Open standards security threat ignored: auditor

A senior technology auditor has raised concerns about his profession's awareness of the risks posed by critical infrastructure operators' shift from proprietary systems to open standards-based structures for the management of important tasks.

A senior technology auditor has raised concerns about his profession's awareness of the risks posed by critical infrastructure operators' shift from proprietary systems to open standards-based structures for the management of important tasks.

Certified information systems auditor (CISA) Barry Munns told ZDNet Australia the IT auditing profession had "largely ignored" moves by energy, gas and water utilities to adopt open standards for their telemetry and telecontrol infrastructure, often known as supervisory control and data acquisition (SCADA) systems and the dangers this created. These systems allow remote control or monitoring of infrastructure, such as substations or water pipes.

"There's a bit of a generational change that's happening," Munns said.

"Moving away from fairly closed system, proprietary type structures -- software and operating systems, to more open systems or public type systems. All the risks associated with things like hacking and denial of service, those risks are now very much coming to the fore in SCADA."

Munns has audited such systems for Energy Australia, and recently joined the Australian Nuclear Science and Technology Organisation (ANSTO).

"SCADA telemetry and telecontrol systems are moving towards that open arrangement and that inter-connected kind of model," he said.

"As an IT auditor, it's an area that's largely ignored and generally not known about.

"I think it's an area that doesn't have a great deal of profile in my profession."

While attackers would previously have had to have a high degree of specialised knowledge and sometimes physical access to the critical infrastructure operators' facilities to wreak havoc, now there task was a lot more simple, according to Munns.

"Whereas before you might have had a very much closed system, a proprietary SCADA system that you bought from a company and they gave you all the hardware and software ... and it was very unique to that arrangement.

"Nowadays, you might buy a SCADA system or develop a SCADA system but you might be using Linux as your operating system, you might be using TCP/IP as your communication protocol, you might be using generally available firewall software. So all of a sudden you're using stuff that is common. And because it's common, it's more exposed.

"So whereas before there might've only been a very small number of people who knew about this stuff ... we're actually moving to an area where you don't have to be an insider anymore. That's where the problem arises."

This greatly increased the number of potential attackers, Munns said.

"Often you needed physical access to these things to be able to get up to no good, well that level of security has been done away with as we move towards open standards."

Munns said more organisations needed to adopt IT governance frameworks in order to realise the risks.

"I'd strongly recommend the application of 7799 Information Security standard, in any organisation," he said.

The federal government last year published advice for chief executive officers on SCADA systems, and runs security forums such as the Trusted Information Sharing Network (TISN) to deal with the risks.

Munns declined to comment on Energy Australia's SCADA systems.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All