Few, if any, of the industrial control systems used today were designed with cybersecurity in mind. Meanwhile, Australia's critical information infrastructure has never been more vulnerable . . .
It took no more than a simple engineering error, a software malfunction and a communication failure to cause the largest blackout the world has ever seen - the massive power outage that hit 40 million people in eight US states and 10 million people in Ontario, Canada, on August 14, 2003.
Terrorists, schmerrorists. Bin Laden or his cohorts might have wet dreams about bringing the West to its knees, but it was a failure of the IT folks assigned to fixing the energy management system to speak to the operations folks, that helped cost the US and Canadian economies more than $US30,000 million.
And the bad news is, much of both Australia's and the United States's critical infrastructure may be every bit as vulnerable to such happenstance today - let alone concerted terrorist attack - and will remain so as long as CIOs fail to take the time to investigate and fully understand their organizations' vulnerabilities, particularly within the supervisory control and data acquisition (SCADA) and energy management system (EMS) operational networks now interconnected with IT.
So at least says the man who delivered the keynote address at the Geospatial Information & Technology Association's GITA 2004 Conference in Melbourne last August - Dick Lord, CEO of the Steadfast Group. Lord, a member of the US Department of Energy Office of Electric Transmission and Distribution Blackout Forum, says in the past such operational systems worked in isolation. Nowadays they are linked in a variety of ways to the business IT network. "That places them clearly under the purview of the CIO," Lord says. "But how many CIOs have taken the effort and time to grasp an understanding of how those systems work?
"I'm an electrical engineer and I spent much of my earlier career in the SCADA/EMS world. My former operational colleagues don't understand IT any better than IT folks understand SCADA/EMS. We have to remedy that," Lord says.
Infrastructures are inextricably interrelated, Lord points out. If the electricity fails, then reservoir water pumps cease to work. If telecommunications fail then operators in different companies or locations cannot communicate in an emergency. One water company in the US went to great lengths to ensure several sources of water for a city, only to leave itself vulnerable because the pumps were serviced by a single power feed that ran through the desert. And the human effort can undo the best laid critical infrastructure protection plans, as in the case of the US control room that installed complex security at the front door, only to be undone by controllers wedging the back door open so they could go outside to smoke.
When the Russian mafia can reportedly "crash" Telstra's Alice Springs local network, leaving a city of 23,000 people without e-mail for more than five hours in an apparent case of net blackmail - as they did in September - the vulnerabilities should be enough to strike fear into the heart of any self-respecting CIO.
Suddenly, what the Americans have taken to calling homeland security or critical infrastructure protection (CIP) is firmly within the purview of the CIO. Suddenly, says enterprise security firm Symantec CEO John Donovan, the CIO has been elevated to this role of protecting something greater than the IT aspects of the organization.
"I hate to reference September 11, but it's a constant point of reference, in that that was the time when there was this fundamental change in the philosophy over what the role should be for the CIO within organizations," Donovan says. "That was probably the point, even though it didn't actually change the threat landscape, when a lot of organizations saw there was a connection between information security, critical infrastructure and their company.
"And I guess what people realized was the obvious thing: The private sector is actually responsible for greater than 50 percent of the critical infrastructure."
Indeed many once public utility networks are now in private hands. The outsourcing of critical infrastructure and mission critical information services once solely the responsibility of government has only heightened the risk. Since Telstra operates an extensive network of coaxial cable, microwave radio, optical fibre, digital radio concentrators, mobile phone cells, submarine cables and submarine fire cables, just about all of Australia's telecommunications interconnect at some point with Telstra's infrastructure. Yet the Senate inquiry into the Australian telecommunications network has pointed to the inherent risk to service standards in the neglect and inevitable decay of that infrastructure. They complain that far from infrastructure protection being an issue, Telstra - which has seemed to be intent on reducing capital expenditure and boosting bottom line profits in preparation for privatization in recent times - has trouble keeping its services going in heavy rain.