The Victorian Auditor General has wrapped up its investigation into SCADA security in the transport and water sectors down south.
It found major problems that will surprise absolutely no one. In short, four out of five of the installations examined were nightmarishly insecure. It also found a real lack of awareness among the operators of critical infrastructure that they even have a problem.
A lack of security understanding was on display in New Zealand recently when a spokesperson for Mighty River Power proclaimed the installation was immune to the Stuxnet malware because "we don't run Windows 2000... which we understand is the doorway for the virus".
I'd guess that in some cases more effort is put into securing billing websites for electricity providers than into securing the infrastructure itself, and this report seems to bear that out.
Most pros in the information security industry has known about these problems for a long, long time, but it's great to see them getting some attention at government level.
You can download the PDF from this page here.
It makes for fascinating reading. The text has an interesting feel and tone to it -- a mixture of disbelief and panic shine through.
I tried getting someone from the auditor general's office to chat with Risky.Biz, but the office has a policy of not commenting on reports.
The office and its staff are shielded from defamation action when writing official reports, but any commentary to the media is not protected.
The timing of all this is borderline freaky in light of all this Stuxnet hoo-ha.
Anyway, have a read yourselves and tell us what you think by commenting here.
