – one of which is still outstanding despite being first called to attention by the audit office in 2010-11.

The failure to address the issues reflected poorly on both the organisations and their management, the report said.

“The water entities can strengthen their controls to protect information from unauthorised access, theft or manipulation, to ensure the continuity of service provision and to guard against the emergence of external threats and new security risks.”

Doyle handed down a more comprehensive review of the strength of Victoria’s information defences and disaster recovery capabilities in November, which found that - alongside Western Australia - the Victorian state government accounted for the highest rate of cyber security incidents affecting Australian governments.

In one instance penetration testing allowed the audit team to intrude on an agency bank account located offshore.

Just days before the report was tabled, technology minister Gordon Rich-Phillips announced a government wide cyber security strategy was under development, which is intended to address the absence of a coordinated plan for an attack on a number of agency systems in unison.