From: Science Network Western Australia

A GROUP of WA cyber security professionals have warned Australia’s critical infrastructure is increasingly vulnerable to attack as its systems become digital and more interconnected.

In a paper calling for significant updates to Australian regulations and standards, the four authors wrote that the Industrial Control Systems (ICS) operating critical infrastructure are now widely connected to the internet and lack sufficient safeguards to resist persistent threats.

ICS were historically secured by physical segregation from the internet-connected corporate network and used proprietary software with weaknesses unknown to outsiders.

Now companies are increasingly sharing ICS data with other parts of the network and external stakeholders to increase efficiency and functionality, and using widely available operating systems and applications such as Windows and SQL, which gives would-be hackers a path to attack through.

“Systems which typically rely on security through separation are now connected to the internet, making them just as susceptible,” the authors wrote.

“The change is an inevitable one, and has many distinct advantages, but has produced some security challenges,” co-author and Perth website developer Marc Loney says.

In 2003 a worm shut down the safety monitoring system of a US nuclear power plant for five hours, accessing the system through the unsecured network of an external contractor with a direct connection to the plant’s production network that bypassed its firewall.

Security breaches to ICS could damage critical infrastructure and initiate a catastrophic failure of a power grid, water treatment plant or telecommunications system, as was demonstrated in a 2007 test by Idaho National Laboratories.

The authors wrote there is no way to prevent a hacker from safely shutting down all or part of the system temporarily once they have gained access.

The authors advocated a layered network design that separates ICS from the corporate network with a “demilitarised zone” in the middle, surrounded by firewalls that block all but the most necessary connections, along with different authentication mechanisms for the ICS network and redundant systems as backups, should the primary ones be compromised.
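
The layered design can be checked mechanically against a firewall rule list. The sketch below is an added example, not taken from the paper or from this article; the zone names, rule format and sample rules are constructed assumptions, and rule ordering (an allow shadowed by an earlier deny) is not modelled.

```python
from dataclasses import dataclass

# Assumed zone model: corporate and ICS networks only ever meet in the DMZ.
ZONES = {"internet", "corporate", "dmz", "ics"}

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # zone name or "any"
    dst: str     # zone name or "any"
    port: str    # port number as text, or "any"

def audit(rules):
    """Return findings where a rule list departs from the layered design."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        srcs = ZONES if r.src == "any" else {r.src}
        dsts = ZONES if r.dst == "any" else {r.dst}
        # Any allowed path touching ICS must have the DMZ as its other end.
        for s in sorted(srcs):
            for d in sorted(dsts):
                if s != d and "ics" in (s, d) and "dmz" not in (s, d):
                    findings.append(f"rule {i}: allows {s}->{d}, bypassing the DMZ")
        # "Block all but the most necessary connections": no open port ranges.
        if r.port == "any" and "ics" in srcs | dsts:
            findings.append(f"rule {i}: every port open on a path touching ICS")
    # The rule list must end in an explicit default deny.
    if not rules or rules[-1] != Rule("deny", "any", "any", "any"):
        findings.append("no final deny-all rule")
    return findings

# Constructed sample rule sets.
WEAK = [
    Rule("allow", "corporate", "dmz", "443"),
    Rule("allow", "ics", "dmz", "443"),
    Rule("allow", "corporate", "ics", "3389"),  # direct corporate-to-ICS path
    Rule("allow", "dmz", "ics", "any"),         # unrestricted ports into ICS
]
HARDENED = [
    Rule("allow", "corporate", "dmz", "443"),
    Rule("allow", "ics", "dmz", "443"),
    Rule("deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
    print("hardened findings:", audit(HARDENED))
```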

Australia has no policies or standards specific to the cyber protection of critical infrastructure ICS, instead relying on generic IT security standards.

“Cyber warfare is moving at an incredible pace, and we have not yet seen a commitment from government or critical infrastructure providers that shows they are keeping up,” Mr Loney says.

“The government has an obligation to protect the nation’s critical infrastructure, regardless of whether or not it is government owned or administered… the need for robust regulatory standards and changes in the security culture of organisations making use of ICS has never been more important.”