More cooperation is needed between government and industry on critical infrastructure protection (CPI), according to analysts.
“I don’t think government and industry have learnt to share information," Gartner research director, Rob McMillian, told Computerworld Australia. "Ninety per cent of critical infrastructure is held in commercial hands. That means it is up to industry to decide how to protect that infrastructure. It’s your own commercial requirements that lead you to protect your kit.”
He said if government wants to work with industry, there needs to be a joint understanding of the economics behind this in terms of risk.
A recent Symantec survey found 93 per cent of Australian industry respondents were engaged with CPI programmes and were willing to work with government on them.
“Industry will be looking for some guarantees about information sharing and where that information goes to," McMillian said. "We’ve got some scope there but we still have to figure out a way forward.”
McMillian also said he was surprised to see comments from the Attorney-General department assistant secretary, Mike Rothery, in the Sydney Morning Herald that businesses would have to defend themselves if a cyber attack hit Australia.
Rothery was quoted as saying the government struggles to defend its own systems, despite the opening of a Cyber Security Operations Centre in Canberra. The government has also created a Computer Emergency Response Team (CERT) to help with cyber attacks.
“If it’s in private hands, than the ball is in the government's court to outline what they can bring to the table. CERT Australia will need to make sure it offers a value proposition when an incident takes place.”
The Symantec survey, which drew responses from industries such as finance and IT, also revealed that 79 per cent of local respondents said they had started engaging on CPI less than a year ago.
A recent report from the Victorian auditor-general also found the Supervisory Control and Data Acquisition (SCADA) systems at key Victorian infrastructure remained vulnerable to attack and subversion.
Asia Pacific vice president and managing director Craig Scroggie said this is because there have been more reports of cyber terrorism.
“We’ve observed the Stuxnet worm attack on an Iranian nuclear power plant in September," he said. "The potential for significant and large scale harm by taking control of a power plant is quite scary.”
McMillian said although these types of attacks are not new, they are likely to increase in the future.
"That's why critical industries such as water and power companies need to start CPI programmes."