Saturday, March 12, 2005

The SCADA Cyberterror Beat-Up

One of the more irritating habits of the IT industry in Australia is that US vendors believe they can ship American assumptions over to Australia and apply them, pretty much without adjustment, to their view of the Australian market (analysts do this as well. I well recall that in the 90s, a Gartner analyst told Australians with a straight face that ADSL was no good because it didn't work well on phone lines strung between poles. He apparently didn't travel far enough from the CBD to observe that Australia's phone lines are underground).

This week I noticed that ISS is talking up the dangers to SCADA systems (that is, the industrial control systems which take care of things like power stations, water and gas). It found a ready audience in the Australian here:

""We are going to see a serious outage because of a SCADA attack this year," he says. "It's not a matter of if, it's just a matter of when."

The threat arises because SCADA systems are increasingly being integrated with other business systems over the internet and through wireless technologies."

Well, I'm going to disagree with ISS's local MD, Kim Davies on this one.

First, when utilities in Australia integrate SCADA with business systems, they don't do so over the Internet.

Second, when utilities decide to replace the copper (which they overwhelmingly own themselves, avoiding wherever possible even using leased lines from Telstra), they're doing so by installing their own fibre.

Examples of this include Powercor in Victoria, Ergon in Queensland, and others really too numerous to mention. One of the reasons people keep putting forward utilities as competitors to Telstra is because they already own infrastructure. They're not using the bloody Internet.


Wireless is another matter. There has been a growth, away from the cities, in small utilities, at the local level, using wireless systems to connect up small plant. But even if that's a vulnerability, it's not the Big Scary Cyberterror that the security people are talking up. The effects are local and manageable.

And those wireless systems are probably not Internet-integrated.

Is there an issue with SCADA? Yes, and quite a straightforward one. If you're going to update the SCADA system, you should ignore what the vendors, snake-oilers and Internet-integrator-sales reps tell you, and keep them on private networks. Forever.

Well, that wasn't so tough, was it?

So why beat-up the SCADA story? Well, you see, there is a special working party set up in the government to look at SCADA (it's holding meetings later this year). Critical infrastructure has heavy government involvement. Vendors see the infrastructure sector as a huge untapped market for stuff like firewalls. And the ministerial advisers generally have a very thin understanding of technology.

If, for example, you tell them that you're using IP, they will understand this to mean the Internet, whether or not there is any Internet connection in existence.

In other words, the vendor community ever since 911 has seen the infrastructure sector as a feast, if only they can get invited to the party.

Beating up a story in the Oz is a pretty good way to get things moving...

No comments: