The Federal Attorney-General’s Department has ruled out regulation of security standards for supervisory control and data acquisition (SCADA) systems for critical infrastructure, despite a mounting threat landscape.
It is believed that while the department is in conversation with members of the SCADA security community, security regulation is currently not under active consideration and may not be reviewed for a further two years.
The Attorney-General’s Department’s refusal comes after a scathing report released earlier this month by the Victorian Auditor-General into critical infrastructure systems found both security and government oversight lacking. The 56-page report (PDF) stated most critical infrastructure operators did not have fully compliant risk management frameworks, and recommended that the State Department of Sustainability and Environment and the Department of Transport both establish ICT security teams to properly oversee and advise on security and risk within utilities.
The Federal Attorney-General’s Department currently facilitates a SCADA community of interest comprising IT security managers at critical utilities as part of the department-led Trusted Information Sharing Network for Critical Infrastructure Resilience. It also provides best practice frameworks and advice on potential mitigation strategies for securing critical infrastructure networks, as well as additional advice for relevant personnel on the security risks of those networks. However, the department does not currently regulate any security standards for such systems.
One IT security manager present at the last community event, held earlier in the month, told Computerworld Australia the SCADA community was receptive to the notion of security regulation along similar lines to the Payment Card Industry (PCI) security standards mandated for credit and debit card transactions in the financial and retail industries. However, he said not enough was being done at a government level to ensure such standards were developed and implemented in time to prevent a local version of the Stuxnet worm.
“We have not been attacked but it’s just a matter of time,” he said. “We haven’t got that tension yet, but we are so vulnerable from a SCADA perspective and we haven’t actually talked about it.
“We definitely need something from the government to push critical infrastructure, mandate them to have security structures in place, to spend money and ensure that if they don’t meet certain requirements, they get fined.”
However, he said, the department remained apprehensive about community concerns.
Fears among IT security managers that a Stuxnet-style attack could be repeated at local critical infrastructure persist. The malware, first noticed in June, spread globally but was best known for infecting some 30,000 computers at Iranian critical infrastructure, including a nuclear reactor. The worm is believed to have originated from a USB drive plugged into a computer on critical infrastructure, highlighting the current gaps in endpoint security at such locations.
Looming smart grid projects, such as the $100 million Smart Grid, Smart City trial currently being rolled out by Energy Australia across NSW, have also been flagged as potential security threats. It is believed vulnerabilities in the home area networks used to connect smart meters back to the utility could allow malware other than Stuxnet to enter from vulnerable home computers, rather than from inside the utilities themselves.
Nevertheless, current SCADA systems, which at some locations remain connected to organisations’ wide area networks for remote connectivity, remain a sore point for critical infrastructure security managers.
Stuxnet may provide the wake-up call for government regarding threats to critical infrastructure.