In Australia, energy delivery company AusNet told an industry conference this week how it has spurned IT/OT convergence in favour of separation.
Speaking at a conference held by the Australian Information Security Association, chief information security officer Babu Srinivas said “the air gap or segregation” between the two also extends to internal networks and operational SCADA systems, which have been caged off from the rest of the company’s IT infrastructure, reports Australian website ITNews.
Mr Srinivas said: “We treat them as being two different networks.”
AusNet’s approach runs counter to current thinking, which favours IT/OT convergence as part of a grid modernisation programme.
Srinivas, however, said the energy delivery services company will not bring the Internet of Things to critical power infrastructure because of its regulatory obligation to protect transmission and distribution assets.
Citing the state of Victoria’s ‘Emergency Management Act 2013’, Srinivas said the legislation contains clear guidelines from the minister in terms of what AusNet’s obligations to the community are as a critical infrastructure operator.
He said: “It’s a good framework, and based on it organisations have to come up with their own frameworks for emergency management.”
IT/OT convergence – legacy systems
Commenting on AusNet’s current SCADA system, Srinivas told the Melbourne-based conference that critical grid infrastructure requires planning for the next 20 years.
He said: “We haven’t done upgrades on these particular devices because the life of these devices is quite long, and innovation in [the SCADA] domain was pretty slow for many of those years.
“But now we’re seeing a lot of action in terms of improving those legacy applications or systems.
“The question is do the security controls meet our requirements, and if not, we need to look at what compensatory controls we need to put in place.”
The chief information security officer cited the example of transformers with built-in web servers where suppliers have in some cases not been fully aware of the related IT risks.
“If we can’t update the web server, then we’ll ring-fence those things, or we won’t use that capability at all, and we’ll dispatch staff to the site to collect the data.
“The newer products that we are getting are more proactive in terms of having better software built into them.”
Victoria smart meter rollout
AusNet has deployed an advanced metering infrastructure system since 2006, along with a smart meter deployment for residential and small business premises, but the company believes this level of IoT connection is manageable.
Srinivas told ITNews: “If there is an issue [with smart meter data], it is contained locally within that community or customer. [If there’s an issue in] the transmission network, those issues are felt widely.”
Where data from operational technology needs to be accessed from outside, Srinivas is keen to make sure the flow of information is in one direction only.
Srinivas said: “How much of that data do you want to expose to the public?
“You need to have a mechanism where the data sits in the DMZ, and if end users manipulate it, the manipulated data can’t come back,” reports ITNews.