Critical infrastructure vulnerable for next 20 years

The IT security industry is relatively new and the threat from cyberterrorism is yet to be realised, which is why the people in charge of security for Australia's critical infrastructure - such as the power grid and water utilities -- do not have the necessary experience to prepare for such an attack.

Athol Yates, director of the Homeland Security Research Centre, said it will take up to 20 years before organisations develop the required mindset.

"We need a National Information Infrastructure Strategy... It will take 10 to 20 years for the change in mindset to permeate organisations," said Yates.

Andy Solterbeck, general manager of security products in Asia Pacific for Senetas, who also sits on the Information Technology Expert Advisory Group for Critical Infrastructure and Security to the Attorney-General, agreed.

"The people that tend to be in charge of security in the utilities market often from ex-police or ex-military backgrounds and very few have an IT background. IT security is a young industry and this is a generational change issue. Critical infrastructure security will remain weak for a generation," said Solterbeck.

To help improve the mindset and create a plan of action in case of a cyberterrorism attack, the government in January set up GovCERT, which will be the government's Computer Emergency Readiness Team.

Graham Ingram, Director of AusCERT, warned on Wednesday that Australia is lacking a national plan to deal with emergencies in the same way it has a plan in case of a physical attack -- such as a bomb.

"If [a cyberterrorism attack] happened tomorrow, nobody has a clue who does what. My personal view is that that is an area where Australia is lacking. If this is an area where the government can put some effort or resources I would see it as a productive outcome," said Ingram.

A spokesperson from the Attorney General's office said that although Australia is still working on a coordinated national plan, individual organisations are taking the matter seriously and are relatively well prepared.

"We are not totally unprepared. Most businesses will have disaster recovery plans in place... Most organisations will therefore be able to respond to attacks on their systems. The role of GovCERT is to ensure that there will be a co-ordinated response to an attack,' said the spokesperson.

Vulnerable technology
Senetas' Solterbeck warns that Australia's utilities are not only vulnerable because of a lack of security expertise, they are also at risk because some of the technology being used to manage critical infrastructure is "inherently weak".

For example, Solterbeck explained that the main utilities such as the power grid and water plants are controlled using SCADA (Supervisory Control and Data Acquisition), a communications system that allows physical equipment such as power switches and water pumps to be controlled remotely, is "inherently insecure".

"SCADA is designed to be highly robust and scalable but it is inherently insecure. It has been shown again and again and again that if anyone really wanted to, they could hack those systems and shut down the power grid," said Solterbeck.

However, Andreas Tilch, vice chair of the Information Security Interest Group (ISIG), an independent community of security professionals, said that although there are weaknesses in SCADA, it is complex enough to put off all but the most experienced hacker.

"You need some pretty specialised skills to get down to SCADA level. The lower line level -- process level controller -- is where the danger sits. But you need to be a control engineer to understand how it works. A script kiddie couldn't pose a threat," said Tilch.