Queensland's critical water infrastructure is at risk of severe disruption by hackers due to old and insufficiently protected water control systems, the state's auditor has found.
The Queensland Audit Office conducted penetration tests [pdf] on a "selection" of unnamed water operators to identify and exploit security vulnerabilities, and to see how well the operators could detect the breaches and restore systems in the event of an attack.
Queensland has three main categories of water service provider: Seqwater, which sells and distributes bulk water to entities in South East Queensland; Sunwater, which does the same for those outside that region; and local governments, who supply to households and manage wastewater.
The auditors found that all the entities it tested were susceptible to breaches because of weaknesses in processes and controls.
Water control systems had been given a backseat to corporate systems when it came to security, the audit office reported: these assets hadn't been properly assessed, nor had networks been designed to properly protect the systems.
None of the audited entities had security plans or security requirements for their water control systems. Where operators had conducted security reviews and penetration tests, they had only targeted corporate and business systems, the audit office said.
The physical security - as well as technical security - of the control systems had not been considered, meaning there was not much to protect the servers and workstations connecting users to the control systems from attack.
Additionally, integrating their ageing water control systems with corporate networks had resulted in greater risks than the water operators were aware of, the QAO said.
"At the time of our testing, attacks could disrupt water and wastewater treatment services. They could also disrupt other services that relied on the entities' information technology environments," the audit office reported.
"There was a risk to public health and appreciable economic loss in terms of lost productivity, not only to water service providers but also to citizens and businesses. A sewage spill could also have a significant impact on the environment."
The water operators had also not planned or tested how they would respond to or recover from a cyber attack, the audit office said.
Their IT disaster recovery plans for corporate systems did not extend to recovery of water control systems.
"The entities audited reported that they could operate smaller plants or parts of their larger water treatment plants manually in the event of disruption to computer systems, but they had not demonstrated this capability," the QAO reported.
"Only one entity had documented its manual operating procedures, and none had ever tested running their whole plants manually. This places a high reliance on individual knowledge, experience and physical presence to continue water services in the event of an attack.
"Because of the critical importance of clean drinking water to the community, it is vital that water service providers identify and manage the risks associated with this infrastructure. Entities cannot always prevent attackers from attempting to break into these systems, but they can strengthen their systems with appropriate controls to detect and recover from breaches."
Part of the blame lies with the state government: the QAO said Queensland had not - as required by federal guidelines for critical infrastructure systems - helped water operators implement security controls. There's also no central agency that deals with this issue.
However, while it was "unlikely" any of the audited entities would have been able to promptly detect a security breach of their water control systems when the audit office did its testing, the QAO reported that the operators have since "taken steps" to improve ther monitoring processes.
"All entities we audited had either planned or were planning projects that would address information technology security risks," the QAO said.
Attacks on critical infrastructure systems have the potential to cause huge damage to communities, most famously made evident through the 2010 Stuxnet infection of an Iranian nuclear facility that ruined one fifth of the country's nuclear centrifuges.
In Australia a revenge hack by a contractor caused 800,000 litres of raw sewage to overflow into parks and rivers in Maroochy Shire in Brisbane.
And just two months ago, all emergency sirens in the US city of Dallas were set off for about 90 minutes after an external attacker broke into the city's system and activated the sirens. It has been called one of the largest-known breaches of a warning system.
