Australasian Mining Review, Spring 2011 (issue 2.2)

Issue link: http://ebook.aprs.com.au/i/37922

Can you afford to ignore information security?

There have been a number of high profile IT security incidents and data breaches reported in the Australian media in 2011. This is a clear reminder to us all that no business, or industry, should believe that it is not vulnerable to a targeted and sustained cyber-attack. For the mining and resources industry the IT security challenge is twofold. Appropriate security and risk management practices are necessary to protect the confidentiality, integrity and availability of both the enterprise computer systems and the SCADA (Supervisory Control and Data Acquisition) environment.

There is substantial evidence that targeted security attacks on Australian networks are on the rise and becoming more sophisticated; in Sense of Security's experience this is equally true for the private and public sectors. In support of our view, a defence department spokesman recently highlighted this point and warned that Australia was experiencing increasingly sophisticated attempts to infiltrate networks in the public and private sectors. From January 2010 to January 2011 there were 405 cyber incidents, an increase from 220 in the previous year, Department of Defence figures show.

How is the government helping the Australian business community deal with the issue? Systems of national interest go beyond our electricity grids, water supply, transport and telecommunications; they include networks of high economic value, including the ICT systems that support the Australian mining sector's operational activities. The Attorney General's Department is responsible for Australia's CERT (Computer Emergency Response Team) function. CERT Australia is the source of cyber security information for the Australian community and provides valuable cyber security guidance to owners and operators of critical infrastructure and other businesses of national interest.

Whilst this guidance is welcomed by the mining and resources sector, it is recognised that the security of their ICT infrastructure is ultimately the responsibility of each company. In a recent article published on ZDNet.com.au, the first assistant secretary for the National Security Resilience Policy Division, Mike Rothery, stated that government officials will respond to attacks based on the individual nature of each problem, rather than use a blanket defence. He went on to say, "To be honest, we struggle to defend our own systems from the current threats — the idea that we can extend the envelope to protect the mining industry's SCADA or the banking industry just doesn't fly."

So where does this leave the mining sector? The reality is that information security is a business issue, not an IT one; the implications of a security incident can be very serious. These could include financial loss caused by operational downtime, reputation and brand damage, loss of intellectual property, and possible exposure to legal risk. There is certainly room for improvement for many organisations in the way they adopt and implement their information security and risk management practices. For some, information security is not part of the company culture and at best is dealt with in a haphazard and uncoordinated manner. In today's environment this uncoordinated approach to security certainly works in favour of the attacker.

Information security strategies need to reflect the organisation's risk profile. Even within the mining sector, an organisation's security needs may differ from those of its industry peers. The strategy should define controls that are operationally practical and supportive of the business.

Practical steps to establishing an information security and risk management strategy

• Get the buy-in from senior management; executive support is critical to a successful information security strategy and program.
• Perform an information risk assessment across the entire enterprise, including the SCADA environment. The risk assessment should establish how IT systems and information assets are used by employees, customers and third party suppliers, and in turn determine the likelihood and business impact of a security incident. Assign a risk classification to each system and asset according to the assessment findings.
• Develop an information security management framework to govern the security architecture; select appropriate controls to treat the risk classification of each information system and asset.
• Follow the rule of least privilege when assigning user access rights to computer systems and information assets; this includes your IT administrators.
• Educate your staff on information security and acceptable use of company information assets. It is critical that all employees understand the important role that they play in keeping the company's IT systems and information assets secure and operational.
• Implement and maintain security at all stages of ICT programs and projects.

By Neville Gollan of Sense of Security, nevilleg@senseofsecurity.com.au
Sense of Security Pty Ltd, www.senseofsecurity.com.au, 1300-922-923

[IT Security and Risk Management]
