Knowledge is greatest threat to critical infrastructure

Knowledge is greatest threat to critical infrastructure
Knowledge is greatest threat to critical infrastructure

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Liam Tung
ZDNet Australia
10 August 2007 

Australia's critical infrastructure is still under threat due to a 
shortage of educational resources, according to researchers and security 

The major concern is security of Supervisory Control and Data 
Acquisition (SCADA) systems -- the central nervous system for sensors, 
alarms and switches that provide automated control and monitoring 
functions for utilities such as water, gas and electricity, as well as 
large manufacturers.

David Shaw, product manager for Verizon Business's security division, 
said that critical infrastructure operators naturally approach SCADA 
systems from an engineering perspective, which means there is an 
emphasis on availability over security.

While security standards vary from organisation to organisation, Shaw's 
greatest concern is not for the technological security of SCADA systems 
-- encryption or authentication -- but the "soft" measures supporting 

"I am concerned when there is a lack of policy, procedure and personnel 
training, to be mindful of the fact these old networks are around, to 
understand what limitations are there," he said.

At the inaugural International Federation for Information Processing 
(IFIP) Critical Infrastructure Protection conference held in New 
Hampshire in March this year, Jill Slay, a computer forensics specialist 
at the University of South Australia's Defence and Systems Institute, 
said Australia needed more stringent audits of SCADA network access, 
better training and stricter controls over contractors.

She welcomed Federal Government initiatives such as the Trusted 
Information Sharing Network but also warned that at present there were 
not enough resources to keep the SCADA operators' knowledge of threats 
and response strategies current.

Echoing Shaw's comments, Slay said that engineers who operate SCADA 
systems lack the "mindset for privacy".

"When we go to an electricity utility, the thing that's driving them is 
99.99 percent availability so there is not the mind set for privacy. 
Because they're using simple systems and everything is in real time, if 
you add auditing or monitoring to the process, it's seen as a waste of 
resources," Slay said.

Slay was amongst the first of a group of Australians to attend a 
training seminar in Idaho on protecting critical infrastructure, which 
is part of a knowledge-sharing program between the US and Australian 

The threat of terrorism has raised concerns over the security of 
essential services as SCADA systems have increasingly been opened to 
TCP/IP protocol corporate networks to improve process automation and 
visibility of data.

Cause for this concern was reaffirmed recently when a security expert 
from 3Com's security division, Tipping Point, at the Black Hat 
conference in Las Vegas, demonstrated how a SCADA system flaw could be 
exploited to cause the system to crash.

Slay called the hack "worrying", remarking it had become "cool" for 
hackers to exploit SCADA vulnerabilities.

"It means we need to do more research but we don=E2=80=99t have this critical 
mass of researchers they do in the US," said Slay.

The Federal Government's approach to SCADA security has been to garner 
industry support through cooperative initiatives such as its Trusted 
Information Sharing Network, a community of practice networks dedicated 
to fostering knowledge-sharing and training between government, industry 
and academia.

But as these groups attempt to bridge knowledge gaps, Craig Scroggie, 
Symantec's senior director for Asia Pacific and Japan said criminals 
that are interested in attacking critical infrastructure can rely on 
well-established networks to acquire knowledge about SCADA 

"The amount of information available on SCADA systems online provides 
such a large amount of information out there for those who want to find 
network vulnerabilities in critical infrastructure. The reality is that 
there is a wide dissemination of hacker tools which allows greater 
number of people to hack these systems," said Scroggie.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 

Site design & layout copyright © 1986-2015 CodeGods