As readers of this blog may recall, I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form.
There’s a good reason for this, and it’s always been referred to as the “Air Gap” Principle.
But as I also noted previously, companies make business decisions that favor cost savings over systems security on a regular basis.
Recent news reports from Australia indicate that Energy Australia will be deploying “smart” metering device which use WiFi communications to collect consumer energy consumption statistics.
Now, this is not to single out this particular company, but the opportunity presents itself for commentary. There are energy companies in the United States and elsewhere which are making similar business decisions regarding their service infrastructure, and it is somewhat troubling.
According to an article in itWorldCanada, “…The system will transmit power usage and maintenance data from two million digital smart meters across the states of New South Wales and Queensland to a central database over a Wi-Fi and fiber-optic network.”
Notwithstanding the business issues involved, or second-guessing Energy Australia’s assessment of the cost-benefit analysis of this decision, it nonetheless raise some serious security questions with regards to the possibility of denial-of-service attacks, or complete compromise of an associated system (it does happen, and has been documented on several occasions) .
The “Air Gap” principle exists for a reason — real security segmentation. Without proper segmentation, you basically begin to add risk — the security posture of unauthorized access or other cyber shenanigans – enormously. I cannot stress this issue enough.
When you cut corners in the name of cost savings, you will inevitably be victimized by the fickle finger of fate, as the saying goes.
I’m a little unnerved to realize that the systems which deliver my electricity, gas, water, and other basic services are making some very risky decisions when it comes to their infrastructure.
You should probably be worried too. Maybe a little bit. Maybe a lot.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research