Saturday, March 12, 2005

The SCADA Cyberterror Beat-Up

One of the more irritating habits of the IT industry in Australia is that US vendors believe they can ship American assumptions over to Australia and apply them, pretty much without adjustment, to their view of the Australian market (analysts do this as well. I well recall that in the 90s, a Gartner analyst told Australians with a straight face that ADSL was no good because it didn't work well on phone lines strung between poles. He apparently didn't travel far enough from the CBD to observe that Australia's phone lines are underground).

This week I noticed that ISS is talking up the dangers to SCADA systems (that is, the industrial control systems which take care of things like power stations, water and gas). It found a ready audience in the Australian here:

""We are going to see a serious outage because of a SCADA attack this year," he says. "It's not a matter of if, it's just a matter of when."

The threat arises because SCADA systems are increasingly being integrated with other business systems over the internet and through wireless technologies."

Well, I'm going to disagree with ISS's local MD, Kim Davies on this one.

First, when utilities in Australia integrate SCADA with business systems, they don't do so over the Internet.

Second, when utilities decide to replace the copper (which they overwhelmingly own themselves, avoiding wherever possible even using leased lines from Telstra), they're doing so by installing their own fibre.

Examples of this include Powercor in Victoria, Ergon in Queensland, and others really too numerous to mention. One of the reasons people keep putting forward utilities as competitors to Telstra is because they already own infrastructure. They're not using the bloody Internet.

Really.

Wireless is another matter. There has been a growth, away from the cities, in small utilities, at the local level, using wireless systems to connect up small plant. But even if that's a vulnerability, it's not the Big Scary Cyberterror that the security people are talking up. The effects are local and manageable.

And those wireless systems are probably not Internet-integrated.

Is there an issue with SCADA? Yes, and quite a straightforward one. If you're going to update the SCADA system, you should ignore what the vendors, snake-oilers and Internet-integrator-sales reps tell you, and keep them on private networks. Forever.

Well, that wasn't so tough, was it?

So why beat-up the SCADA story? Well, you see, there is a special working party set up in the government to look at SCADA (it's holding meetings later this year). Critical infrastructure has heavy government involvement. Vendors see the infrastructure sector as a huge untapped market for stuff like firewalls. And the ministerial advisers generally have a very thin understanding of technology.

If, for example, you tell them that you're using IP, they will understand this to mean the Internet, whether or not there is any Internet connection in existence.

In other words, the vendor community ever since 911 has seen the infrastructure sector as a feast, if only they can get invited to the party.

Beating up a story in the Oz is a pretty good way to get things moving...

Tuesday, March 08, 2005

Keeping the Industry's Secrets

When a segment of the media gets too close to its industry, you get some strange outcomes. One of those is that the press tries to respect the secrets of the industry, instead of trying to uncover and report them.

Over the last 24 hours, the wires have started lighting up with reports of a new malware, Serchmeup, which downloads a slew of exploits into the target machine. The journalists don't notice that the name given by virus experts is the same as another malware that's been around for more than a year, which is bound to create confusion, but that's trivial.

What's not trivial is this: Searchmeup infects users who visit a malicious Website. In other words, the attacker has a URL with a public face, which exists only to slap users with the dangerous download. That site - or those sites - also have IP addresses and registrations and all the other details assocated with hosting a Web site.

So what do the journalists tell us about the sites which are distributing Searchmeup?

Nothing. Not a sausage. Not a single word. They're respecting the secrets of the sources; for some reason, the antivirus companies want to distribute the warning about Searchmeup without telling people where it is so they can stay away.

Even a little curiousity would have been nice to see.

Sunday, March 06, 2005

Correlation Equals Cause

VoIP is one of those hot-button technologies. All you have to do is stick it in a press release, and the media's critical facilities go out the window. Instead, the hacks and proxy publicists will not only run with the press release, they'll also run up a heap of bromides inserted into the stories using the Disruptive Technologies Phrase Grabber.

Hence when Telstra (Australia's incumbent telco) said it's trialling a consumer VoIP service, the press in Australia went nuts. But in seeking to wrap their own commentary around the story, the flacks also tossed reality out the window.

For example:
"The announcement comes as existing VoIP products from relatively small telecommunications players begin to proliferate and eat into Telstra's PSTN voice calls market. Telstra's revenue from fixed line voice calls has been on a steady decline for some time, while its broadband revenue continues to grow." (here).
(My emphasis.)

Stan Beer goes on that:

"In addition to voice over broadband, Telstra plans to offer users enhanced VoIP services such as click-to-call, email notification of voice mail, a self service web interface for management of calls and functions and multimedia services such as video conferencing."

In the normal course of events I don't expect great technical accuracy in how media reports telecomms. But since the Beer Files bills itself as the "most informative" source, let's go hog wild. Voice-over-broadband is not identical to Voice-over-IP, since you can deliver a PSTN service on a broadband connection (as Optus can be argued is doing with voice on its HFC network, or in the business space as PowerTel definitely does with Voice-over-DSL).

Most VoIP services, which Beer says are offered by "small telecommunications players", are arguing long-and-hard to convince the world that they're not telcos. And most of the "enhanced VoIP services" he lists are not specific to VoIP (although I can't blame a journalist for believing years of inaccurate puffery). They are CTI - computer telephony integration - functions, and can be done on non-VoIP environments.

But the howler is in the assumption that Telstra's revenues are already suffering at the hands of VoIP.

Note, by the way, the contradiction in the author's remark: although the VoIP market is a new phenomenon, PSTN revenues have been falling "for some time".

Let's grab Telstra's last results announcement: did the PSTN call revenues fall?

Yes.

Have they been flat or falling for some time?

Yes.

Has VoIP been a competitive market long enough to explain this?

Yeah, right.

The PSTN decline predates the VoIP revolution. The usual explanation is "mobile substitution", and it's no coincidence that mobile revenues are growing faster (up $156 million last half-year) than PSTN call revenues are falling (down $89 million in the same period).

It's fine to think that VoIP is a future threat. To treat it as a phenomenon that's already on the Telstra balance sheet? I doubt it.