The power of hands-on exercises in SCADA cyber security education

For decades Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) have used computers to monitor and control physical processes in many critical industries, including electricity generation, gas pipelines, water distribution, waste treatment, communications and transportation. Increasingly these systems are interconnected with corporate networks via the Internet, making them vulnerable and exposed to the same risks as those experiencing cyber-attacks on a conventional network. Very often SCADA networks services are viewed as a specialty subject, more relevant to engineers than standard IT personnel. Educators from two Australian universities have recognised these cultural issues and highlighted the gap between specialists with SCADA systems engineering skills and the specialists in network security with IT background. This paper describes a learning approach designed to help students to bridge this gap, gain theoretical knowledge of SCADA systems' vulnerabilities to cyber-attacks via experiential learning and acquire practical skills through actively participating in hands-on exercises.

It's just an old apron : aprons, artefacts and art - representations of personal and private 'her-stories', as public histories

This paper examines art and artefact in the representation and recollection of deeply personal WWII women’s experiences as POW’s under the Japanese. This kind of treatment of internees in the Tjideng Women and Children’s internment camp (and others) in Batavia under the Japanese in WWII, stands in stark and brutal contrast to the idyllic life lived by many families up to that time in what was then known as the Dutch East Indies (Indonesia). The deprivation and brutality of the Japanese incarceration of these women and children evoked responses - not military, but certainly militant, if muted. Representations of those responses – as both art and artefact - may be found in the most unlikely places and unexpected forms - and are still being unearthed to this day. However close we might personally be to these artists and artisans, can we, as observers from a distance, ever truly comprehend through spoken or written words alone, the day-today realities of those extraordinary times?

Can water security be achieved in the urban environment through the implementation of the Neo Institutional theory government regulation and legislation?

The research seeks to address the current global water crisis and the built environments effect on the increasing demand for sustainability and water security. The fundamental question in determining the correct approach for water security in the built environment is whether government regulation and legislation could provide the framework for sustainable development and the conscious shift providing that change is the only perceivable option, there is no alternative. This article will attempt to analyse the value of the neo institutional theory as a method for directing individuals and companies to conform to water saving techniques. As is highlighted throughout the article, it will be investigated whether an incentive verse punishment approach to government legislations and regulations would provide the framework required to ensure water security within the built environment. Individuals and companies make certain choices or perform certain actions not because they fear punishment or attempt to conform; neither do they do so because an action is appropriate or feels some sort of social obligation. Instead, the cognitive element of neo institutionalism suggests that individuals make certain choices because they can conceive no alternative. The research seeks to identify whether sustainability and water security can become integrated into all aspects of design and architecture through the perception that 'there is no alternative.' This report seeks to address the omission of water security in the built environment by reporting on a series of investigations, interviews, literature reviews, exemplars and statistics relating to the built environment and the potential for increased water security. The results and analysis support the conclusions that through the support of government and local council, sustainability in the built environment could be achieved and become common practice for developments. Highlighted is the approach required for water management systems integration into the built environment and how these can be developed and maintained effectively between cities, states, countries and cultures.

A security system based on human iris identification using wavelet transform

A security system based on the recognition of the iris of human eyes using the wavelet transform is presented. The zero-crossings of the wavelet transform are used to extract the unique features obtained from the grey-level profiles of the iris. The recognition process is performed in two stages. The first stage consists of building a one-dimensional representation of the grey-level profiles of the iris, followed by obtaining the wavelet transform zerocrossings of the resulting representation. The second stage is the matching procedure for iris recognition. The proposed approach uses only a few selected intermediate resolution levels for matching, thus making it computationally efficient as well as less sensitive to noise and quantisation errors. A normalisation process is implemented to compensate for size variations due to the possible changes in the camera-to-face distance. The technique has been tested on real images in both noise-free and noisy conditions. The technique is being investigated for real-time implementation, as a stand-alone system, for access control to high-security areas.

Urban Food Security, Urban Resilience and Climate Change

The growing importance of logistics in increasingly globalised production and consumption systems strengthens the case for explicit consideration of the climate risks that may impact on the operation of ports in the future, as well as the formulation of adaptation responses that act to enhance their resilience. Within a logistics chain, seaports are functional nodes of significant strategic importance, and are considered as critical gateways linking local and national supply chains to global markets. However, they are more likely to be exposed to vagaries of climate-related extreme events due to their coastal locations. As such, they need to be adaptive and respond to the projected impacts of climate change, in particular extreme weather events. These impacts are especially important in the logistics context as they could result in varying degrees of business interruption; including business closure in the worst case scenario. Since trans-shipment of freight for both the import and export of goods and raw materials has a significant impact on Australia’s sustained economic growth it was considered important to undertake a study of port functional assets, to assess their vulnerability to climate change, to model the potential impacts of climate-related extreme events, and to highlight possible adaptation responses.

Food security in Australia in an era of neoliberalism, productivism and climate change

For over 150 years Australia has exported bulk, undifferentiated, commodities such as wool, wheat, meat and sugar to the UK and more recently to Japan, Korea, and the Middle East. It is estimated that, each year, Australia's farming system feeds a domestic population of some 22 million people, while exporting enough food to feed another 40 million. With the Australian population expected to double in the next 40 years, and with the anticipated growth in the world's population to reach a level of some 9 billion (from its present level of 7 billion) in the same period, there are strong incentives for an expansion of food production in Australia. Neoliberal settings are encouraging this expansion at the same time as they are facilitating importation of foods, higher levels of foreign direct investment and the commoditisation of resources (such as water). Yet, expansion in food production – and in an era of climate change – will continue to compromise the environment. After discussing Australia's neoliberal framework and its relation to farming, this paper outlines how Australia is attempting to address the issue of food security. It argues that productivist farming approaches that are favoured by both industry and government are proving incapable of bringing about long-term production outcomes that will guarantee national food security.

New paradigms for password security

For the past several decades, cryptographers have consistently provided us with stronger and more capable primitives and protocols that have found many applications in security systems in everyday life. One of the central tenets of cryptographic design is that, whereas a system’s architecture ought to be public and open to scrutiny, the keys on which it depends — long, utterly random, unique strings of bits — will be perfectly preserved by their owner, and yet nominally inaccessible to foes.

Cyber security of networked critical infrastructures [Guest Editorial]

A new era of cyber warfare has appeared on the horizon with the discovery and detection of Stuxnet. Allegedly planned, designed, and created by the United States and Israel, Stuxnet is considered the first known cyber weapon to attack an adversary state. Stuxnet's discovery put a lot of attention on the outdated and obsolete security of critical infrastructure. It became very apparent that electronic devices that are used to control and operate critical infrastructure like programmable logic controllers (PLCs) or supervisory control and data acquisition (SCADA) systems lack very basic security and protection measures. Part of that is due to the fact that when these devices were designed, the idea of exposing them to the Internet was not in mind. However, now with this exposure, these devices and systems are considered easy prey to adversaries.

Security evaluation of Rakaposhi Stream Cipher

Rakaposhi is a synchronous stream cipher, which uses three main components: a non-linear feedback shift register (NLFSR), a dynamic linear feedback shift register (DLFSR) and a non-linear filtering function (NLF). NLFSR consists of 128 bits and is initialised by the secret key K. DLFSR holds 192 bits and is initialised by an initial vector (IV). NLF takes 8-bit inputs and returns a single output bit. The work identifies weaknesses and properties of the cipher. The main observation is that the initialisation procedure has the so-called sliding property. The property can be used to launch distinguishing and key recovery attacks. The distinguisher needs four observations of the related (K,IV) pairs. The key recovery algorithm allows to discover the secret key K after observing 29 pairs of (K,IV). Based on the proposed related-key attack, the number of related (K,IV) pairs is 2(128 + 192)/4 pairs. Further the cipher is studied when the registers enter short cycles. When NLFSR is set to all ones, then the cipher degenerates to a linear feedback shift register with a non-linear filter. Consequently, the initial state (and Secret Key and IV) can be recovered with complexity 263.87. If DLFSR is set to all zeros, then NLF reduces to a low non-linearity filter function. As the result, the cipher is insecure allowing the adversary to distinguish it from a random cipher after 217 observations of keystream bits. There is also the key recovery algorithm that allows to find the secret key with complexity 2 54.

Active security in multiparty computation over black-box groups

Most previous work on unconditionally secure multiparty computation has focused on computing over a finite field (or ring). Multiparty computation over other algebraic structures has not received much attention, but is an interesting topic whose study may provide new and improved tools for certain applications. At CRYPTO 2007, Desmedt et al introduced a construction for a passive-secure multiparty multiplication protocol for black-box groups, reducing it to a certain graph coloring problem, leaving as an open problem to achieve security against active attacks. We present the first n-party protocol for unconditionally secure multiparty computation over a black-box group which is secure under an active attack model, tolerating any adversary structure Δ satisfying the Q 3 property (in which no union of three subsets from Δ covers the whole player set), which is known to be necessary for achieving security in the active setting. Our protocol uses Maurer’s Verifiable Secret Sharing (VSS) but preserves the essential simplicity of the graph-based approach of Desmedt et al, which avoids each shareholder having to rerun the full VSS protocol after each local computation. A corollary of our result is a new active-secure protocol for general multiparty computation of an arbitrary Boolean circuit.

On the (in)security of IDEA in various hashing modes

In this article, we study the security of the IDEA block cipher when it is used in various simple-length or double-length hashing modes. Even though this cipher is still considered as secure, we show that one should avoid its use as internal primitive for block cipher based hashing. In particular, we are able to generate instantaneously free-start collisions for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions in practical complexity. This work shows a practical example of the gap that exists between secret-key and known or chosen-key security for block ciphers. Moreover, we also settle the 20-year-old standing open question concerning the security of the Abreast-DM and Tandem-DM double-length compression functions, originally invented to be instantiated with IDEA. Our attacks have been verified experimentally and work even for strengthened versions of IDEA with any number of rounds.

Privacy enhancements for hardware-based security modules

The increasing growth in the use of Hardware Security Modules (HSMs) towards identification and authentication of a security endpoint have raised numerous privacy and security concerns. HSMs have the ability to tie a system or an object, along with its users to the physical world. However, this enables tracking of the user and/or an object associated with the HSM. Current systems do not adequately address the privacy needs and as such are susceptible to various attacks. In this work, we analyse various security and privacy concerns that arise when deploying such hardware security modules and propose a system that allow users to create pseudonyms from a trusted master public-secret key pair. The proposed system is based on the intractability of factoring and finding square roots of a quadratic residue modulo a composite number, where the composite number is a product of two large primes. Along with the standard notion of protecting privacy of an user, the proposed system offers colligation between seemingly independent pseudonyms. This new property when combined with HSMs that store the master secret key is extremely beneficial to a user, as it offers a convenient way to generate a large number of pseudonyms using relatively small storage requirements.

On the security of PAS (predicate-based authentication service)

Recently a new human authentication scheme called PAS (predicate-based authentication service) was proposed, which does not require the assistance of any supplementary device. The main security claim of PAS is to resist passive adversaries who can observe the whole authentication session between the human user and the remote server. In this paper we show that PAS is insecure against both brute force attack and a probabilistic attack. In particular, we show that its security against brute force attack was strongly overestimated. Furthermore, we introduce a probabilistic attack, which can break part of the password even with a very small number of observed authentication sessions. Although the proposed attack cannot completely break the password, it can downgrade the PAS system to a much weaker system similar to common OTP (one-time password) systems.

IT governance stability in a political changing environment : exploring potential impacts in the public sector

Public sector organisations (PSOs) operate in information-intensive environments often within operational contexts where efficiency is a goal. What's more, the rapid adoption of IT is expected to facilitate good governance within public sector organisations but it often clashes with the bureaucratic culture of these organisations. Accordingly, models such as IT Governance (ITG) and government reform -in particular the new public management (NPM)- were introduced in PSOs in an effort to address the inefficiencies of bureaucracy and under performance. This work explores the potential effect of change in political direction and policy on the stability of IT governance in Australian public sector organisations. The aim of this paper is to examine implications of a change of government and the resulting political environment on the effectiveness of the audit function of ITG. The empirical data discussed here indicate that a number of aspects of audit functionality were negatively affected by change in political direction and resultant policy changes. The results indicate a perceived decline in capacity and capability which in turn disrupts the stability of IT governance systems in public sector organisations.

Airports of the future : improving operation, security and experience

The final report for the ARC project "Airports of the Future". It contains the findings and recommendations provided by the various teams to the industry partners.