What do the mining industry, logistics, and utilities have in common, apart from being vital to Australia's modern industrial economy? They're the sectors with the least well-developed understanding of managing IT security risk as part of a broader operational and technology risk management process.
Consultations between the Australian government and industry have revealed a patchy security landscape.
"On a scale of one to 10, we saw examples at nine, and examples at one. SCADA [the protocol used by large-scale industrial control systems] is an example where a lot of organisations don't even understand that it's IT," said Mike Rothery, first assistant secretary in the National Security Resilience Policy Division of the Attorney-General's Department, and secretary to the government's Cyber Security Operations Board.
"I've certainly had some discussions with CIOs of utilities who show me their map of their IT environment, and all the controls they have ... and the background checking they do on people that work in the accounts area and the call centre and so forth, and then you say to them, 'There's nothing on here with your SCADA system. Where's your engineering side of it?' 'Oh that's not IT. That's the engineers. That's not a problem, because they're not interconnected'," Rothery told the Gartner Security and Risk Management Summit in Sydney on Monday.
"You've got these two tribes working in the organisation," he said.
They're literally not on the same page.
But they are on the same wire.
"When you go to see the chief engineer, he says, 'Well, they used to not be interconnected, but when they took out all the analogue systems and they needed to put it on an IP-based system, we weren't going to put in a separate IP-based network. We just dumped it onto the corporate network. The CIO doesn't even know it's there'," Rothery said.
"You should see the colour drain from the CIOs."
I'd pay to see that.
This is a familiar story around the world, of course. And it's not justthat get dumped onto corporate networks without proper security controls, either. The same happens with heating, ventilation, and air conditioning (HVAC) systems — indeed, as Rothery reminded us, that's how the bad guys got into Target.
"[It] is a not uncommon scenario in a whole range of companies from the mining industry, logistics, and the utilities — that's probably the area which is probably the least well developed," Rothery said.
The organisations where risk management is well integrated are those where there's a good dialogue between executives and CISOs, based on a common language for the dollar value of risk. Rothery outlined an old-school but sensible framing of analysing risk as being risk to confidentiality, availability, or integrity — to which a modern, privacy-oriented approach might add identifiability, permissions, and pedigree.
In both the government and private sectors, maturity levels in terms of this approach vary a lot.
"The issue is how do we actually accelerate this transformation across government, but also across the whole of the Australian economy," Rothery said.
"While federal government agencies are good at classifying their information, actually valuing their information on risk is still fairly rudimentary ... The service delivery agencies in the Commonwealth, I think, are probably the first movers. The national security agencies — often because they work in air-gapped non-internet-connected systems — are probably in the luxurious position where even assessing the risk in a different way doesn't necessarily change their paradigm. But it's still fairly early days."
As for Australia's vulnerable SCADA systems, there's some good news — at least for now.
"The bad guys are struggling to figure out how to make money out of attacking it," Rothery said. It's merely a "nascent" threat.
"The number of attacks on SCADA systems that everyone agrees have happened is probably in the 15 to 20 mark, compared to other forms of cybercrime and cyber espionage, it's minuscule, but it's just got this huge potential for the vulnerabilities."