Queensland utilities slammed for leaky systems, hacking risk
Auditor-General Brendan Worrall has criticised government-owned corporations for not doing enough to prevent cyber attacks.
A Russian gang is believed to be behind the biggest single ransomware attack on record. (Photo: ABC)
In a report tabled in State Parliament, Worrall said a routine audit of government-owned electricity corporations (GOCs) had already uncovered “high-risk issues relating to the security and authorisation of online payments”.
The vulnerabilities were considered so serious the GOCs were ordered to rectify them immediately, not simply wait for recommendations in the audit report.
While the GOCs responsible were not named, Worrall said the issue reflected a broader complacency around information security and the threat of cyber crime.
In 2019-20, there were 28 deficiencies identified across the sector, nine relating to Energy Queensland’s rollout of a new computer system due to be finalised by next financial year. That system has already had a budget blowout and was found to lack strong password and access controls.
“We recommend all entities strengthen the security of their information systems,” the report concludes.
“They rely heavily on technology, and increasingly, they have to be prepared for cyber attacks. Any unauthorised access could result in fraud or error, and significant reputational damage. Their workplace culture, through their people and processes, must emphasise strong security practices to provide a foundation for the security of information systems.”
It is not the first time Worrall has raised such issues. Last week, after a routine audit of transport GOCs, he recommended four out of seven entities be more protective of the information they hold, “particularly their management of who can access the system, how they access it, and what they can do in it.”
After an earlier audit of water GOCs, Worrall reported a similar rate of non-compliance.
“This year there has been a significant and sustained increase in external attacks, as cyber criminals attempt to take advantage of changes in working arrangements necessitated by the COVID-19 pandemic,” that report stated.
“This has emphasised the importance of secure information systems.”
Last year, the Australian Cyber Security Centre warned of the potential for cyber attacks on critical infrastructure such as power, transport and water networks.
“We are continuing to see attempts to compromise Australia’s critical infrastructure,” the centre’s Abigail Bradshaw said at the time, noting that some hackers were trying to find vulnerabilities in working-from-home arrangements.
“A cyber incident involving critical infrastructure can have serious impacts on the safety, and social and economic wellbeing of many Australians. If these systems are damaged or made unavailable for any length of time, it can cause significant disruption to our lives.”