Industrial · Moderate

Riverstone Water — The Engineer's Convenience VPN

Riverstone Water is a fictional regional water utility serving 90,000 customers across three local government areas in regional Australia. As a designated critical infrastructure asset, the utility maintains a Cyber Security Risk Management Plan (CIRMP) under the SOCI Act and operates separate IT and OT environments with formal segmentation between them.

Documented standards required all remote access to OT systems to occur through an enterprise jump-host with multi-factor authentication, logging and review. The OT engineering team operated under these standards during normal hours.

Around 2019, the on-call engineering roster shifted to allow after-hours response from home for non-critical alerts. To enable this, two senior engineers each set up a personal commercial VPN (a consumer-grade product) to allow direct access from their home machines to a shared engineering workstation on the OT network. This bypassed the enterprise jump-host. The arrangement was never formally approved, but it was widely known on the team and treated as a practical necessity. Over the next three years, four more engineers joined the arrangement. The personal VPN service became the de facto after-hours access path.

Annual security reviews continued to validate the documented enterprise jump-host architecture. The reviews drew their access inventory from corporate identity records, which did not include the personal VPN accounts. In 2024, a phishing attack against one of the engineers' personal email accounts gave attackers access to the personal VPN credentials, and from there to the OT engineering workstation. The attackers spent eleven days reconnoitring the OT environment before being detected during a routine network audit.

Your task

Identify two stages of the Drift Model where this scenario shows clear drift, and justify each.

Pick two different stages and write at least 20 characters for each.