http://www.zdnet.com.au/news/security/soa/Knowledge-is-greatest-threat-to-critical-infrastructure/0,130061744,339281010,00.htm
By Liam Tung
ZDNet Australia
10 August 2007
Australia's critical infrastructure is still under threat due to a
shortage of educational resources, according to researchers and security
experts.
The major concern is security of Supervisory Control and Data
Acquisition (SCADA) systems -- the central nervous system for sensors,
alarms and switches that provide automated control and monitoring
functions for utilities such as water, gas and electricity, as well as
large manufacturers.
David Shaw, product manager for Verizon Business's security division,
said that critical infrastructure operators naturally approach SCADA
systems from an engineering perspective, which means there is an
emphasis on availability over security.
While security standards vary from organisation to organisation, Shaw's
greatest concern is not for the technological security of SCADA systems
-- encryption or authentication -- but the "soft" measures supporting
them.
"I am concerned when there is a lack of policy, procedure and personnel
training, to be mindful of the fact these old networks are around, to
understand what limitations are there," he said.
At the inaugural International Federation for Information Processing
(IFIP) Critical Infrastructure Protection conference held in New
Hampshire in March this year, Jill Slay, a computer forensics specialist
at the University of South Australia's Defence and Systems Institute,
said Australia needed more stringent audits of SCADA network access,
better training and stricter controls over contractors.
She welcomed Federal Government initiatives such as the Trusted
Information Sharing Network but also warned that at present there were
not enough resources to keep the SCADA operators' knowledge of threats
and response strategies current.
Echoing Shaw's comments, Slay said that engineers who operate SCADA
systems lack the "mindset for privacy".
"When we go to an electricity utility, the thing that's driving them is
99.99 percent availability so there is not the mind set for privacy.
Because they're using simple systems and everything is in real time, if
you add auditing or monitoring to the process, it's seen as a waste of
resources," Slay said.
Slay was amongst the first of a group of Australians to attend a
training seminar in Idaho on protecting critical infrastructure, which
is part of a knowledge-sharing program between the US and Australian
Governments.
The threat of terrorism has raised concerns over the security of
essential services as SCADA systems have increasingly been opened to
TCP/IP protocol corporate networks to improve process automation and
visibility of data.
Cause for this concern was reaffirmed recently when a security expert
from 3Com's security division, Tipping Point, at the Black Hat
conference in Las Vegas, demonstrated how a SCADA system flaw could be
exploited to cause the system to crash.
Slay called the hack "worrying", remarking it had become "cool" for
hackers to exploit SCADA vulnerabilities.
"It means we need to do more research but we don’t have this critical
mass of researchers they do in the US," said Slay.
The Federal Government's approach to SCADA security has been to garner
industry support through cooperative initiatives such as its Trusted
Information Sharing Network, a community of practice networks dedicated
to fostering knowledge-sharing and training between government, industry
and academia.
But as these groups attempt to bridge knowledge gaps, Craig Scroggie,
Symantec's senior director for Asia Pacific and Japan said criminals
that are interested in attacking critical infrastructure can rely on
well-established networks to acquire knowledge about SCADA
vulnerabilities.
"The amount of information available on SCADA systems online provides
such a large amount of information out there for those who want to find
network vulnerabilities in critical infrastructure. The reality is that
there is a wide dissemination of hacker tools which allows greater
number of people to hack these systems," said Scroggie.
Received on Mon Aug 13 02:14:45 2007