Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Australia's infrastructure vulnerable as control systems remain at risk

  • 12 September, 2007 09:59

<p>Infrastructure essential to Australia's continuing prosperity and stability remains at risk despite the best efforts of data security professionals.</p>
<p>Sectors under threat include agriculture and food, water, public health, emergency services, defence industrial base, telecommunications, energy, transportation, banking and finance, chemical, postal and shipping, and key physical assets such as dams, government facilities and commercial assets.</p>
<p>Recent times have seen a dramatic escalation in risks to the systems that control these critical infrastructures, because conventional data security techniques alone cannot resolve the problems.</p>
<p>The Department of Communications Information Technology and the Arts (DCITA) - working with the Trusted Information Sharing Networks (TISN), the IT Security Expert Advisory Group (ITSEAG) and the Supervisory Control and Data Acquisition (SCADA) Community of Interest (CoI) - is raising awareness of SCADA cyber security issues and promoting industry best practice</p>
<p>In the USA, the Government Accountability Office (GAO) has outlined four areas of concern:</p>
<p>• The adoption of standardised technologies with known vulnerabilities;
• Control networks that are connected to other networks;
• Insecure connections which exacerbate vulnerabilities; and
• Information about infrastructures and control systems that is easily available to the public.</p>
<p>As well as physical safety and security, network security for critical infrastructure is crucial because of reliance on electronic systems for operational control. Yet malfunctions to the industrial control systems in these industries, including faults within programmable logic controllers (PLCs), distributed control systems (DCS), remote terminal units (RTUs) and supervisory control and data acquisition (SCADA) systems can cause safety issues. Ignoring or improperly addressing industrial control system security or robustness risks can result in disruption of critical systems, damage to equipment, and may cause unpredictable operations or failure of critical infrastructure.</p>
<p>Adding existing IP-based security controls such as firewalls, intrusion detection/prevention, antivirus, encryption, authentication, and other related technologies to control systems represents a good first step, but will not always ensure plant safety or security.</p>
<p>The operators of industrial control systems have begun to embrace next-generation tools for testing and analysis that isolates and documents safety concerns - including protocol implementation weaknesses in any IP-based control system. The new protocol testing and measurement systems work by enabling, using, and routinely stressing control system resiliency and security as part of a safety process of continuous improvement, and automate risk by quantification according to the "attack surface" for products or services.</p>
<p>While traditional protection and assessment tools tend to start with a list of known bugs, vulnerabilities, worms and Trojans, criminals out to compromise commercial and government (especially military) networks generate new code and new 'patterns' that deliberately create and exploit new vulnerabilities. So today's new vulnerability is today's unknown vulnerability, or weakness.</p>
<p>The increasing number of intelligent devices appearing in IT laboratories and networks are spawning an exponentially increasing number of potential new weaknesses. Even the daily upgrade of these devices provides an opportunity for a hacker or accidental virus to exploit.</p>
<p>Perhaps it is inevitable that we will continue to play 'catch up' with the perpetrators of computer crime. However, we seem to have been giving them an unnecessary advantage - while they are probing for and creating new vulnerabilities, most infotech professionals appear to assume that all they can do is guard against the sum total of 'known' and therefore 'old' threats. If so, they are assuming a false and dangerous sense of security.</p>
<p>According to IDC Research, security vulnerabilities are a major concern for government, product developer, and service provider organisations. A recent IDC survey shows that although 66% of attacks on enterprises were reported as foiled, more than 40% of survey respondents who knew about attacks reported at least one successful breach of security to their networks.</p>
<p>Fortunately the newly emerging security analysers help to guard against the 'next' vulnerabilities. Major test labs, security consultancies, telcos, large enterprises and vendors such as Motorola and SonicWALL have begun to use these new devices to verify the robustness and security readiness of IP-based products including network equipment, VoIP systems and security gear. Industry leaders including CT Labs, NSS Labs and Ziff Davis test labs have deployed the Mu-4000 Security Analyzer, from pioneering developer Mu Security Inc.</p>
<p>Now available in Australia, the Mu-4000 Security Analyzer is prompting keen interest among the information technology professionals responsible for some of the nation's key infrastructures.</p>
<p>The device reveals industrial control resiliency issues; documents SCADA and process control vulnerabilities; prevents zero-day attacks and network robustness problems; and enables 99.999% continuity of critical services.</p>
<p>IDC Research reports that because vulnerabilities are now exploited within days, hours, or even before formal disclosure, security preparedness is critical. Security analysers are essential for preparedness, as they represent the integration of brains and brawn. Analysers that perform vulnerability testing are helping drive the convergence of the three "S's" - Security, Systems, and Storage.</p>
<p>IDC notes that proactively finding and remediating vulnerabilities is critical for vendors of IT products because the sooner security vulnerabilities are discovered in the product development cycle, the less costly they are to fix. IDC says developers employed by IT product vendors are often overloaded with the growing complexity of products and security management options. Security analysers complement existing engineering efforts and augment already extensive QA frameworks to quickly identify bugs and expedite their remediation using detailed analysis reporting.</p>
<p>The most effective strategy for proactively defeating hackers and maintaining a highly available service is to eliminate attack surface weaknesses before they cause downtime. An effective security analyser will enable end user and service provider networking and operations teams to identify the root cause of these weaknesses and enable a user to provide necessary details to the vendor so they can address these issues.</p>
<p>A good security analyser provides an effective way to search the enormous space of previously unknown attacks against the protocols commonly implemented across enterprise networks. The capability to test any IP-based application or device, including switches, routers, intrusion detection and intrusion prevention devices, and IP-based applications running on servers enables IT organisations to transition from reactive to a proactive operational stance in the critical area of network security and service availability.</p>
<p>The best analysers also provide external analysis capabilities to vastly improve IT and lab staff productivity by optimising existing processes, labour-intensive testing and analysis processes. Finally, the analyser will embody a repeatable and automated published vulnerability auditing framework that can evaluate network infrastructure security enforcement products, ensuring that these devices actually protect the network as promised by vendors.</p>
<p># # #</p>
<p>About In Systems</p>
<p>Australian-owned In Systems ( provides design, planning and operations for IT systems and integrated voice/data networking, helping to maximise business outcomes. The company places a strong focus on data security. Since 1990, the company has delivered successful IT projects across industries such as banking, insurance, telecommunications, defence and education, as well as many small and medium enterprises. Principals and staff share a huge fund of expertise and experience in IT management, voice and data networking design, planning and operation, systems administration and security.</p>
<p>For more information</p>
<p>Peter Long, Director
In Systems Pty Ltd
Phone: (03) 8611 3901 or 0417 857 919

Most Popular