By Asher Moses
May 15, 2007
The computer systems powering Australia's essential services, such as
electricity, gas, water, sewerage, transport and communications
utilities, are outdated and not secured against cyber terrorist attacks,
the Federal Government has warned.
Security analysts in the United States said simplistic attacks
originating from the internet could shut down the electric grid,
interrupt the transport network and compromise drinking water systems.
The Department of Communications, Information Technology and the Arts
(DCITA) said the failure of critical infrastructure as a result of a
cyber attack could have "severe consequences for the wider Australian
The threat is so serious that the Government is holding free workshops
for critical infrastructure practitioners and executives next month
designed to teach them about emerging threats and how to treat them.
Speakers at the workshops will include staff from the National Cyber
Security Division of the US Department of Homeland Security.
Providers of critical infrastructure are being invited to register for
the June workshops on the DCITA website - they will be held in Sydney,
Melbourne, Brisbane, Adelaide and Perth between June 4 and 14.
In a document that will be handed out to attendees, obtained by
smh.com.au, the Government says control systems that form the "central
nervous system" of essential services "are now increasingly connected to
corporate IT networks and the Internet, making them vulnerable to
potential harm from malicious cyber attacks and accidents".
"Many are legacy systems that lack sufficient IT security for today's
"There are known cases of IC [industrial control] systems, owned and
operated by critical infrastructure operators, being disrupted through
Internet based attacks."
The document also warns CEOs and executives of their legal
responsibility to mitigate risks to essential services.
A spokeswoman for the Communications Minister, Helen Coonan, said: "This
program is a practical example of Government working closely with
industry to make Australian critical infrastructure more secure."
Last week's federal budget earmarked $73.6 million over the next four
years to improve the nation's capacity to manage cyber attacks.
The Attorney-General, Philip Ruddock, said part of this spending would
go towards expanding the Australian Government Computer Emergency
Readiness Team (GovCERT) to "provide owners and operators of Australia's
critical infrastructure with information to help reduce the risks from
sophisticated electronic attacks and to provide government with
information about the electronic risks to critical infrastructure".
In February last year, Australia was part of an international exercise,
Operation Cyber Storm, to test government response to cyber emergencies.
Ten federal government departments tasked with emergency management -
including the Australian Defence Force and the Australian Security
Intelligence Organisation - took part in a one-day desktop simulation in
Canberra, and had to respond to a fake hacking attack on the transport
The exercise did not include the private sector, which controls most of
the nation's critical computer networks including power, water and
A report on Cyber Storm was completed in March last year but results
were used for internal government evaluation purposes only and were not
release to the public.
A second cyber terrorism war game, Cyber Storm II, is scheduled to begin
in March next year.
Next month's workshops will incorporate information gleaned from April's
2007 International SCADA Cyber Security Advanced Training Workshop, held
at the Idaho National Laboratories (INL).
A cybersecurity strategist for INL, Aaron Turner, last month testified
to the US House Committee on Homeland Security (Subcommittee on Emerging
Threats, Cybersecurity and Science & Technology) about his research on
US critical infrastructure security and technology risks, which also
applies to Australia.
During his testimony, Mr Turner said "the use of technology [such as the
internet] in our nation's infrastructure has improved the efficiency of
infrastructure operations without corresponding improvements in the
ability to secure these newly connected systems".
Mr Turner added that INL had modelled scenarios where "simplistic
attacks originating from the internet" could degrade electric grid
capacity, impact petroleum refinery processes, interrupt transportation
networks and compromise drinking water systems.
"It should also be noted that the inter-connected nature of our
infrastructure increases the potential for a high-impact correction," Mr
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com