SCADA systems in Australia easy target for malware: Security expert

Lack of patching and anti-virus on PCs that run SCADA systems needs addressing, says security consultant

Gas, electricity, water and transport systems controlled by Supervisory Control and Data Acquisition (SCADA) systems are vulnerable to malware infection because of a lack of PC patching and anti-virus programs, according to a security expert.

CQR director of technical assurance, Phil Kernick, told CIO Australia that almost all of the SCADA attacks he has investigated are related to malware infections.

“It’s the same type of malware that the Eastern European bad guys are trying to put on your home PC to steal your banking credentials,” he said. “If it gets into a control network, it sometimes crashes machines.

“Control network PCs need to be running all the time and not just randomly re-boot.”

Kernick said the malware also gets in because of the “porous” interconnection between the control network and the corporate network, staff inserting USB keys into unpatched computers, and contractors connecting their laptops to the network and accidentally unleashing malware into the system.

According to Kernick, an additional problem is that SCADA systems are not run by the corporate IT departments in critical infrastructure companies but by the engineering department.

He said that the engineering and IT departments at critical infrastructure companies needed to “stop throwing rocks at each other” and start working together on SCADA systems.

“Even though these are process control systems they are still made out of IT systems and the best practices such as patching and strong passwords need to be applied.”

He said SCADA system owners should also:

  • Conduct a SCADA security risk assessment, including penetration testing if appropriate, and conduct regular vulnerability testing.

  • Create a SCADA security policy, using a risk-based approach focused on credible threats.

  • Develop governance processes to manage vulnerabilities and actions during security events.

  • Assign SCADA security responsibility to line managers and have performance externally audited.

  • Train staff, especially those in engineering who are usually responsible for the operation of SCADA infrastructure, to be security conscious.

  • Legal obligations: ensure you meet your customers’ increasingly complex legal obligations for cyber security.

  • Business continuity: plan for the worst (including disaster recovery) and design future SCADA systems with security as a key deliverable.

Kernick added that these measures should help critical infrastructure companies avoid having to report a security incident to shareholders.

“If something goes wrong and you have to disclose that information, it will manifestly affect your share price,” he said.

“Therefore, the business has a very good incentive to protect these systems so they don’t have to disclose an attack.”

Follow Hamish Barwick on Twitter: @HamishBarwick