http://www.zdnet.com.au/news/security/soa/Knowledge-is-greatest-threat-to-critical-infrastructure/0,130061744,339281010,00.htm By Liam Tung ZDNet Australia 10 August 2007 Australia's critical infrastructure is still under threat due to a shortage of educational resources, according to researchers and security experts. The major concern is security of Supervisory Control and Data Acquisition (SCADA) systems -- the central nervous system for sensors, alarms and switches that provide automated control and monitoring functions for utilities such as water, gas and electricity, as well as large manufacturers. David Shaw, product manager for Verizon Business's security division, said that critical infrastructure operators naturally approach SCADA systems from an engineering perspective, which means there is an emphasis on availability over security. While security standards vary from organisation to organisation, Shaw's greatest concern is not for the technological security of SCADA systems -- encryption or authentication -- but the "soft" measures supporting them. "I am concerned when there is a lack of policy, procedure and personnel training, to be mindful of the fact these old networks are around, to understand what limitations are there," he said. At the inaugural International Federation for Information Processing (IFIP) Critical Infrastructure Protection conference held in New Hampshire in March this year, Jill Slay, a computer forensics specialist at the University of South Australia's Defence and Systems Institute, said Australia needed more stringent audits of SCADA network access, better training and stricter controls over contractors. She welcomed Federal Government initiatives such as the Trusted Information Sharing Network but also warned that at present there were not enough resources to keep the SCADA operators' knowledge of threats and response strategies current. Echoing Shaw's comments, Slay said that engineers who operate SCADA systems lack the "mindset for privacy". "When we go to an electricity utility, the thing that's driving them is 99.99 percent availability so there is not the mind set for privacy. Because they're using simple systems and everything is in real time, if you add auditing or monitoring to the process, it's seen as a waste of resources," Slay said. Slay was amongst the first of a group of Australians to attend a training seminar in Idaho on protecting critical infrastructure, which is part of a knowledge-sharing program between the US and Australian Governments. The threat of terrorism has raised concerns over the security of essential services as SCADA systems have increasingly been opened to TCP/IP protocol corporate networks to improve process automation and visibility of data. Cause for this concern was reaffirmed recently when a security expert from 3Com's security division, Tipping Point, at the Black Hat conference in Las Vegas, demonstrated how a SCADA system flaw could be exploited to cause the system to crash. Slay called the hack "worrying", remarking it had become "cool" for hackers to exploit SCADA vulnerabilities. "It means we need to do more research but we don’t have this critical mass of researchers they do in the US," said Slay. The Federal Government's approach to SCADA security has been to garner industry support through cooperative initiatives such as its Trusted Information Sharing Network, a community of practice networks dedicated to fostering knowledge-sharing and training between government, industry and academia. But as these groups attempt to bridge knowledge gaps, Craig Scroggie, Symantec's senior director for Asia Pacific and Japan said criminals that are interested in attacking critical infrastructure can rely on well-established networks to acquire knowledge about SCADA vulnerabilities. "The amount of information available on SCADA systems online provides such a large amount of information out there for those who want to find network vulnerabilities in critical infrastructure. The reality is that there is a wide dissemination of hacker tools which allows greater number of people to hack these systems," said Scroggie. ____________________________________ Attend HITBSecConf2007 - Malaysia Taking place September 3-6 2007 featuring seven tracks of technical training and a dual-track security conference with keynote speakers Lance Spitzner and Mikko Hypponen! - Book your seats today! http://conference.hitb.org/hitbsecconf2007kl/
This archive was generated by hypermail 2.1.3 : Mon Aug 13 2007 - 00:35:33 PDT