Published on the 09/08/2016 | Written by Beverley Head
Disclosure of industrial systems security breaches should be mandated…
Getting a handle on the number of SCADA (supervisory control and data acquisition) systems that have been compromised is challenging. While disclosure of personal data breaches is mandated in some countries, and is likely to be in Australia in the future, industrial systems breaches are even more difficult to track.
Dell’s 2015 security report suggested that there had been a doubling of SCADA attacks in the previous 12 months – but also noted that such breaches often go unreported, despite the fact that they can bring industrial networks to their knees.
Jeroen De Corel, a security architect and SCADA specialist from Check Point Software Technologies, has been visiting Australia and New Zealand this month and said that “in an ideal world” industrial corporations should be mandated to reveal when their systems had been breached, as ultimately it could lead to a more secure environment.
The challenge for IT managers, who typically have oversight of information and communications security, is that SCADA systems tend to come under the aegis of operational managers. De Corel lamented this still very siloed approach to overall enterprise security.
He, like Gartner, recommends that IT and OT work more closely together in industrial organisations. At present, he said, they had different priorities, with OT “focused on production and uptime, while IT is all about protecting the users.”
Another disconnect was the lifespan of operational equipment compared to IT, he said. While many IT systems were written off and replaced after five years, some operational technology could be deployed for up to 15 years – with some systems in situ since before the Stuxnet virus, which attacked SCADA systems, was first identified.
And he said that security remained a low priority for OT managers, who may have a maintenance window of one day a year, which meant security was relegated way below keeping the equipment in service for another year.
Asked about the potential impact of the Internet of Things, which could send data feeds to SCADA systems, De Corel said that at present IoT deployments were mainly in the consumer rather than industrial space. However, he said that should enterprises wish to connect IoT devices to industrial networks, they should do so over a secure network with information encrypted.
Separately, Trustwave has this week warned that in the race to launch IoT devices, security is also taking a back seat. It has identified a WiFi-connected home thermostat which has a gaping security hole allowing people to access usage data, which could provide burglars with a useful schedule of when people will and won’t be at home.