Water is a man-made marvel in Canberra: artificial Lake Burley Griffin is regulated by Scrivener Dam and three other dams keeping water levels in check. In times of drought the dams keep water irrigating along the length of the water system, and in times of rain sluices are opened to keep communities from being overwhelmed by flood.
The recent La Nina seasons have seen the dams go from below 50 per cent with the risk of drought, to nearly 100 per cent capacity. Due to this immediate risk, cybersecurity has typically not been a major priority. But this is changing.
As our attention is drawn to major cyber incidents affecting telcos, retailers, and other essential industries, and as the water sector continues to adopt an array of automation, technology and digital environments, cyber protection has become a priority issue for Canberra's water leaders and engineers.
The risks to physical assets, including utilities, pipes, tanks, dams and storage, are well understood. But the cyber risks are still not despite this enhanced focus.
Water utilities rapidly adopted remote working systems during the COVID pandemic, allowing crucial work to continue safely from beyond the dams and sluices. However, many utilities are yet to adjust their cybersecurity protocols to address this new environment.
Further, the tools used in water utilities have become standardised; what affects one type of utility will inevitably affect another, in Australia or abroad. It's for this reason that cybersecurity must become a collective imperative for the sector.
Canberra's operators don't need to look far to see the potential fallout from an attack - up north in 2000, Maroochy Shire famously became one of the first examples of a hacked water utility. A disgruntled former employee infiltrated the supervisory control and data acquisition (SCADA) system and released millions of litres of sewage into the streets, parks, rivers, and the grounds of a hotel.
Further afield in the United States, a New York dam was hit by Iranian hackers which fortunately were not able to access the sluice gates. If this were to happen in Canberra while the dams were at full capacity, the consequences could be dire.
In the years since, hackers have targeted dams and water treatment plants attempting to extort money or disrupt local communities. All the while cybersecurity defences have not kept pace as threats have festered.
Australian Cyber Security Centre data suggests one quarter of cyber security incidents in Australia were targeted at critical infrastructure and essential services.
Many would also be surprised to realise just how much data a water utility holds. Private employee information, including from other connected utilities, and secure asset data are all prime targets for hackers. A malicious state or state-sponsored actor may be seeking to do maximum physical and political damage - and Australia's capital would be an attractive target in this regard - but ransomware, phishing and distributed denial-of-service (DDoS) attacks can also cost a utility millions of dollars.
The recently expanded Security of Critical Infrastructure Act offers some solutions. Critical water assets now include wastewater, desalination plants, bulk water providers and more. These assets are required to maintain a risk management program and report all assets and cyber incidents.
SOCI offers an avenue for the federal government to step in when cyberthreats become unacceptable to the community, an important step in modernising Australia's cybersecurity response.
However, the lack of a minimum standard of security leaves sectors which have not yet raised their cyber posture at risk, such as water and dams.
The Water Sector Coordinating Council warns many water utilities do not adequately invest in cybersecurity. In 2021, a third of water utilities allocated only one per cent of their budget to cyber. Because of this, risk assessments, cybersecurity specialists, internal threats, and mitigation and recovery remain neglected.
As digital and physical investment in the ACT's utilities continues - such as Icon Water's $15 million ICT operations environment and $700 million physical infrastructure upgrades - cybersecurity must be a vital component.
The water sector continues to evolve rapidly and security mindsets must keep pace. Increased connectivity has vastly improved the ways services are delivered to the community and allows better control over flood and drought events. The adoption of remote technologies is here to stay and has solidified network and cybersecurity as just as important as physical security.
Canberra's dam system has multiple physical redundancies built in along its length. To better secure Canberra's water supply and safety from malicious actors, cyber redundancies must be considered in the same way.
