Control systems running Queensland\u2019s water supply are open to attack, according to a new audit report.\nThe report, compiled by the Queensland Audit Office, found the water control systems operated by water service providers were \u201cnot as secure as they should have been\u201d at the time of audit testing.\nActing Auditor-General Anthony Close said the age of these systems, combined with more recent integration with corporate networks had resulted in higher risks that had not always been recognised and tested by the utilities.\n\u201cSecurity controls did not sufficiently protect them from internal or external information technology-related attacks. Information security is like a chain \u2013 it is only as strong as the weakest link. All entities were susceptible to security breaches or hacking attacks because of weaknesses in processes and controls,\u201d Close said in his report.\n\u201cAt the time of our testing, attacks could disrupt water and wastewater treatment services. They could also disrupt other services that relied on the entities\u2019 information technology environments.\u201d\n \nHe said this was a risk to public health and appreciable economic loss in terms of lost productivity not only to water service providers but also to citizens and businesses.\nAlthough all organisations were capable of responding to information security incidents if they detected them, they were not well prepared to respond to cyber attacks.\n \n\u201cThey had not planned or tested their response and recovery from a malicious or cyber incident. These can occur without notice and can affect availability and integrity of multiple systems,\u201d said Close in his report.\nAudited organisations said that they could operate smaller plants or parts of their larger water treatments plants manually following a disruption to computer systems but they had not demonstrated this capability.\n \n\u201cOnly one entity had documents its manual operating procedures, and none had ever tested running their whole plants manually. This places a high reliance on individual knowledge, experience and physical presence to continue water services in the event of an attack,\u201d Close said.\n\u201cThe results of this audit serve as a timely reminder for any public sector entity managing critical infrastructure. Entities should assess and strengthen defences to protect their systems from information technology and cyber threats, and ensure that manual operation of critical infrastructure is documented and well tested.\u201d\nThe audit office recommended that Queensland\u2019s Department of Energy and Water Supply integrate IT risks and cyber threats into the existing management framework for drinking water services and in Queensland water and sewerage service provider frameworks.\nIt also recommended that the department facilitate information sharing about adopting standards for securing IT amongst entities that manage water control systems.\nMeanwhile, it recommended that the entities audited improve oversight, identification and monitoring of IT risks and cyber threats to water control systems.