A Victorian Auditor-General report released last week has found major security deficits in the State’s water and transport ICT infrastructure, including a lack of protection from unauthorised access.
The Security of Infrastructure Control Systems for Water and Transport report assessed the security capabilities of the Supervisory Control and Data Acquisition (SCADA) system used by the water and transport oversight agencies, the Department of Sustainability and Environment (DSE) and the Department of Transport (DoT).
It identified major security issues with unauthorised access, remote access, and separation of networks, as well as issues with the development process for new infrastructure control systems, and delivered three key recommendations to improve security controls.
The report found that “the risk of unauthorised access to water and transport infrastructure control systems is high.
“Security controls to protect the systems reviewed are not enough to prevent unauthorised access to operator information and communication technologies and infrastructure control systems.
“Operators are not fully aware of the weaknesses in, and risks to their infrastructure control systems.”
Systems security was reported to be compromised by deficiencies in security architecture in the setup of firewalls, separation of networks, and remote access.
A firewall configuration at one operator was discovered to be vulnerable to common network attacks, including service denial, malicious code and spoofing attacks.
“We found that the firewall configuration could not detect and withstand these common network attacks.
“Generally, controls are sufficient to detect and prevent modern and evolving threats from malicious software, although infection and anti-virus programs are not always current,” states the report.
The separation of networks was also found lacking. Corporate users were discovered to have access to infrastructure control systems, while members of control staff were found to be accessing the infrastructure control system from the corporate network in order to perform administrative functions.
“We found some operators had connections between the corporate network and infrastructure control systems, without firewalls to isolate them from corporate users,” states the report.
Remote access vulnerabilities were also noted, with auditors able to use the public telephone networks to access infrastructure control systems.
Some remote access software used to administer control system servers was also said to expose the system to remote security vulnerabilities. Software was found to have file transfer capability that allows for “accidental, or intentional, introduction of viruses or malicious code.”
The development process for new infrastructure control systems for transport and water was found to lack adequate consideration of security measures.
“When developing or acquiring new systems, operators focus on operational requirements and capabilities, with only limited regard for security considerations. In most cases it is only after these systems have been in place for some time that security deficiencies are identified and addressed,” states the report.
As a result of these security deficiencies, the report found that it is possible for staff and external parties to access the control systems that operate infrastructure, and that “it is possible that someone has breached these systems without operators realising.”
The report delivered three recommendations aimed at reforming the ICT security weaknesses outlined.
Firstly, it suggested that “operators should rigorously review the security of their infrastructure control systems against the relevant state and international security standards and implement improvements, where required.”
Secondly, “the Department of Sustainability and Environment should increase its monitoring of operator ICT and infrastructure control system risk, and business continuity management and use suitably qualified and experienced staff from within the department to provide advice to operators on infrastructure control system security and risk, and business continuity management,” states Recommendation Two.
The third recommendation was that “the Department of Transport should establish an ICT security team. It should be comprised of suitably qualified and experienced staff to provide advice to operators on infrastructure control system security and risk, and business continuity management.”