Production control systems used by utilities such as power and water operators were thrust into the spotlight with Stuxnet, but experts at an information security gathering today said the fallout was mixed.
Delegates to the 10th annual AusCERT conference heard that crude worms based on Stuxnet code were on the horizon and likely to target utilities at random. But the attention on the information systems used by utilities may see security improve because it turned up the heat on vendors and utilities to act, said Canadian information security expert Eric Byres.
“Those in the chemical-utility space have been quite good at fixing problems in their systems,” Byres said. “Those utilities are naturally risk-averse.”
Byres, who has researched critical infrastructure security for 20 years, advised utilities using supervisory control and data acquisition (SCADA) systems on how to toughen networks and wrote industry standards.
He said insecure proprietary communication protocols were one of the weakest elements of SCADA systems and fixing the problem required systems to be dissected.
Many SCADA vulnerabilities were blamed on links to external networks. This was the basis for the contested notion of cyberwar, which described scenarios where hackers launched network attacks on SCADA to open dam gates or black out power grids.
But "air gapping", or disconnecting SCADA networks from the outside, was not the answer.
A security chief for a big company who requested anonymity said the benefits of linking SCADA to external networks made the risks worthwhile.
“Air gapping between SCADA and corporate networks isn’t the solution,” he said. “Keeping that link is, in fact, the answer.”
He said such attacks have led to the “death of security through obscurity” and operators must instead harden the most critical elements of SCADA systems.
“You may have created a system that you really love but it might not be worth protecting it if it’s not the most important component.”
At an SC Magazine roundtable held the day before AusCERT began, Byres said Australia's SCADA systems were the strongest in the world against outside attack.