Sydney Water Corporation audit: ICS security lessons for all

I read over the New South Wales (Australia) cyber security audit. I liked the fact that the audit is publicly available. I liked the fact that it included a close look at the industrial control systems of Sydney Water Corporation (SWC). This helps the average citizen understand where security improvements might need to be made.

NSW audit

I thought the auditors made some concise observations that could well be applied to a number of critical infrastructure operators:

  • SWC has an established Information Security Management System (ISMS), but it only covers the corporate data centre and not the engineering systems.

Comment: So the systems that control the service that the corporation exists to provide are not covered by the security management system?

  • SWC’s risk management process documents risks and controls at a strategic level but does not cover all operational level risks, such as the potential introduction of USB-based malicious software.

Comment: Ahh, no one has decided how to secure the SCADA. And the strategy they have is so high level that it does not reflect proven threat vectors.

  • A range of common specific risks and their mitigating controls have not been documented, including risks associated with non-expiring engineering passwords.

Comment: One password… forever…. for your SCADAs. Because you don’t want passwords getting in the way of the engineers doing their job. (but what about former employees?)

  • SWC indicated that an assessment is conducted for every SCADA related alert from national computer emergency response team (CERT Australia), with emails received on a regular basis by several managers whose job it is to assess impacts. However the assessment process was not defined and the analysis documentation that was provided to support this assertion was limited to a minority of the security advisories released by the US Government.

Comment: At least they say they are looking at vulnerabilities, right?

Those may sound easy enough, but the truth is that they require a change in mentality reaching from corporate management to operations engineers. Will they do it?

And what about your water provider?