Attorney-General rules out SCADA security regulations
- 25 October, 2010 10:37
The Federal Attorney-General’s Department has ruled out regulation of security standards for supervisory control and data acquisition (SCADA) systems for critical infrastructure, despite a mounting threat landscape.
It is believed that while the department is in conversation with members of the SCADA security community, security regulation is currently not under active consideration and may not be reviewed for a further two years.
The Attorney-General's Department's refusal comes after a scathing report released earlier this month by the Victorian Auditor-General into critical infrastructure systems found security and government oversight both lacking. The 56-page report (PDF) stated most critical infrastructure operators did not have fully compliant risk management frameworks, and recommended the State Department of Sustainability and Environment, and the Department of Transport both establish ICT security teams to properly oversee and advise on security and risk within utilities.
The Federal Attorney-General’s department currently facilitates a SCADA community of interest comprising IT security managers at critical utilities as part of the department-led Trusted Information Sharing Network for Critical Infrastructure Resilience. It also provides best practice frameworks and advice on potential mitigation strategies for security on critical infrastructure networks, as well as additional advice for relevant personnel on security risks of the networks. However, the department does not currently regulate certain standards for such security.
One IT security manager present at the last community event held earlier in the month told Computerworld Australia the SCADA community was receptive to the notion of security regulation along similar lines as the Payment Card Industry (PCI) security standards mandated for credit and debit card transactions in the financial and retail industries. However, he said not enough was being done at a government level to ensure these standards were developed and implemented in time to prevent a local version of the Stuxnet worm.
“We have not been attacked but it’s just a matter of time,” he said. “We haven’t got that tension yet, but we are so vulnerable from a SCADA perspective and we haven’t actually talked about it.
“We definitely need something from the government to push critical infrastructure, mandate them to have security structures in place, to spend money and ensure that if they don’t meet certain requirements, they get fined.”
However, he said, the department remained apprehensive to community concerns.
Fears among IT security managers that Stuxnet malware could be repeated at local critical infrastructure have persisted. The malware, first noticed in June, spread globally but was best known for infecting some 30,000 computers at Iranian critical infrastructure, including a nuclear reactor. The worm is believed to have originated from a USB drive plugged into a computer on critical infrastructure, highlighting the current gaps in endpoint security at such locations.
Looming smart grid projects, such as the $100 million Smart Grid, Smart City trial currently being rolled out by Energy Australia across NSW, have also been flagged as potential security threats. It is believed vulnerabilities in the home area networks used to connect smart meters back to the utility could mean viruses other than Stuxnet are transmitted from vulnerable home computers, rather than from inside utilities.
Nevertheless, current SCADA systems, which at some locations remain connected to organisation wide area networks for remote connectivity, remain a sore point for critical infrastructure security managers.
Stuxnet may provide the wake-up call for government regarding threats to critical infrastructure.
Sydney Water tendered for a new SCADA system in June, while Yarra Trams picked a Logica-supplied control system last year following a four-year search.
- Victorian Auditor-General report: Security of Infrastructure Control Systems for Water and Transport (PDF)
- Iran confirms massive Stuxnet infection of industrial systems
- Updated: NSW to pilot $100 million smart grid project
- Smart grid security: Critical success factors
- Sydney Water begins SCADA upgrade
- Yarra Trams finally settles on supply control system