Can critical infrastructure be secured without standards?

According to Computerworld, the Australian Federal Attorney-General’s Department has ruled out regulation of security standards for supervisory control and data acquisition (SCADA) systems for critical infrastructure.

Personally, I’d have preferred them to have mandated very strict development, implementation and operating standards. SCADA systems need to be safeguarded from zero- and minus-day vulnerabilities. That means developing code that is not susceptible to common forms of attack (e.g. deploying Microsoft’s SDL as a minimum) and avoiding any external connections. Unfortunately, these are not strong points of today’s systems.

Can we trust industry to implement the measures needed to secure SCADA systems from future attacks? I doubt it. For three decades we’ve been uncovering vulnerabilities in these systems. Process industries clearly prefer to cut costs, rather than invest in strong security measures.