From: Perth Now

By Claire Connelly

AUSTRALIA’S gas, electricity, water and transport computer systems are 20 years out of date and falling victim to cyber attacks daily, IT security experts say.

These critical infrastructure systems are controlled by Supervisory Control And Data Acquisition (SCADA) systems, which can go offline for more than a month without being reported, according to security specialist Phil Kernick.

“At the moment we see these systems failing every day and they just don’t get reported,” Mr Kernick, the chief technology officer at Australia’s largest independent cyber security consultancy CQR, said.

“If something went wrong as there was no requirement to disclose, it makes perfect sense why a company would choose not to talk about it.”

He said while companies may feel safe behind a firewall, they were in fact vulnerable to malware, hackers and viruses.

Mr Kernick called for the Federal Government to implement mandatory disclosure laws, similar to those that exist in the US, as a matter of public accountability and transparency.

The general manager of the Australian Computer Emergency Response Team (AusCERT), Graham Ingram, told news.com.au that attacks by hostile governments, hackers, cyber criminals and “malicious actors” happen almost every day on these systems.

The attacks are what are known as “zero day exploits”, where “researchers” discover vulnerabilities in IT systems and then sell them to an interested party.

The information can be used to develop attack code and send it through the system – usually before the original developers are aware the vulnerability existed.

“The attack code is usually developed within 24 to 48 hours,” Mr Ingram said. “Most big networks cannot patch the flaw within that time frame. They are not fast enough.”

He said that if people’s personal private data has been exposed then companies should be forced to report the breach.

But if it was a matter of transport systems failing, or water systems being poisoned, the actual consequence should be reported rather than how it occurred.

“Some of these systems are so massive that there’s no government agency that could go on to site and determine how these systems should be performing. These systems are far too complex,” he said.

Mr Ingram said that legislation would be a “dead weight” and would do nothing to solve the problem of securing Australia’s critical infrastructure.

He said that companies should only be forced to disclose security breaches if it’s a matter of public interest, but he said the threshold for that was difficult to distinguish.

“It’s too hard to talk about network disclosures,” he said. “What if your server goes down for five minutes? Should you have to report that?”

“There are companies out there who have disclosed security flaws and have gone broke because the share price has gone down.”

A spokesperson for CERT Australia told news.com.au that Mr Kernick’s statistics are not an accurate representation of the security environment.

“Businesses already voluntarily report incidents to CERT Australia, which demonstrates a good level of cooperation and engagement between business and Government.”

The spokesperson also said that CERT Australia works closely with owners and operators of SCADA systems, and funds their annual attendance at advanced SCADA training provided by the Idaho National Laboratories, part of the US Department of Homeland Security.

It is also actively participating in a new SCADA workshop developed by Edith Cowan University in Western Australia.

The CNVA program also assessed a number of network vulnerabilities, and its results led to the formation of a computer emergency response capability, through which CERT Australia was established in 2010.

“Information security is an ongoing issue for business to focus upon,” the spokesperson said.

“The Attorney is aware of concerns around mandatory data breach notification and is currently considering the options available.”

CERT Australia has received notification of more than 5000 incidents in 2012.