By staff writer.
Isaac Regional Council in Central Queensland is the latest local council to face a cyberattack. The central Queensland council publicly confirmed the attack late on Sunday, April 2, saying they had flown in external cybersecurity experts over the weekend to help manage it.
“We are taking this matter very seriously as cybersecurity is part of our day-to-day business,” said council CEO Jeff Stewart-Harris. “At this stage, we do not have any evidence of large data uploads out of our system. However, this is still being fully investigated, so it can’t be guaranteed.”
Isaac Regional Council services almost 21,000 residents living to the southwest of Mackay. The council’s operational base is in Moranbah. It is responsible for several pieces of critical infrastructure, including waste disposal, sewerage, local roads, and water.
Stewart Harris did not specify what council systems were down but indicated that some “separate” systems continue operating as usual. Those include landfill operations, library and Scada system monitoring of the water supply. He calls the cyberattack a ransomware incident and says the council became aware of it on April 1.
“We have a strong IT team who are working with the best cybersecurity experts in the field,” he said. “We are doing the due diligence that’s the cornerstone of the recovery from a cybersecurity incident, so we ask people to be patient with us.”
As recently as 2021, cybersecurity industry research suggested that local government was one of the sectors least likely to be targeted by bad actors. Experts then warned that this was causing complacency, leaving local councils and their infrastructure entities vulnerable.
Several high-profile cyberattacks since then, including on Stonnington City Council in Melbourne, have focused attention on the potential cyber vulnerabilities of local councils, something Stewart Harris says Isaac Regional Council is well on top of, saying, “cybersecurity is part of our day-to-day business.”
A 2022 Australian Cyber Security Centre (ACSC) report raised the flag on the potential cyber threats local councils faced, saying the propensity to pour cyber defence resources into larger utilities at the expense of smaller local council-run utilities posed a serious security risk. The legacy systems many local councils operated further exacerbated this, with councils often unable to update because of a lack of skills and cash.
Also, last year, the Western Australia Auditor General’s office conducted capability maturity assessments at 12 local governments in that state, finding none met expectations across six broad cybersecurity criteria and none met the benchmark for information security.
That 2022 assessment found more weaknesses across fewer local council entities compared to the year before. “These weaknesses represent a considerable risk to the confidentiality, integrity and availability of entities’ information systems and need prompt resolution,” said Auditor General Caroline Spencer. She said that as cyber threats continued to evolve, it was important that local councils implemented and updated controls to keep their data and systems secure.
Meanwhile, Stewart Harris says his council’s systems are staying locked down as a precautionary measure to safeguard data, adding that protecting customer and employee information was a top-tier priority. “I want to assure everyone we have the best people on the job,” he said.