Sloppy recruitment processes at Western Australia’s government-owned electricity provider Horizon Power risked cyber-attacks against its IT network and systems, the state’s auditor has found.
The finding was contained in the eleventh annual Information Systems Audit Report [pdf] released on Wednesday, which assessed four key applications across the state’s public sector.
All four systems were found to contain “weaknesses” most commonly relating to “poor contract management, policies, procedures and information security”.
One of those was Horizon’s Advanced Metering Infrastructure, which is used to record and bill the 100,000 residents and 10,000 businesses the company serves for the consumption of electricity.
Although the report found no issues with the AMI system itself, it did uncover wider concerns around “inadequate background checks and contractor access management” at the electricity provider.
Horizon Power was found not to have performed criminal history checks on new staff, despite those staff having access to “critical power infrastructure and systems”.
This is despite the company conducting reference and qualification checks as part of its standard recruitment processes.
“Horizon’s policies and processes do not require criminal history checks to be undertaken for staff,” the audit states.
“We found new staff employed without criminal history checks had privileged access to critical power infrastructure and systems.
“Without appropriate screening processes, staff may be assigned to positions of trust for which they are unsuitable.”
Poor screening checks of existing staff were also identified, which the report said was “concerning” given their “access to the network electricity management and other key systems”.
Inaccuracies in HR records were also found, which meant that third-party contractor staff were not being effectively managed.
“Horizon has outsourced most of its ICT functions and over 300 contractors have been given access to the network and key systems to perform their work,” the report states.
“Without an effective process to revoke contractor access, there is an increased risk that these accounts could be used to attack Horizon’s IT network and systems.”
Those contractors were also found to be able to access Horizon’s network and systems between quarterly reviews of network access.
The security of critical infrastructure was thrust into the spotlight last year after the federal government passed new legislation aimed at protecting Australia's "highest-risk" electricity, water, gas and port infrastructure.
In response to the audit’s findings, Horizon Power said it has already “implemented improvements to the employee and contractor on-boarding and off-boarding processes, including criminal history checks prior to appointment to positions of trust”.
The report also identifies weaknesses with other key public sector applications, including the whole-of-government recruitment advertisement management system at the state’s Public Sector Commission and the New Land Register at Landgate.
Security weaknesses at government entities persist
Elsewhere in the audit, 547 general computer control issues were identified across 47 state government entities, slightly more than the 539 issues identified last year.
However, only 47 percent of entities met the auditor’s benchmark of effective information security.
“It is clear from the basic security weaknesses we identified that many entities lack some important security controls needed to protect systems and information,” the report states.
“The trend across the last 11 years shows little improvement in entities’ controls to manage information security.”
The report said weaknesses ranged from non-existent, outdated or unapproved information security policies to a lack of processes to find and fix security vulnerabilities and poor password management.
In one instance, an entity had not patched the vulnerabilities exploited by WannaCry five months after they had been identified, while another was storing passwords in plain text on a shared network drive.