[ISN] Knowledge is greatest threat to critical infrastructure

From: InfoSec News (alerts@private)
Date: Mon Aug 13 2007 - 00:14:45 PDT


http://www.zdnet.com.au/news/security/soa/Knowledge-is-greatest-threat-to-critical-infrastructure/0,130061744,339281010,00.htm

By Liam Tung
ZDNet Australia
10 August 2007 

Australia's critical infrastructure is still under threat due to a 
shortage of educational resources, according to researchers and security 
experts.

The major concern is security of Supervisory Control and Data 
Acquisition (SCADA) systems -- the central nervous system for sensors, 
alarms and switches that provide automated control and monitoring 
functions for utilities such as water, gas and electricity, as well as 
large manufacturers.

David Shaw, product manager for Verizon Business's security division, 
said that critical infrastructure operators naturally approach SCADA 
systems from an engineering perspective, which means there is an 
emphasis on availability over security.

While security standards vary from organisation to organisation, Shaw's 
greatest concern is not for the technological security of SCADA systems 
-- encryption or authentication -- but the "soft" measures supporting 
them.

"I am concerned when there is a lack of policy, procedure and personnel 
training, to be mindful of the fact these old networks are around, to 
understand what limitations are there," he said.

At the inaugural International Federation for Information Processing 
(IFIP) Critical Infrastructure Protection conference held in New 
Hampshire in March this year, Jill Slay, a computer forensics specialist 
at the University of South Australia's Defence and Systems Institute, 
said Australia needed more stringent audits of SCADA network access, 
better training and stricter controls over contractors.

She welcomed Federal Government initiatives such as the Trusted 
Information Sharing Network but also warned that at present there were 
not enough resources to keep the SCADA operators' knowledge of threats 
and response strategies current.

Echoing Shaw's comments, Slay said that engineers who operate SCADA 
systems lack the "mindset for privacy".

"When we go to an electricity utility, the thing that's driving them is 
99.99 percent availability so there is not the mind set for privacy. 
Because they're using simple systems and everything is in real time, if 
you add auditing or monitoring to the process, it's seen as a waste of 
resources," Slay said.

Slay was amongst the first of a group of Australians to attend a 
training seminar in Idaho on protecting critical infrastructure, which 
is part of a knowledge-sharing program between the US and Australian 
Governments.

The threat of terrorism has raised concerns over the security of 
essential services as SCADA systems have increasingly been opened to 
TCP/IP protocol corporate networks to improve process automation and 
visibility of data.

Cause for this concern was reaffirmed recently when a security expert 
from 3Com's security division, Tipping Point, at the Black Hat 
conference in Las Vegas, demonstrated how a SCADA system flaw could be 
exploited to cause the system to crash.

Slay called the hack "worrying", remarking it had become "cool" for 
hackers to exploit SCADA vulnerabilities.

"It means we need to do more research but we don’t have this critical 
mass of researchers they do in the US," said Slay.

The Federal Government's approach to SCADA security has been to garner 
industry support through cooperative initiatives such as its Trusted 
Information Sharing Network, a community of practice networks dedicated 
to fostering knowledge-sharing and training between government, industry 
and academia.

But as these groups attempt to bridge knowledge gaps, Craig Scroggie, 
Symantec's senior director for Asia Pacific and Japan said criminals 
that are interested in attacking critical infrastructure can rely on 
well-established networks to acquire knowledge about SCADA 
vulnerabilities.

"The amount of information available on SCADA systems online provides 
such a large amount of information out there for those who want to find 
network vulnerabilities in critical infrastructure. The reality is that 
there is a wide dissemination of hacker tools which allows greater 
number of people to hack these systems," said Scroggie.



____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Mon Aug 13 2007 - 00:35:33 PDT