Cyber crime experts say Queensland should get ready for a future attack within 10 years on critical infrastructure such as public transport, water treatment and power generation.
Public transport in Brisbane’s CBD went into meltdown at peak hour on Wednesday when a power problem at a radio station at Mt Coot-tha triggered a communication breakdown between Queensland Rail’s control room and the network.
QR on Thursday ruled out a cyber attack on its communication network.
However, two Brisbane cyber-security experts told Fairfax Media that while the risk of a cyber attack in Brisbane or Queensland was low, the international focus on next year’s Commonwealth Games made it a high priority for cyber activists who may wish to advertise a protest to a big audience.
The warning follows a Queensland Auditor General’s report on Tuesday which showed Queensland’s water grid was already at risk of a cyber attack and operators Sunwater and Seqwater needed to do more to protect the state’s water supplies.
Queensland University of Technology cyber crime expert Dr Ernest Foo said Queensland should prepare for an inevitable cyber attack on energy, water or transport infrastructure.
“I don’t think it will be 10 years’ time; I don’t think it will be that long,” Dr Foo said.
He believed a cyber attack on key infrastructure was “becoming a lot more realistic”.
The 2018 Commonwealth Games organising committee had recently awarded a cyber-security tender, he said.
Cyber-security expert Phil Cole from University of Queensland’s Australian Cyber Emergency Response Team agreed the 2018 Commonwealth Games was the highest risk for Queensland and Australia, and another risk would be a protest over the Great Barrier Reef’s health.
“The Commonwealth Games are definitely a risk,” Dr Cole said.
“There are a lot of high-priority events there with a high media coverage,” he said.
He said international protest agencies would realise the Games would garner global coverage.
“It’s not just Aussies at the Commonwealth Games, there are a lot of other nationalities there as well.”
However, Dr Cole said he doubted that activists would have the technical skills or staffing to develop a sophisticated cyber attack against water, energy or public transport infrastructure.
Dr Foo said the current theatre of war between Russia and the Ukraine showed examples where cyber attacks affected public services.
“They have had lots of attacks on critical infrastructure. Taking down power stations and that sort of thing.”
He said a large number of power stations were built by very few manufacturers and, although he conceded it sounded like an espionage film plot, their information systems could be learnt.
“So it is likely that it could happen here, but we are just lucky because we don’t have anyone who is picking on us at the moment like they (the Ukraine) does.”
Dr Cole said the risk of this category of cyber attack was still low.
“It is not as if it is a situation where you have the local kid in a garage hacking into something and bringing it crashing down,” he said.
However, he pointed out that a South Korean web-posting business, Nanyana, this week paid $1 million in ransom to cyber-criminals to allow its business to continue operating.
Dr Cole said Australians were familiar with “malware attacks” or “phishing attacks”, but he did not think there was real motivation for a critical infrastructure attack in Queensland.
“So, I think it is probably not that likely that you will see a cyber attack in Queensland or Australia within 10 years or so,” Dr Cole said.
Dr Foo said the recent ransomware cyber attacks could be varied to attack infrastructure.
The most recent examples hit Russia’s oil producer Rosneft, France’s biggest bank BNP Paribas and India’s Jawaharlal Nehru Port Trust, as well as Australian businesses, the Cadbury’s chocolate factory in Hobart and TNT Express.
Dr Foo said criminals were yet to work out how to make money out of it, aside from identification theft from stolen credit cards.
He said the idea of the “smart grid” – where energy does not come from one or two power generation plants but from myriad connected, local generators with intelligent vehicles linked to the network – made cyber crime easier.
“These kinds of systems are going to be more connected,” he said.
“And because they are more connected they are going to be more vulnerable to attack.”
The Australian government opened its latest cyber security centre in Brisbane in February.
Queensland’s Department of Science, Information, Technology and Innovation said $12.5 million was supporting a whole-of-government Cyber Security Unit, which was set up in February 2016.
The unit electronically scans more than 39,000 government information technology assets weekly, but does not scan Queensland’s water, gas and electricity assets.
That work is done by Australia’s national computer emergency response team, CERT Australia.