School of Computer and Information Science, Security Research Centre, Edith Cowan University, Perth, Western Australia
While it is recognised that corporate and process control networks must be segregated in order to achieve a higher level of security, there is evidence that this is not occurring. Computer and network vulnerability assessments were carried out on three Australian critical infrastructure providers to determine their level of security. The security measures implemented by each organisation have been mapped against best practice recommendations for achieving segregation between process control and corporate networks. One organisation used a model in which a dedicated information security team provided security for the process control networks. Another relied heavily on outsourcing for its IT security, and the third used in-house corporate IT for its process control security. It was found that the organisation using a dedicated IT security team that worked within the process control group achieved the highest level of security when mapped to best practice. This paper concludes that best practice recommendations for critical infrastructure providers should also include guidelines for organisational structure, and further, that dedicated IT security personnel should be placed within the process control group.