
Critical Threats

Too few CIOs have taken the time to investigate and fully understand the operational networks now interconnected with IT - specifically, EMS and SCADA systems.

Few, if any, of the industrial control systems used today were designed with cybersecurity in mind. Meanwhile, Australia's critical information infrastructure has never been more vulnerable . . .

It took no more than a simple engineering error, a software malfunction and a communication failure to cause the largest blackout the world has ever seen - the massive power outage that hit 40 million people in eight US states and 10 million people in Ontario, Canada, on August 14, 2003.

Terrorists, schmerrorists. Bin Laden or his cohorts might have wet dreams about bringing the West to its knees, but it was a failure of the IT folks assigned to fixing the energy management system to speak to the operations folks that helped cost the US and Canadian economies more than $US30,000 million.

And the bad news is, much of both Australia's and the United States's critical infrastructure may be every bit as vulnerable to such happenstance today - let alone concerted terrorist attack - and will remain so as long as CIOs fail to take the time to investigate and fully understand their organizations' vulnerabilities, particularly within the supervisory control and data acquisition (SCADA) and energy management system (EMS) operational networks now interconnected with IT.

So at least says the man who delivered the keynote address at the Geospatial Information & Technology Association's GITA 2004 Conference in Melbourne last August - Dick Lord, CEO of the Steadfast Group. Lord, a member of the US Department of Energy Office of Electric Transmission and Distribution Blackout Forum, says in the past such operational systems worked in isolation. Nowadays they are linked in a variety of ways to the business IT network. "That places them clearly under the purview of the CIO," Lord says. "But how many CIOs have taken the effort and time to grasp an understanding of how those systems work?

"I'm an electrical engineer and I spent much of my earlier career in the SCADA/EMS world. My former operational colleagues don't understand IT any better than IT folks understand SCADA/EMS. We have to remedy that," Lord says.

Infrastructures are inextricably interrelated, Lord points out. If the electricity fails, then reservoir water pumps cease to work. If telecommunications fail then operators in different companies or locations cannot communicate in an emergency. One water company in the US went to great lengths to ensure several sources of water for a city, only to leave itself vulnerable because the pumps were serviced by a single power feed that ran through the desert. And the human effort can undo the best laid critical infrastructure protection plans, as in the case of the US control room that installed complex security at the front door, only to be undone by controllers wedging the back door open so they could go outside to smoke.

When the Russian mafia can reportedly "crash" Telstra's Alice Springs local network, leaving a city of 23,000 people without e-mail for more than five hours in an apparent case of net blackmail - as they did in September - the vulnerabilities should be enough to strike fear into the heart of any self-respecting CIO.

Suddenly, what the Americans have taken to calling homeland security or critical infrastructure protection (CIP) is firmly within the purview of the CIO. Suddenly, says enterprise security firm Symantec CEO John Donovan, the CIO has been elevated to this role of protecting something greater than the IT aspects of the organization.

"I hate to reference September 11, but it's a constant point of reference, in that that was the time when there was this fundamental change in the philosophy over what the role should be for the CIO within organizations," Donovan says. "That was probably the point, even though it didn't actually change the threat landscape, when a lot of organizations saw there was a connection between information security, critical infrastructure and their company.

"And I guess what people realized was the obvious thing: The private sector is actually responsible for greater than 50 percent of the critical infrastructure."

Indeed, many once-public utility networks are now in private hands. The outsourcing of critical infrastructure and mission-critical information services, once solely the responsibility of government, has only heightened the risk. Since Telstra operates an extensive network of coaxial cable, microwave radio, optical fibre, digital radio concentrators, mobile phone cells, submarine cables and submarine fire cables, just about all of Australia's telecommunications interconnect at some point with Telstra's infrastructure. Yet the Senate inquiry into the Australian telecommunications network has pointed to the inherent risk to service standards in the neglect and inevitable decay of that infrastructure. They complain that far from infrastructure protection being an issue, Telstra - which in recent times has seemed intent on reducing capital expenditure and boosting bottom line profits in preparation for privatization - has trouble keeping its services going in heavy rain.
