Australian Security Magazine, Issue 1, 2019


Print Post Approved PP100003227

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Issue 1, 2019

The economic impact of ICS vulnerabilities Black Hat Seduction CYBER RISK MEETUPS Capturing the essence of networking Exposing Dirty Habits CCTV SPECIAL The new compression in your pocket A history of CCTV test charts!

The Health of NSW Hospital Security The Danger of Slashing: Human Anatomy Connecting missioncritical Push-to-Talk with enterprisegrade apps WA Police Force Reticent, Unaccountable and Inadequate: Report Review

$8.95 INC. GST

PLUS

Techtime


CIVIL SECURITY CONGRESS AND EXPOSITION

www.civsec.com.au

Hosting the major conferences of Australia’s key law enforcement, corrective services and enabling technology organisations, the CIVSEC 2020 International Civil Security Congress and Exposition is your gateway event to the growing Indo-Asia-Pacific civil national security sector. CIVSEC 2020 will feature an industry exhibition, supporting a program including:

• Australia New Zealand Policing Advisory Agency (ANZPAA) PC20 Police Commissioners Conference
• National Security Science and Technology Centre (Defence Science and Technology)
• Corrective Services Emerging Technologies Project Group
• Custodial Corrections Working Group
• Electronic Monitoring Conference
• Australian Association for Unmanned Systems Conference

2018 HIGHLIGHTS

• 9 Australia/New Zealand Police Commissioners in attendance
• 55 Government agencies represented
• 100 international and Australian speakers across 74 sessions

For further information contact the CIVSEC 2020 Sales Team T: +61 (0)3 5282 0500

E: expo@amda.com.au


One destination for all your cybersecurity needs. In today’s cybersecurity, there’s no standing still. The threats are greater, the stakes are higher. That’s why there’s RSAC 2019 Asia Pacific & Japan. Join industry leaders and peers as you explore best practices, get up to speed on new regulations, and stay on top of the latest developments through:

• Informative sessions covering eight tracks
• Inspiring keynotes that examine where the industry is headed
• Hands-on demos of cutting-edge products from over 90 companies
• Innovation in action at RSAC Early Stage Expo and RSAC Launch Pad
• Networking opportunities that can benefit your company and career

Don’t miss the chance to get all the tips and tools you need to help protect your organization. Register today at: www.rsaconference.com/mysecuritymedia19

Follow us: #RSAC


FOCUS ON SECURITY

THE 2019 SECURITY EXHIBITION & CONFERENCE: WHERE YOUR SECURITY NEEDS ARE BROUGHT INTO FOCUS

24-26 JULY 2019 ICC SYDNEY DARLING HARBOUR

Gain insight into the newest innovations that are reinventing the industry. AI, biometrics and tech inventions are moving at lightning speed and smart technology is inspiring new discoveries every day.

EXHIBITION IS FREE REGISTER NOW

Industry leaders, new visionaries and expert users are all joining together to exchange ideas and developments. The Security Exhibition + Conference is Australia’s largest and most established commercial security event that cultivates innovation, solves problems and leads an industry to be the best in the world.

#security2019

securityexpo.com.au


CONFERENCE SOLD OUT THE LAST 3 YEARS

THE ASIAL SECURITY 2019 CONFERENCE

BUILDING RESILIENCE TO COMBAT CHANGING SECURITY THREATS The ASIAL Security Conference hosts a compelling program of renowned local and international experts, academics and visionaries addressing how to strengthen your capabilities, managing risk, a digital future, emerging technologies and innovations, integration and more. It is your annual opportunity to receive fundamental updates from the organisations shaping today’s security landscape in a program carefully curated by the industry’s peak body. The format and content of the program reflects critical industry updates and challenges on the first day, followed by your choice of streamed executive briefings on the second and third day of the program. Bring your security needs into focus, stay up to date with the latest developments and gain a competitive advantage with proven strategies to tackle a rapidly changing industry.

SECURE YOUR EARLY BIRD TICKET & ENTER THE DRAW

TO WIN A PENTHOUSE HOTEL SUITE DURING THE EVENT!

HEADLINE SPEAKERS

HUGH RIMINTON – Author, Television News Presenter, Radio Broadcaster. Conference Moderator

NICK ALDWORTH – MPA DipPR, National Coordinator Protect & Prepare, Counter Terrorism Policing National HQ, New Scotland Yard

DR TONY ZALEWSKI – Director, Global Public Safety Pty Ltd

JOHN LOMAX – General Manager Asset Protection, The Star

KELLY SUNDBERG – Associate Professor, Mount Royal University (Canada)

SHARA EVANS – Futurist, Market Clarity

NICK DE BONT – Chief Security Officer, Thales Australia

DR LISA WARREN – Clinical/Forensic Psychologist, Clinical Director, Code Black Threat Management

SECURITYEXPO.COM.AU FOR FULL SESSION DETAILS

BOOK NOW TO SECURE YOUR PLACE and take advantage of the early bird discount.

EXHIBITION HOURS
Wed 24 July: 9:30am – 5:00pm
Thurs 25 July: 9:30am – 5:00pm
Fri 26 July: 9:30am – 3:30pm

CONFERENCE HOURS
Wed 24 July: 9:00am – 5:00pm
Thurs 25 July: 9:00am – 2:30pm
Fri 26 July: 9:00am – 2:30pm

Lead Industry Partner


ENGAGING CO-CREATION TO PREPARE FOR FUTURE SECURITY THREATS 2 - 4 July 2019 Sands Expo & Convention Centre

Singapore

www.interpol-world.com

Global Safety Today • Improving Security for Tomorrow • Forecasting and Planning for the Future

Register for INTERPOL World 2019!

INTERPOL World is a global co-creation opportunity which engages the public and private sectors in dialogue and fosters collaboration to counter future security and policing challenges.

• 30 strategic Co-creation Labs to discuss the challenges and solutions for combating the crimes of the future
• Exhibition that serves as a business and networking event for 250 manufacturers, distributors, and Research and Development organizations to offer innovative products and cutting-edge technologies
• INTERPOL Working Groups (by invitation only) including the chief innovation officers group, artificial intelligence, drones and the Darknet and cryptocurrency group

visitor@interpol-world.com


INTERPOL WORLD 2nd Australian Delegation Luncheon

MySecurity Media is partnering with the organisers of INTERPOL World 2019 and holding our second Australian Delegation Luncheon event in Singapore on 4 July. In 2017 the luncheon was led by the Australian Ambassador for Cyber Affairs and attended by senior government and industry representatives from Australia and Singapore.

To register for the luncheon and for VIP Passes, email rsvp@mysecuritymedia.com




Meet the suppliers behind the future of security face-to-face. IFSEC International is your unmatched opportunity to see the latest security technology put to the test, learn directly from world-renowned industry leaders and network with security directors & managers, installers, integrators and distributors from across the globe. Source specialist security solutions across IT, cyber, perimeter protection, access control, CCTV and more.

Register for IFSEC 2019 today: www.ifsec.co.uk/MySecurity


10TH SCADA WORLD SUMMIT

17 - 20 JUNE 2019, LONDON UK

OVER 8 HOURS OF NETWORKING OPPORTUNITIES WITH SCADA DECISION MAKERS, MANAGERS & ENGINEERS FROM ACROSS OIL & GAS, PETROCHEMICALS, POWER & UTILITIES, ENERGY, MANUFACTURING AND TRANSPORTATION SECTORS!

To find out more: Phone +65 6376 0907 | Email enquiry@equip-global.com | Web http://www.equip-global.com


Contents

Editor's Desk 15
Capturing the essence of networking 18
Exposing Dirty Habits 24
The economic impact of ICS vulnerabilities 28
Black Hat Seduction 34
COVER FEATURE – Artificial Intelligence Ethics 42
The Health of NSW Hospital Security 46
The Danger of Slashing: Human Anatomy 46
Connecting mission-critical Push-to-Talk 50
CCTV SPECIAL: The new compression in your pocket 52
A history of CCTV test charts! 54
Techtime: the latest news and products 58
REPORT REVIEW: WA Police Force Reticent, Unaccountable and Inadequate 65
BOOK REVIEW: Cyber Risk Leaders 66

Executive Editor / Director: Chris Cubbage
Director / Co-founder: David Matrai
Art Director: Stefan Babij
Correspondents: Jane Lo

Correspondents* & Contributors: Jane Lo*, Vlado Damjanovski, Tony Campbell, Brenda van Rensburg, Konrad Buczynski, Denny Wan, Daniel Marsh, Milica D. Djekic, Roderick Hodgson

MARKETING AND ADVERTISING: promoteme@mysecuritymedia.com

Copyright © 2019 - My Security Media Pty Ltd, GPO Box 930, Sydney N.S.W 200, Australia. E: promoteme@mysecuritymedia.com. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

CONNECT WITH US
www.facebook.com/apsmagazine
@AustCyberSecMag
www.linkedin.com/groups/Asia-PacificSecurity-Magazine-3378566/about
www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

OUR NETWORK
www.cyberriskleaders.com
www.mysecuritymedia.com
www.australiansecuritymagazine.com.au
www.aseantechsec.com
www.asiapacificsecuritymagazine.com
Also with www.drasticnews.com | www.chiefit.me | www.cctvbuyersguide.com

12 | Australian Security Magazine


Editor's Desk

"When the security agencies are running foreign policy, the nutters are in charge…. China is a great state. It’s always been a great state and now has the second largest economy, soon the largest economy in the world. If we have a foreign policy that does not take that into account, we are fools” - Former Australian Prime Minister Paul Keating, ABC Interview, 5 May 2019, Brisbane

With the Federal election just a week away, it is hard not to mention the complex and inter-connected security environment in Australia and the region. Though complexity is one of the key issues in itself, elections bring an enhanced debate, be it on climate change, China relations, counter terrorism, cybersecurity or CCTV. Politicians still fall into the trap of promising large pools of funds and putting themselves up as the bastions of public safety and national defence. Example? Nothing cries ‘we’re taking action to keep you safe’ more than announcing more public CCTV cameras, whether needed or not.

The Morrison government has announced a $156 million election pledge intended to scale up cyber security, with an increase in the online security workforce across several departments and public funds to encourage more young Australians to study computer science. $40 million would be set aside for a “countering foreign cyber criminals” capacity within the Australian Cyber Security Centre (ACSC), which will work with the Australian Federal Police against organised crime. Another $26 million would go to the ACSC to expand its assistance to the community. Interestingly, during the campaign, the head of the ACSC, Alastair MacGibbon, announced his resignation and will be gone by the end of the month.

I would anticipate a stark contrast between the Liberal “scare them and protect them” approach and Labor’s more laissez-faire approach to national security. The security domain, despite an often bipartisan approach, is clearly reflected by two different mindsets. For Labor, with reference to their 48th ALP National Platform, they will be looking to re-appoint “an appropriately resourced and empowered National Security Adviser” and will be reviewing the Home Affairs portfolio arrangements and Australia's national crisis management arrangements. A replacement Minister for Home Affairs has not been nominated. Other than that, it appears the only cyber-related policy refers to the introduction of an eSmart Digital Licence, with the delivery of a pilot and evaluation of the licence in 2019 and a full national rollout to every student commencing from Year 3 in 2020. And as Paul Keating suggests above, the heads of the existing security agencies may do best to jump early and follow Alastair MacGibbon.

Much like the broad nature of the security domain and the challenge of keeping up with a national election campaign, this edition of the Australian Security Magazine offers some great insights. As our cover story, Singapore Correspondent Jane Lo reports from EmTech Asia 2019 on the ethics of artificial intelligence. The petabytes of photos, messages, emails and videos that we exchange and store are commonly characterised by the five “V’s”: volume, veracity, variety, velocity and value. Digital data is key in speech and facial recognition and in sentiment analysis, for training or for drawing out key information, but its use has also elevated privacy as a key consideration when adopting AI. More concerning than the privacy of our digital information is the rise of empathy robots: machines that read emotions from pupil dilation, skin temperature or speech patterns to tailor marketing messages or teaching methods. Or interrogation techniques. Are we losing our right to keep our emotions private? Will AI be able to build a picture of our psychology even when we seem composed to the naked eye? Thinking back to the political promises of rolling out ever more, and ever improving, CCTV cameras, this is a recommended read! Also check out Jane Lo’s new podcasts from Super Computing Asia and Singtel Innov8, with more to come.

Leading security practitioner Konrad Buczynski provides important insight into the health of NSW hospital security. Despite $24M being spent on CCTV upgrades, installation of remote locking systems and personal duress equipment, a recent interim report prepared by ex-NSW Police Officer and Minister Peter Anderson, titled “Improvements to security in hospitals”, reveals that ample room for improvement remains. This includes a lack of effective recourse for staff in the event of an act of serious aggression, especially in rural EDs, where police may not be available to help for extended periods.

Vlado Damjanovski provides two essential articles for the CCTV sector, including one on the High Efficiency Video Coding (HEVC) standard, popularly known in the CCTV industry as H.265. Vlado also provides the latest ViDi Labs test chart for the CCTV industry, v5.0. The chart has new features intended for cameras with various aspect ratio imaging sensors, such as 16:9, 3:2 and 4:3, common HD resolutions and all other megapixel cameras. It also accommodates the latest CCTV standards, including IEC 62676-4 and 62676-5. A must read, and one to keep in the reference library.

Finally, to highlight our Techtime section: there is a rapidly developing drone race on between Airobotics and Percepto. The Airobotics ‘Optimus’ drone and Percepto’s ‘Sparrow’ drone are each autonomous systems, and they, as well as other emerging players including the likes of Google, are vying for a large part of the government, defence and industrial applications in the Australian drone market. Watch the skies for more on these systems.

And on that note, as always, we provide plenty of thought-provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and, most importantly, engage.

Sincerely, Chris Cubbage CPP, CISA, RSecP, GAICD Executive Editor



MEDIA CHANNELS Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 120 interviews and provides regular updates, news, trends and events. Available via Apple & Android. Over 55,000 downloads in the first year.

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is distributed to many of the biggest decision makers in the security industry. Provoking editorial and up-to-date news, trends and events for all security professionals.

My Security Media rapidly expanded into the Asia Pacific region with its sister publication, the Asia Pacific Security Magazine. It is published bi-monthly and is available online for all to read; upon every issue release a direct link is sent to a database of subscribers who are industry decision makers.

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

The Australian Cyber Security Magazine was launched in agreement with the Australian Information Security Association (AISA) to be focused on AISA’s 3,000 members, nationally and forms part of AISA’s national cyber security awareness and membership communication platform.

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

Your one-stop shop for all things CCTV, surveillance and detection technologies

The MySecurity TV Channel delivers news and interviews for the Asia Pacific Security Magazine, Australian Security Magazine and Australian Cyber Security Magazine – and from across MySecurity Media channels.

MySecurity Media can facilitate specialist round-table luncheons or breakfast sessions for up to 20 invited guests for high level discussion on Security & Cybersecurity themes, guided by the Vendor’s Leaders and accompanied with published content.

Event opportunities in Sydney, Melbourne, Brisbane & Singapore providing attendees a special experience and additional takeaways, including podcast interviews and print media.

promoteme@mysecuritymedia.com

www.mysecuritymedia.com


The ‘go-to’ tool for leading professionals UP COMING EVENTS COURSES WEBINARS WHITEPAPERS SOFTWARE

promoteme@mysecuritymedia.com

www.mysecuritymarketplace.com



Crystal Eye UTM Series 10 Gateway
Enterprise to SMB/Home Office Solutions - Crystal Eye Series 10 - 200
10% Discount off RRP to Marketplace Users
The Crystal Eye Deployed Device is a Unified Threat Management (UTM) next-generation firewall (NGFW) software/hardware solution for your enterprise or home office, protecting it from a variety of threats and risks through a range of integrated services.

Illumio Adaptive Security Platform
Enterprise Solution
The Illumio Adaptive Security Platform® (ASP) secures the inside of any data center and cloud – running any form of compute – with micro-segmentation enabled by application dependency and vulnerability maps.

Predictions 2019: Cyber Security Key Trends
Over 2018 the Huntsman team has seen a number of trends develop which may impact your organisation’s operation and exposure to risk; we’ve created a White Paper, Predictions 2019 – Looking forward to next year in cyber security, to share these with you.
HUNTSMAN SECURITY CYBER SECURITY PREDICTIONS 2019

The Cyber Breach Communication Playbook
The Cyber Breach Communications Playbook is set out in a straightforward, easy to understand format that equips Boards with a rapid and competent decision making guideline: “asking the right questions is 80% of getting the right solution.”
LISTEN TO OUR AUTHOR PODCAST



Cyber Security

Modern workflow without modern risk

Dekko is a web-based platform that relies on engineering solutions to provide privacy and security – not anonymity, secrecy, or private cloud infrastructure. Dekko is easy to use, easy to implement and easy to manage. Dekko enables you to navigate:

• Threat of intruders
• Accidental misaddressing
• Untrusted networks
• Lack of communication control
• Protecting your brand reputation
• Information privacy

Circles: Isolate and discuss projects; Control visibility
Sharing: Share files with no size limits; Share documents for approval; Granular permissions
Control: Branding; Data sovereignty
Security: End-to-end encryption; Two-factor authentication; Completely user-transparent

The Dekko platform tools: DekkoVAULT, DekkoSIGN, DekkoCHAT, DekkoMAIL

www.mysecuritymarketplace.com/products/dekkosecure



Cyber Security

Capturing the essence of networking - Cyber Risk Meetup, Melbourne wrap-up By Chris Cubbage, Executive Editor

Interview with Jacqui Loustau, Founder of the AWSN

The group representation of thousands of cyber security professionals in Australia, from seniors to students and otherwise just curious minds, was captured at the latest Cyber Risk Meetup. Held in Melbourne on April 30, in association with the Australian Women in Security Network (AWSN), supported by Illumio and Privasec and hosted by Ernst & Young Australia in Exhibition Street, the opening panel represented the ‘on the ground’ founders of leading meetup groups in the Australian cybersecurity industry.

Shamane Tan, Founder of the Cyber Risk Meetup, gathered the opening panel: Matt Tett, Founder of the Day of the Month (DOTM) Club; Mike Monnik, Organiser of the SecTalks Meetup and Founder of the Deakin University Information Security Club (DISC); and Jacqui Loustau, Founder of the AWSN. Together these founders each represent different, yet cross-complementary, segments of the industry, now running in the majority of Australian states and territories.

Matt Tett’s DOTM clubs, be they on a Tuesday, Wednesday or Thursday of each month, capture about 2,000 networkers across the country, sharing an ale or two and discussing their focus of interest, be that consulting or technical teams, students, or industry retirees, often paired with younger up-and-comers. Matt brings a relaxed and inclusive approach to his events and they are an ideal chance to connect and network.

For Mike’s SecTalks, coincidentally on the last Wednesday of each month, the focus is more on garnering technical skills. To ensure focused learning, numbers are often capped at 80-100 attendees, despite growing to about 1,500 national members. Held at the PwC Tower in Melbourne, the SecTalks dive into red teaming and penetration testing and are an ideal opportunity for teams, and even students coming into the city from the suburbs, to hone their skills.

Shamane Tan outlined the secret of success for the Cyber Risk Meetups, now spanning Australia and Singapore. These quarterly events provide a unique opportunity for senior executives to share their experiences in mixed panel and presentation settings with a ‘no-sales’ approach. The format clearly works and, with 1,500 members, the CRMs (#CyberRiskMeetup) are a full house each and every time.

Having interviewed Jacqui Loustau for a podcast just prior to the event, it was an insight to learn the AWSN was born from her desire to share her own challenges in being one of the few women in the room when attending industry events in a male-dominated sector. She wasn’t alone. The women’s network grew rapidly, and nationally, to 1,700 members, retaining the focus of connecting, supporting and inspiring women in the security industry. This includes cybersecurity, physical security and the less recognised security roles such as business continuity and fraud prevention.

Together the panel of four provided great insight into the cybersecurity sector and the desire for learning, sharing, networking and connecting across Australia and beyond. Mike pointed out that going to SecTalks, or any networking group, is like going to the gym: the reason people stop going is the lack of community and of friends to go with. The real value each of these groups offers is a genuine approach to friendship and inclusion. When asked how to address the key industry challenges, if it were up to Matt he may well turn the Internet off to solve the cybersecurity challenge; many agree that is probably the only solution. For Mike, it was getting cybersecurity taught as early as possible, including in primary school. Collaboration is key for Shamane, and Jacqui summed it up nicely: ensure the industry keeps its message simple, so as not to confuse and scare, but to educate and empower, the general public.

Following another intensive networking break and some canapés, the session moved on to the next panel. Led by EY’s Senior Manager Meaghan Stackpole, the panel was Mick Dunne, CISO, AustralianSuper; Claire Pales, Director, 27 Lanterns and author of Secure CIO; and David McMurdo, Head of Private Client Group at AIG. Yet again a fascinating discussion ensued, with diverse input from an insurance perspective, a major economic trust brand in AustralianSuper, and Claire’s invaluable experience from decades in the industry.

It was clear from the discussion that, despite their diverse backgrounds, each panellist had observed and experienced the same mass movement of modern technology, with new trends seemingly coming out each week. Social media trends and our relationship with technology have changed and are still evolving. Even the relationship with our cars is changing as they become computerised and autonomous. For Claire it’s all about trust, including the importance of building trust with consumers and customers: nothing will be sustained without trust or ethics. Yet, despite technology rapidly moving forward, it is policy that comes second and the judiciary third when trying to grapple with and control the impacts on our daily lives and the risk to enterprise. It was reiterated that Australia lacks political leadership in this area and, regrettably, it is unlikely to change in the near term.

Yet to change and influence something such as an enterprise risk culture, the removal of barriers to silos and silo mentalities is important. It can start with some simple changes, such as sitting people together and allowing them to share job experiences, and moving from a binary, ‘yes or no’ decision approach around security to a risk-based approach, with adaptation needed as risk changes.

Of concern is that executives and boards still aren’t being fully apprised of the risk around cybersecurity, or understanding the risk. Elevating the right risks, at the right time, to the executive team is a primary challenge for a large enterprise. The discussion also covered the longer-term challenges of society in a challenging geopolitical environment, and of the kids of today who may not be getting taught the best cyber-hygiene skills. How are we preparing them for the workplace of tomorrow? Kids in school are still being taught to write down passwords, and the impact of social media on behaviours like bullying is still not fully understood.

Looking back, when Claire was young she wanted to be a lawyer, then a journalist and then a police officer; in many ways, now being in cybersecurity, she has become a mix of all three. This highlights the great aspect of cybersecurity, namely the opportunities and challenges it presents. The opportunities are numerous and were indeed a common theme throughout the night.

A great event, and I would encourage you to get along to your local group so as not to miss out! Visit www.cyberriskmeetup.com to stay tuned, and register for a copy of Shamane Tan’s upcoming book release, ‘Cyber Risk Leaders: C-Suite Insights – Leadership and Influence in the Cyber Age’.

Shamane Tan and Jacqui Loustau opening the CRM

L-R: Matt Tett, Mike Monnik, Shamane Tan and Jacqui Loustau

Questions? Lively audience participation

Meaghan Stackpole facilitating the panel with David McMurdo, Claire Pales and Mick Dunne

Thanks to our facilitators and panellists (L-R): Claire Pales, Meaghan Stackpole, Jacqui Loustau, Shamane Tan, Matt Tett, Mike Monnik, David McMurdo and (MIA) Mick Dunne



We want to help build and maintain the pipeline of talented professionals and grow the security ecosystem

Help our future by supporting & joining us now CONNECTING - SUPPORTING - INSPIRING Join the conversation: awsn_au

www.awsn.org.au

awsn Australian Women in Security Network



OVER 100 EPISODES, OVER 50,000 DOWNLOADS

www.australiancybersecuritymagazine.com.au


PODCAST HIGHLIGHT EPISODES Episode 147 – Pre-War Phase, Warfare & Cyber: Amongst Space, Air, Land, Sea, Time & Perception Interview with Dr. Malcolm Davis, ASPI Whilst in Canberra for the #CyberTaipan National Finals pilot program, we visited the Australian Strategic Policy Institute (ASPI) and met with Dr. Malcolm Davis, Senior Analyst to discuss defence, cyber, space, China, USA, droneswarms, Warfare Tactics in this pre-war phase.

Episode 146 – High-Performance Computing (HPC) and why it matters for Australia: Pawsey Supercomputing Centre Jane Lo, Singapore Correspondent interviews Mark Stickells, Executive Director, Pawsey Supercomputing Centre, based in Perth, Western Australia. Why HPC or Supercomputing – high performance computers that perform at highest operational rate - matters to Australia’s vision for 2030 to be a top tier innovation nation, and the history behind Pawsey, HPC projects, partnerships across the world, and talent development at the centre.

Episode 145 – #GameOn with #OzCyberinUSA2019 - Interview with Michelle Price, CEO, AustCyber in San Francisco for #RSA2019 In San Francisco for the joint AustCyber and Austrade “Australian Cyber Security Mission to the USA”, MySecurity Media's Director Dave Matrai interviews Michelle Price, AustCyber CEO and discusses Australia’s position on the global cyber security stage. The discussion includes how the Australian cyber security industry has changed over the past 3 years and why Australia is an attractive destination for investment into Australian cyber security innovation. Singtel Innov8 and NUS Enterprise to deliver the ICE71 Inspire and ICE71 Accelerate programmes.

Episode 144 – #CyberTaipan joins an International program delivering a critical skills pipeline with #CyberPatriot #CyberCenturian #CyberArabia This interview with Michelle Price, Chief Executive Officer of AustCyber and Diane Miller, Director, Global Cyber Education & Workforce Initiatives for Northrop Grumman provides insight into the CyberTaipan Finals Competition held in Canberra on 16 March 2019 and the program's link to the USA, UK and Saudi Arabia.

Episode 141 – Insights into the Illumio Adaptive Security Platform & Micro-Segmentation. Interview with Andrew Kay, Systems Engineer with Illumio. The Illumio Adaptive Security Platform® (ASP) secures the inside of any data centre and cloud, running any form of compute, with micro-segmentation enabled by application dependency and vulnerability maps. Illumio ASP delivers micro-segmentation by combining vulnerability data with real-time traffic visibility. This combination enables organisations to understand how their applications work, see where they are most vulnerable, and use that visibility to create and enforce micro-segmentation policies.

Episode 138 – Cyber Breach Communication Playbook - In-depth interview with author Peter Coroneos This interview starts with a book review but dives into Peter's long and fascinating journey, starting as the CEO of the Internet Industry Association in 1997 and through to his observations of today's contemporary cyber environment and potential for the next cyber crisis - including an existential threat with an apparent escalating Cyber War between the major powers of USA and China. Peter is the CEO of Icon Cyber and the APAC Regional Head for CyAn CyberSecurity Advisors Network.

Episode 139 – Probable not Provable: Privacy for Census Data vulnerable to attack - Chief Scientist, Optus Macquarie University Cyber Security Hub. Interview with Professor Dali Kaafar, Chief Scientist at the Optus Macquarie University Cyber Security Hub and Professor in the Faculty of Science and Engineering at Macquarie University. Professor Kaafar and Macquarie University lecturer Hassan Jameel Asghar released a paper in mid-February titled ‘Averaging Attacks on Bounded Perturbation Algorithms’ that identifies and demonstrates a vulnerability in the perturbation algorithm used by the Australian Bureau of Statistics for its online tool, TableBuilder, which enables querying of Australian Census data.

Episode 140 – DevOps and the journey to DevSecOps with #OzCyberinUSA2019 - Interview with Paul McCarty of SecureStack. Recorded in San Francisco at the RSA Conference as part of #OzCyberinUSA2019, MySecurity Media's Dave Matrai interviews Paul McCarty of SecureStack. This is a great story about an American who has come to Australia, become an Aussie and is on a mission to take his company back to America! Already working with a number of government clients, Paul discusses his insights into DevOps and the journey he is undertaking as part of CyRise.

www.australiancybersecuritymagazine.com.au Australian Security Magazine | 23


Cyber Security

Exposing Dirty Habits: Perth’s Cyber Riskers Meetup

By Tony Campbell

The recent Cyber Risk Meetup in Perth demonstrated well the West Australian cyber community’s enthusiasm, strength and passion for learning. With an enticing title, “Exposing Dirty Habits”, the event kicked off in GHD Digital’s offices on Hay Street with a very relevant discussion on big-company exposures. It was delivered by Rapid7’s Vice President for APAC, Neil Campbell, who has had a long and interesting career spanning law enforcement, forensics, cyber technology and consulting, through to, most recently, sales.

Neil’s presentation, entitled The State of Security for Australia’s ASX 200 Orgs, focused on the key findings from Rapid7’s recently published report on ASX 200 companies and their cyber exposures. He covered the following aspects on a sector-by-sector basis:

• number of exposed servers and devices;
• exposure to known common attacks;
• susceptibility to phishing attacks;
• evidence of infection from malware;
• third-party dependencies that share risk; and
• evidence of vulnerability management.

As Neil explained, ASX 200 organisations are amongst the most well-funded and well-resourced in Australia. Each of them will undoubtedly spend a significant amount on cyber security every year (likely millions of dollars), yet Rapid7 was able to find systemic cyber risks and exposures across every sector represented in the report. A frightening fact was that Rapid7 showed ASX 200 organisations to have, on average, a public attack surface of 29 exposed servers/devices, while many of them had more like 200–300 systems/devices directly reachable over the open Internet. Furthermore, none of the examined industry sectors was free from malware infections, with many individual companies signalling to Rapid7’s honeypot network, known as Project Heisenberg[1].

How Did Rapid7 Gather This Data?

The data Rapid7 collected for this report was gathered using active scanning and special DNS queries. One additional capability Rapid7 has established, Project Heisenberg, is a global array of passive network sensors that advertise services such as HTTP/HTTPS, Telnet and SMB. As Neil said, no genuine Internet traffic should be hitting those systems, so when they receive a connection from an organisation’s address space, it is a strong indicator that the organisation is compromised. (It is an indicator, not proof: a misconfigured host or an internal scanner can also reach a honeypot, so each hit still needs to be traced to the source and investigated.)

A further worrying statistic Neil shared was that most ASX 200 companies do not employ industry best practice for email spoofing and phishing mitigation: 67% of the organisations could enhance their security posture simply by applying DMARC (Domain-based Message Authentication, Reporting & Conformance) to their email infrastructure[1]. Exposed weak services were another major problem, with some organisations having Telnet and Windows file sharing (the security nightmare that is SMB) open to the Internet. Each exposed service of this kind elevates the organisation’s risk and exposure. Finally, ASX organisations in every sector had serious issues with patch/version management of business-critical internet-facing systems. It is vital that organisations make configuration and patch management of internet-facing systems a top priority.
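Neil’s DMARC finding is easy to reproduce for your own domains. The following is an added example, not Rapid7’s code (Rapid7 has not published the grading rules behind its figure): it parses the TXT record a domain publishes at _dmarc.<domain>, using the tag syntax from RFC 7489, grades the policy it expresses, and summarises a set of domains the way the report does per sector. The six records and the domain names are constructed for illustration.

```python
"""Grade DMARC records the way an external exposure survey would.

Added example for this article; not Rapid7's code and not its grading rules.
Each record is the TXT value published at _dmarc.<domain>. Grades:
none (nothing usable), monitor (p=none), partial (pct<100), enforce.
The sample records and domains below are constructed, not real."""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return (grade, findings) for one domain's _dmarc record (None = nothing published)."""
    findings = []
    if record is None:
        return "none", ["no DMARC record published: receivers have no policy to apply"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none", ["not a valid DMARC1 record (v= and p= are mandatory)"]
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not numeric; receivers fall back to 100")
    if policy == "none":
        grade = "monitor"
        findings.append("p=none: spoofed mail is still delivered, the record only reports")
    elif policy in ("quarantine", "reject") and pct < 100:
        grade = "partial"
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    elif policy in ("quarantine", "reject"):
        grade = "enforce"
    else:
        return "none", [f"unknown policy p={policy}"]
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    if tags.get("sp", policy).lower() == "none" and grade != "monitor":
        findings.append("sp=none: subdomains can still be spoofed although the org domain is enforced")
    return grade, findings


def summarise(records):
    """Count domains per grade, the sector-level view the report gives."""
    counts = {"none": 0, "monitor": 0, "partial": 0, "enforce": 0}
    for record in records.values():
        counts[grade_dmarc(record)[0]] += 1
    return counts


def share_not_enforcing(records):
    """Fraction of domains that would benefit from adding or strengthening DMARC."""
    counts = summarise(records)
    total = sum(counts.values())
    return (total - counts["enforce"]) / total


# Constructed sample: what dig +short TXT _dmarc.<domain> might return for six fictional domains.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "subdomains.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomains.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; ruf=mailto:forensic@enforced.example",
    "broken.example": "v=spf1 include:_spf.broken.example -all",  # an SPF record published at _dmarc by mistake
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, findings = grade_dmarc(record)
        print(f"{domain:20s} {grade:8s} {'; '.join(findings)}")
    print(f"not enforcing: {share_not_enforcing(SAMPLE_RECORDS):.0%}")
```

To grade a real domain, feed the value returned by dig +short TXT _dmarc.example.com (without the surrounding quotes) to grade_dmarc. Moving straight to p=reject is not the goal in itself: enforcement only helps if SPF and DKIM are correctly aligned for every legitimate sender, which is why most organisations step through p=none with rua reporting first, and why a p=none record with no rua address is the weakest position short of having no record at all.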



Next Up: Richard Addiscott, Silver Chain Group’s CISO

Following Neil Campbell’s talk was a fascinating discussion on the 3 C’s from Richard Addiscott. Richard is Silver Chain’s CISO and, over his tenure with them, he has been introducing systems and processes to better upskill the Silver Chain workforce to protect themselves and each other. His presentation had the extended title The 3 C’s – Delivering Effective Information Security in a Digitally Transforming Environment, which in essence boils down to three main points:

• Context;
• Collaboration; and
• Culture.

Context is important because, without knowing what the business does, who the users are and what is most important to them, security controls are often mismatched and slow the business down rather than enabling it. In Silver Chain’s case, if a security control hinders getting employees to patients, then the context of the business is lost, and so is the willingness to collaborate with the security team.

When security builds a collaborative approach with users for protecting the business, you get an increased willingness across the organisation to engage and work with the security team. Vitally, the senior executive and stakeholder advocacy group is better informed and is consulted throughout the security programme on matters that affect the entire organisation, so collaboration breeds trust and demonstrates the value of the security programme.

Culture was the final ingredient of Silver Chain’s security programme that Richard discussed, and likely the most important. Context and collaboration both help develop the organisation’s willingness to support security’s mission, but for new controls to stick it is important to take the business on a cultural journey, where the goal is to ensure “the new security culture supports the transformed internal context.”

Are You Protecting Your Valuables?

Janette Opperman was the final speaker of this Cyber Riskers evening. She talked about Chevron’s approach to cyber security in the OT and process control space, and it was an interesting and eye-opening discussion. Janette is Manager of Chevron’s Australasia Business Unit (ABU) Process Control Network (PCN) Support Team, so her area of responsibility includes making sure the process control network operates within Chevron’s agreed tolerances and that systems do what they are supposed to do. Her team keeps data integrity and system availability foremost in mind, since any failure of integrity or availability can produce a false reading or a failed control unit, and either poses an extreme safety risk.

Janette provided some background on Chevron’s Gorgon and Wheatstone Projects to illustrate how extreme a failure in security could be in terms of its threat to human life. Wheatstone[1] is Australia’s first liquefied natural gas (LNG) hub, with two LNG trains and a combined capacity of 8.9 million tonnes per annum. Gorgon[2] is located on Barrow Island and comprises “a three-train, 15.6 million tonnes per annum LNG facility and a domestic gas plant with the capacity to supply 300 terajoules of gas per day to Western Australia.”

Neil Campbell looks at exposures affecting ASX 200 organisations

Richard Addiscott talks about Silver Chain’s security culture

Janette Opperman discussed the security risks to Chevron’s Wheatstone and Gorgon Projects

One of the most fascinating aspects of Janette’s talk was the zero-tolerance culture she has adopted towards security lapses. If engineers fail to follow protocols and download malware or fall for a phishing campaign, they lose Internet access. If it happens again, she said, “They will likely end up working somewhere else.” There can be no exceptions, since the stakes are so high.

Perth’s New Cyber Place to Be…

The enthusiasm and passion of the Cyber Riskers speakers, coupled with the obvious buzz amongst the crowd, was a welcome change for security meetups in Perth. Hats off to the team over at GHD Digital (especially Daniel Marsh) for giving the Perth security community something new, with a real focus on value and on finding speakers who deliver engaging and interesting content. Keep up the great work and we are all looking forward to



Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including: national security, defence, law enforcement, regulation, business, academia, banking & finance, and integrity commissions.

As the peak professional body for intelligence professionals, AIPIO is committed to:
• connecting members across intelligence communities and encouraging cross-domain collaboration;
• sharing cutting-edge and emerging global intelligence practices and enabling technologies;
• supporting and representing intelligence professionals throughout their career lifetime; and
• encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data.

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au



3-5 SEPTEMBER 2019 | MITEC | KUALA LUMPUR | MALAYSIA

EXHIBIT AT ASIA’S NEW END-TO-END POWER EVENT
GAIN VITAL ACCESS TO KEY POWER & ENERGY BUYERS: POWER GENERATION | DIGITAL TRANSFORMATION | TRANSMISSION & DISTRIBUTION

PARTICIPATE IN THE REGION’S PREMIER BUSINESS PLATFORM FOR POWER PROFESSIONALS
POWERGEN Asia will in 2019 be co-located with the leading smart energy show, Asian Utility Week, as well as DistribuTECH Asia and SolarVision. This one combined show will cover the whole value chain of power, from generation to transmission and distribution to its digital transformation. Attracting attendees from all of the largest and most influential utilities and IPPs, governments and solution providers, it is here that you will discover the future of the power and energy industry.

11,000+ attendees | 350+ leading exhibitors | cutting-edge content | 350+ international speakers

VISIT WWW.POWERGENASIA.COM OR WWW.ASIAN-UTILITY-WEEK.COM ▪ MAKE A BOOKING ENQUIRY ▪ SEE THE FLOOR PLAN ▪ VIEW THE EVENT PROSPECTUS




The economic impact of ICS vulnerabilities By Denny Wan and Daniel Marsh


The Common Vulnerability Scoring System (CVSS) is used throughout various industries to score vulnerabilities on several metrics. The base metrics focus on confidentiality, integrity and availability, the well-known CIA triad ingrained in the mentality of cyber security professionals, and CVSS extends to temporal and environmental metrics when and where that additional information is available. This allows a score to be “weighted” for organisational nuances: a vulnerability with a base score of 10, for example, could be lowered by temporal and environmental factors such as the affected system sitting on an air-gapped network.

In industrial environments the context of a vulnerability can be vastly different, and CVSS does not include any estimate of the potential economic impact of successful exploitation. Blindly applying CVSS to an environment without addressing context can result in inappropriate prioritisation, with resources and effort misdirected and potentially disastrous consequences. A remote code execution (RCE) vulnerability is critical for any exposed system; in a segmented and isolated environment, however, the same RCE does not have the required exposure factors. The environmental metrics (the group that models where the system is deployed; the temporal group only tracks exploit maturity, remediation and report confidence) should reduce the score, but not necessarily enough to move it off the top of the list of vulnerabilities in that environment. A high CVSS score does not necessarily mean the vulnerability is critical to an ICS, and treating it as though it does can result in massive economic loss, including the loss of life.

This paper explores some recent research in the scoring of Industrial Control Systems (ICS) vulnerabilities to improve its usability. It extends the approach in our previous paper, “A New Approach to ICS Risk Assessment”, which applies business-based prioritisation to scoping an ICS risk assessment using cyber risk quantification techniques. The Open Group Factor Analysis of Information Risk (FAIR) cyber risk quantification framework is a useful approach for ICS risk professionals to dimension ICS risk in business language and financial metrics, to better explain business impacts and remediation prioritisation decisions to business stakeholders.

ICS Security Basics

ICS exists to ensure the effective operation of facilities and generally to help provide manageable services such as water, power, transportation and building management. No service for which loss of life is considered acceptable should be operated at all, and these ICS sectors are aligned with that principle, taking a safety-first approach to any activity carried out. The first question of ICS security basics should simply be: does this “thing” have the potential to cause loss of, or harm to, life? If yes, how do we remove this potential?

There are a number of regulatory and legislative requirements that these systems must adhere to, and some that they simply should adhere to. In Australia, the Security of Critical Infrastructure Act requires reporting of all assets deemed critical infrastructure and implementation of the changes deemed appropriate by the Minister. In North America, the North American Electric Reliability Corporation (NERC) has the Critical Infrastructure Protection (CIP) reliability standards; the NIST Cybersecurity Framework and the Cybersecurity Capability Maturity Model (C2M2) are the basis on which the Australian Energy Market Operator has built the Australian Energy Sector Cyber Security Framework (AESCSF).

ICS used to be completely isolated, operating over proprietary protocols and interfaces, which significantly limited the attack vectors. With the growth of the Internet, open standards and the need for devices to communicate with other vendors’ equipment, the air gap between ICS and the general IT world has shrunk. Serial-to-Ethernet converters allow devices built before the dawn of the Internet to be directly connected, sharing information with anyone who has the knowledge to query them.

Simply applying the same controls to an ICS as are applied in the enterprise IT environment is daft, disastrous and impossible. Achieving a 99% patch rate within two weeks of patch release across enterprise IT might be a reasonable goal, but even a 50% patch rate in the ICS world could be seen as lofty.

Malware such as Stuxnet and TRISIS is engineered specifically to target ICS environments, to cause loss or destruction or simply to shut down energy distribution and processing. Other malware is more general: KillDisk, which played a part in the Ukraine blackout of 2015, destroyed the disks of servers and workstations, making recovery more difficult.
“The greatest trick the Devil ever pulled was convincing the world he didn't exist.” – The Usual Suspects (1995). Making a Human Machine Interface (HMI) or system console show that everything is OK while everything in the background is going haywire was a signature element of Stuxnet: the engineers could not identify why the centrifuges were breaking because their monitoring was being tampered with.

Implementing zone models such as the Purdue Enterprise Reference Architecture (PERA), and applying the concept of zones in general, is still one of the best practices that can be implemented; done correctly, it reduces attack vectors and establishes choke points where traffic can be thoroughly and deeply inspected. In addition to zone models, a system classification plan such as the McAfee 3x3 matrix can greatly assist: each asset in an environment is classified into one of nine boxes, with each box applying different controls to protect the asset. By combining PERA and the 3x3 matrix, a complete strategy for protecting an ICS can be developed effectively. There are also a number of standards and guides for securing ICS: NIST SP 800-82 is a comprehensive guide, while the SANS paper “Securing Industrial Control Systems-2017” provides an organisational view of addressing cyber security in ICS.

Taking the simple approach that what’s good for IT is good for OT will result in inappropriate priorities and misdirected effort. Each approach, system and technology must be tailored for ICS to ensure the appropriate context is applied.

The problem with using CVSS

CVSS is widely used to prioritise patching effort on IT systems, and ICS-CERT advisories carry CVSS scores for vulnerabilities specific to ICS. CVSS v3 was released in 2015 to improve the effectiveness of CVSS. However, a 2018 paper from Carnegie Mellon University (CMU) titled “Towards Improving CVSS” spells out a few key deficiencies that contribute to CVSS being widely misused for vulnerability prioritisation and risk assessment, despite being designed to measure technical severity. The CVSS scoring algorithm is not justified, either formally or empirically. Misusing CVSS as a risk score means you are not likely learning what you thought you were learning from it, while the formula’s design flaws mean the output is unreliable regardless. Not surprisingly, ICS CVSS scores suffer from the same problems. For example, a medical system vulnerability that could cause death can be rated lower than a vulnerability that could lead to spear phishing (in a zone that doesn't allow email).

Part of the problem is that most users only reference the CVSS Base Score, which covers Exploitability and Impact, without contextualising it with the temporal and environmental metrics that the CVSS methodology was designed to include. The CVSS scoring system consists of three metric groups (Figure 2). The score from each group is fed into the next to contextualise it to the deployment environment and use case (Figure 3).

Figure 2: The three CVSS metric groups (base, temporal, environmental)

Figure 3: How the base score is contextualised by the temporal and environmental groups

At the recent S4x19 ICS security conference, Billy Rios (Founder, WhiteScope), Clint Bodungen (Executive VP, Leo Cyber Security) and Art Manion (Senior Vulnerability Analyst, CERT/CC) took part in a panel session titled “A New CVSS For ICS Vulnerabilities” to present their suggested modifications to CVSS for ICS vulnerabilities. They scored the same vulnerabilities and then discussed the pros and cons of each other’s methods.

The “I”s have it – IoT and IIoT

Daniel Ehrenreich, ICS security expert, challenges the industry to differentiate between the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) in his recent post titled “IoT and IIoT – Are there differences?”. He is still waiting for an answer! I am sure he would have made a small fortune if he could collect a dollar every time someone failed to respond to his challenge or failed to answer the question properly. Jokes aside, this is a serious matter because “… IIoT endpoint devices are part of the ICS architecture …”. Moreover, he pointed out in his post titled “Why this chart on IoT is incorrect?” that “… The IIoT is a completely different story, and there is a huge difference between IoT and IIoT. The IIoT devices (smart sensing devices) never communicate directly over the internet (as IoT devices do) as they are part of the ICS architecture which must be cyber secured. When IIoT ecosystem service is required (upon detecting a problematic condition or need for optimized performance), the ICS initiates a communication session through corporate IT with the cloud-based service and vice versa ..” We look forward to his latest update when he visits Australia in June to deliver his ICS security workshops.

Integrating FAIR into ICS security

As explained in the previous section, contextualising CVSS scores (for both ICS and non-ICS vulnerabilities) to the target environment and use case is the key to maturing the application of CVSS to vulnerability management. The Open Group FAIR cyber risk quantification framework provides a structured approach to breaking down the risk scenario and use case. This enables stakeholders to explain the rationale behind their analysis and the rating assigned to each CVSS metric. For example, the FAIR taxonomy breaks vulnerability down into Threat Capability and Resistance Strength (see Figure 4).

Figure 4: FAIR taxonomy, vulnerability broken down into Threat Capability and Resistance Strength

The nearest FAIR term for each CVSS exploitability metric:

CVSS metric                            FAIR terminology
Access Vector (Attack Vector in v3)    Contact Frequency
(no direct CVSS metric)                Probability of Action
(no direct CVSS metric)                Threat Capability
Attack Complexity                      Resistance Strength

Figure 5: FAIR taxonomy, the loss magnitude side (potential loss from a cyber incident)

Because CVSS focuses on the vulnerability rather than the attacker, there is no direct mapping for “Probability of Action” or “Threat Capability”. These are the domain of threat intelligence analysis, e.g. the motives and capabilities of the attackers. It is intuitive that patching improves “Resistance Strength”, as does isolation technology such as network segmentation. Similarly, stateful-firewall-based access controls increase the complexity for an attacker launching an attack, resulting in a lower “Contact Frequency” with the targeted asset. The other dimension of the FAIR taxonomy is the estimation of potential loss from a cyber incident (see Figure 5).

The presentation “De-Mystifying Cyber Risk” by Mike Radigan (Director, OT Strategy | Strategic Partners at Capgemini Cyber) at the ICSJWG 2017 Fall Meeting showed how to apply the FAIR framework to model cyber risk in an ICS environment. A summary of Mike’s presentation has been published on the FAIR Institute blog under the title “Case Study: Demystifying ICS Cyber Risk with FAIR normalized with mechanical/industrial operational risk”. While Mike’s analysis did not quantify ICS CVSS scores, his quantification approach is a useful template for ICS security practitioners who want to present their technical analysis to business stakeholders. He has been very helpful and patient in explaining his approach to us, and I am sure he would be equally helpful to other ICS practitioners interested in applying FAIR to their own analysis.

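Where CVSS stops, FAIR starts. The block below is an added example (not the authors’ code, nor Mike Radigan’s case study or Open Group tooling) that runs a FAIR-style Monte Carlo over a hypothetical HMI RCE in two settings: a flat network with an unpatched HMI, and the PERA zoning with a DMZ conduit and a patched HMI described earlier. It follows the taxonomy the article cites: Loss Event Frequency = Threat Event Frequency × Vulnerability, Vulnerability = P(Threat Capability > Resistance Strength), and a Loss Magnitude drawn per event. Every range is an illustrative assumption; in practice the numbers come from calibrated SME estimates and incident data.

```python
"""FAIR-style Monte Carlo: annualised loss exposure for one ICS scenario, in currency.

Added example; not code from the article's authors, Mike Radigan's case study
or the Open Group. All ranges below are illustrative assumptions."""
import math
import random
import statistics


def tri(rng, lo, mode, hi):
    """Sample a (min, most likely, max) estimate as a triangular distribution."""
    return rng.triangular(lo, hi, mode)


def poisson(rng, lam):
    """Number of loss events in a year at annual rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def vulnerability(rng, tcap, rstr, contests=20_000):
    """FAIR Vulnerability: share of contests where attacker capability beats control strength."""
    wins = sum(1 for _ in range(contests) if tri(rng, *tcap) > tri(rng, *rstr))
    return wins / contests


def simulate(scenario, years=10_000, seed=1):
    """Return vulnerability plus mean, median, 90th percentile and worst simulated annual loss."""
    rng = random.Random(seed)
    vuln = vulnerability(rng, scenario["tcap"], scenario["rstr"])
    annual = []
    for _ in range(years):
        lef = tri(rng, *scenario["tef"]) * vuln              # loss events per year
        annual.append(sum(tri(rng, *scenario["loss"]) for _ in range(poisson(rng, lef))))
    annual.sort()
    pct = lambda p: annual[min(int(p * years), years - 1)]
    return {"vulnerability": vuln, "mean": statistics.mean(annual),
            "p50": pct(0.5), "p90": pct(0.9), "max": annual[-1]}


# Constructed scenario: an unauthenticated RCE on a plant HMI. Money in AUD,
# capability and strength on a 0-100 scale. None of these figures are measured.
FLAT_NETWORK = {
    "tef": (6, 12, 24),                       # threat events/year reaching the HMI from the corporate LAN
    "tcap": (50, 70, 90),                     # capability percentile of the threat community
    "rstr": (30, 45, 60),                     # unpatched HMI, no zone boundary
    "loss": (200_000, 800_000, 3_000_000),    # outage, response and safety review per event
}
# Same threat community and loss ranges; PERA zoning with a DMZ conduit and a patched HMI.
SEGMENTED = dict(FLAT_NETWORK, tef=(0.2, 0.5, 2.0), rstr=(60, 75, 90))


def compare(scenarios=None, seed=1):
    """Run each scenario on the same seed so the difference is the controls, not the dice."""
    scenarios = scenarios or {"flat network": FLAT_NETWORK, "segmented + patched": SEGMENTED}
    return {name: simulate(s, seed=seed) for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:22s} vuln={r['vulnerability']:.2f} "
              f"mean=A${r['mean']:,.0f} p90=A${r['p90']:,.0f} max=A${r['max']:,.0f}")
```

The output is in currency, which is what the article argues stakeholders need: the flat-network scenario’s expected annual loss lands well above the segmented one, even though the CVSS base score of the vulnerability is identical in both. Vulnerability comes out as a probability rather than a severity label, and the p90 and max values show the tail that a single “expected loss” figure hides. Raise years for tighter percentiles.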



SCADA & ICS CYBER SECURITY WORKSHOPS
24 & 25 JUNE - PERTH | 27/28 JUNE - SYDNEY

Overview
Reliable and safe operation of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems is considered critical for a broad range of industries supporting wellbeing at a national level. The growing convergence of IT and ICS, long-separated domains, calls for special attention and the adoption of ICS-oriented best practices. These functions can be jeopardised internally by an incentivised individual, or through remote access by a hostile organisation; hence appropriate preventive measures should be taken to mitigate such breaches and minimise possible damage.

Target Audience
The training workshop is aimed at building the competency of a wide range of position holders in the SCADA/ICS arena. Graduates of this course will master the key terms, technologies and attack vectors related to the computerised control systems they operate. The training program is suitable for the following groups:
• IT personnel who need to know more about SCADA/ICS risks and defence technologies, in order to assure better collaboration among these teams
• SCADA/ICS engineers involved with the design and maintenance of critical manufacturing (food, medicine, chemical processes, etc.)
• Operators dealing with the control of renewable and other electric power plants, sewage plants, desalination and other chemical process plants
• A broad range of managers interested in upgrading their technical knowledge so as to make correct and cost-effective investment decisions
Upon completion of this training workshop, graduates should be able to better defend their critical infrastructure and comprehend the mechanisms behind it. It will also prepare you to apply for certification classes such as CISA and CISSP.


Facilitator: Daniel Ehrenreich, B.Sc. Engineering, ISO 27001 Lead Auditor, Secure Communications and Control Experts. Daniel’s current assignments include writing an ICS cyber security methodology, as well as acting as lead facilitator for ICS Cybersec 2019, Israel and ICS Cybersec Asia 2019, Singapore.

Daniel brings over 25 years of experience with SCADA and ICS deployed for electric power, water, sewage, and oil and gas. Since 2010 he has combined his engineering activity with cyber security and has consulted and delivered training in Israel and across the world. Previously he held senior positions with leading firms in Israel, including Waterfall Security, Siemens and Motorola Solutions.

BEST PRACTICE WORKSHOP
The two days are suitable for a broad range of technical and C-level positions in the OT and IT domains and include training material and a Certificate of Attendance. The class is suitable for people coming from, or interested in entering, typical SCADA industries: water and sewage; power plants; power distribution; oil and gas; manufacturing; chemical plants; public safety; transportation; smart cities; public communication networks.



COURSE REGISTRATION


SINGLE DAY $750 | BOTH DAYS $1,250 (prices ex GST). Full course materials provided.

Training Workshop Syllabus

Day 1 (Intermediate): 24-06-2019 PERTH & 27-06-2019 SYDNEY

Part 1, 08:30 – 12:30: Introduction to ICS Technologies
o Introduction to ICS (SCADA, OT) architecture
o Roles of the main computers in ICS architecture
o Description of the Triangle and the Purdue ICS models
o Field control units: PLC, RTU, IED and remote I/Os
o Structuring an ICS cabinet with I/O technologies
o Complementing sensors and field control devices
o ICS data communications: networks and protocols
o PLC/RTU configuration and programming principles

Part 2, 13:30 – 17:30: SCADA/ICS Cyber Security Basics
o ICS and IT systems differences related to cyber risks
o Introduction to SCADA system security vulnerabilities
o Cyber risk development through social engineering
o Introduction to IAM, encryption and authentication
o Defence achieved by PPT: People-Policy-Technology
o External and internal attacks: MitM, DoS, DDoS, GPS
o Defence solutions: zoning, FW, IDS, SIEM, DMZ, UGW

Day 2 (Advanced): 25-06-2019 PERTH & 28-06-2019 SYDNEY

Part 1, 08:30 – 12:30: SCADA/ICS Cyber Security Vulnerabilities
o Introduction to ICS (SCADA, OT) and HMI solutions
o Field control units: PLC, RTU, IED and remote I/Os
o Use of IoT and IIoT for ICS installations
o Introduction to authentication and encryption
o Introduction to SCADA system security vulnerabilities
o Connection between safety and cyber security
o ICS and IT systems differences related to cyber risks
o Experience sharing: vulnerability assessment vs white-hat hackers, why you need both

Part 2, 13:30 – 17:30: ICS Cyber Security Risk and Defence Methodologies
o External and internal attacks: MitM, DoS, DDoS, GPS
o Industrial Cyber Kill Chain: the attack process step by step
o Communications and process anomaly detection using packet inspection
o Firewalls, IDS, SIEM, DMZ, UGW, visibility analysis
o Best practices to enhance ICS-IIoT cyber defence
o Periodic assessment to enhance ICS cyber security
o Standalone vs multi-purpose cyber security software: determining cost vs effectiveness
o Applicable standards: NERC-CIP, IEC 62443, NIST SP 800-82





Black Hat Seduction

Mitigating the migration of qualified professionals to the dark side

By Brenda van Rensburg

The statistics are out: there is going to be a skills shortage in the very near future. Cybersecurity Ventures has predicted that there will be about 3.5 million unfilled positions by 2021. However, if you look at current trends, it is the complete opposite. In Perth, Hays recruitment placed an advert for a “Cyber Security Analyst”. By the end of the week, this position had over 106 applications and 361 views. In Melbourne there is a mid-tier position as a Cyber Security Manager; this job has 94 applicants. If we head over to New York, there is a Cyber Security Sales position with 378 applicants. If cyber security skills are in such high demand, why are there so many applicants for a range of cyber jobs? More importantly, why are we continually encouraging more people into this field when the current people can’t even get jobs? Who has something to gain from the “alleged prediction”, and what happens to the people with a skill set they can’t get a job with?

In 2014, Cisco made a prediction that the industry would be short of more than 1 million professionals. We can clearly see that this is not the case. According to John McAfee, there are two job openings for every qualified individual. Maybe the individuals applying for different roles are not qualified? Or maybe the industry does not know what it wants. If you look at some current job ads, you will notice a request for a cyber superhero with a certificate for every acronym listed in the “cyber acronym dictionary”. And while you might think that would fit only one individual, I can guarantee you that this job had 121 applicants. Obviously there are a number of cyber superheroes in the world.

Cyber security, although a predicted skills shortage, is not void of certification. In fact, it is one of the industries where educational institutions have seen a huge marketing opportunity and have offered cyber security degrees and certifications. With recognised institutions behind them, coupled with the commonly quoted media statistics, people are lining up to get ahead of the curve. Outside of the possibility that most of these individuals already have a good foundation of “hacking” skills, education facilities are scrambling to provide an education for a platform that is evolving rapidly. According to Emerging Future, technology doubles every 11 months. This means that by the time you complete a degree in cyber security, most of the information you learnt will be history. It is probably why IBM hires individuals without a degree.

According to Business Insider, a black hat makes an average of $80,000 per month. No certification is needed. When students complete their university degree, they are faced with an average of $36,000 of debt, which could be offset by a possible entry-level job at $45,000. Notably, a job that is not guaranteed and, given the unreliability of the statistics cited above, a position that probably will not be there when they graduate. However, they will have a very unique skill set, one that could be compared to that of a trained marine. The only difference is that these individuals know how to move in and out of a system without being detected. They are also able to acquire data and sell it on sites which are, most often, hard to track. Furthermore, they love to be paid in bitcoin, and with more and more retailers accepting bitcoin, a career on the dark side of the fence is a little more alluring.

As a result, what we will be facing is not necessarily a job-skills shortage in the cyber sector. What we can most definitely expect is an increase in individuals with a unique skill set that would make Bryan Mills (a.k.a. Liam Neeson in Taken) look like a private. While everyone is scrambling to make a buck from selling a dream that may have a nightmarish ending, very few are thinking of the long-term impact. Cyber security skills in the wrong hands could be catastrophic. Tie that to someone who has spent a lifetime in a digital landscape and a number of years acquiring a certification for a job that may not exist, and you most definitely have an equation for disaster. After all, survival instinct is extremely powerful. When you place someone in a desperate situation, it is highly likely that they will apply desperate measures. If these measures mean dancing with black hats, then there is a strong chance that ethics will no longer be part of the solution.

In conclusion, to reduce the migration of our qualified professionals to the darker realm of the digital landscape, we must take on equal responsibility to offer them a role in which they can continue to contribute positively to the community and support themselves financially. Whilst it is unlawful to “hack into sites” without an owner’s permission, a person with a significant amount of skill will most definitely dance with the concept of being a black hat, because they too have bills to pay. Notably, we tend to turn to the private sector to pick up the pieces and offer jobs that were spurred by agencies outside of this area. However, the responsibility for ensuring opportunity for our digital citizens should fall on the shoulders of everyone who is encouraging people into the cyber industry.
Everyone that is capitalizing off the alleged prediction of a cyber security skill shortage, should be equally responsibility in assisting these individuals with acquiring a job. Unfortunately, when reality does not meet prediction, we are left with the same line that is given to every career decision taken: “We cannot guarantee you a job with this degree, but you have a better chance of one”. Unfortunately, for a country as a whole, we have a rising number of skilled individuals that have shifting ethics, values and morals. These same individuals will quickly work out that there is a more seductive opportunity on the darker realm of cyber than remaining hopeful that ‘one day’ they will get that job. The question that we are facing now: “What are we going to do about it?”



Cyber Security

Artificial Intelligence Ethics

By Jane Lo, Singapore Correspondent

Centuries before Turing’s question “Can machines think?”, philosophical postulations of machine intelligence included processing knowledge (Diderot: “If they find a parrot who could answer to everything, I would claim it to be an intelligent being without hesitation”) or holding a mode of consciousness and the same reasoning faculties as humans (Descartes: “I think therefore I am”). The term “Artificial Intelligence” (AI) was actually coined in 1956, by John McCarthy at the Dartmouth Conference, widely recognized as the first AI conference. In the decades since, AI languished in the innovations race, but is now finally catching up. From facial recognition to chat bots to driverless cars, it is a key player in today's digital world.

But this journey to “make machines intelligent” is not without controversies. Examples include Tesla Motors’ 2016 self-driving fatality and the recent Uber autonomous car which killed a pedestrian, or Google’s Project Maven to identify military targets from video footage. These incidents shifted the discussion in “AI Ethics” from pure philosophical contemplation to one of indisputable relevance. In Asia, the growing importance of “AI Ethics” can be seen from the survey results released by EmTech Asia (MIT Technology Review Asia’s AI agenda report) and at Accenture’s Ethical AI Media Roundtable.

• MIT Technology Review Asia’s survey: 37% believed that Asia will lead in the development and deployment of AI technology in the next decade (followed by 36% who believe Europe will lead).

• Accenture’s survey of 330 global business leaders, including 25 from Singapore: 67% in Singapore said they have an ethics committee to review the use of AI; 43% review their AI output at least weekly; 30% have a process in place for augmenting or overriding questionable results.

We heard more at EmTech Asia (22-23rd Jan 2019), Accenture’s Ethical AI Media Roundtable (16th Jan 2019, hosted by Mr Joon Seong Lee, Managing Director, Accenture Applied Intelligence ASEAN Lead), ADECS Asia Defence Expo and Conference Series (28-29th Jan 2019), and SGInnovate ‘In Conversation: AI Ethics’ (12th Dec 2018).

From left to right: Steve Leonard, Founding CEO, SGInnovate (moderator); Richard Koh, Chief Technology Officer, Microsoft Singapore; Yeong Zee Kin, Deputy Commissioner, Personal Data Protection Commission (PDPC) & Assistant Chief Executive (Data Innovation and Protection), Infocomm Media Development Authority; Dr David Hardoon, Chief Data Officer, Data Analytics Group, Monetary Authority of Singapore.

“AI Ethics” in Singapore

Recent governance and policy developments in Singapore included:

• June 2018: the Singapore Advisory Council was formed to advise the government on the ethical use of AI and data (its 11 members included Google, Alibaba and Microsoft, leaders from local companies, and advocates of social and consumer interests).

• Nov 2018: the Monetary Authority of Singapore introduced the “FEAT” (fairness, ethics, accountability and transparency) principles to promote responsible use of AI and data analytics and to strengthen internal governance around data management and use.

• Jan 2019: Singapore released a framework on how AI can be ethically and responsibly used. Released at the World Economic Forum (WEF), it is a “living document” intended to evolve along with the fast-paced changes in a digital economy.

But what is “AI Ethics”? In the framework released by Singapore, AI is “a set of technologies that seek to simulate human traits such as knowledge, reasoning, problem solving, perception, learning and planning. AI technologies rely on AI algorithms to generate models. The most appropriate model(s) is/are selected and deployed in a production system”. In this context, the framework is underpinned by two principles: that decisions made by or with the help of AI are explainable, transparent and fair to consumers, and that AI solutions are human-centric.

A private sector view was presented at the Accenture Roundtable. Dr Rumman Chowdhury (Managing Director & Global Lead for Responsible AI, Accenture Applied Intelligence) referred to “Responsible AI” as “the practice of using AI with good intention to empower employees and businesses, and fairly impact customers and society - allowing companies to engender trust and scale AI with confidence”. In practical terms, this means, for example, detecting and eliminating certain biases that may influence AI results, such as gender or race, using an “AI fairness tool”. Mr Koh (Chief Technology Officer, Microsoft Singapore), speaking at the SGInnovate event, distinguished between “AI ethics”, which “is about making sure there are no biases when building the algorithms”, and “ethical AI”, which “means that we expect it to be able to make moral decisions, which I don’t think an algorithm is capable of.”

“AI Ethics” is a complex subject that raises 4 frequently asked questions.

Will AI take our jobs?

“You will work. You will build ... You will serve them... Robots of the world...” — Radius in Karel Čapek’s 1920 science fiction “Rossumovi Univerzální Roboti” (RUR), which coined the word ‘robot’ for a new working class of automatons, originating from the Slavonic word rabota, which means servitude or forced labor.

Since the RUR publication, there have been optimistic predictions and setbacks known as “AI winters” before emerging with today’s impressive gains. Besides chatbots and driverless cars, we have robo-advisors, cobots, and adoption in other sectors. Recently, China’s state news agency Xinhua introduced AI anchors capable of reporting “24 hours a day, 365 days a year”. In the defense industry, Shuan Vickers (EW Development Manager, MASS, UK) said at ADECS 2019 that “from an electronic warfare perspective we could use machine learning to deal with some of the information challenges that are difficult for humans to work through quickly enough; think of it as artificial intelligence helping humans to make quicker, better decisions” and also “to recognize a pattern of events, and then predict what should be coming next”. The worry that these advances require less human touch is exacerbated by successes in chess and poker games. It is indeed hard to escape our nagging suspicion that AI will replace us.

Shuan Vickers, EW Development Manager, MASS, UK (“The Electromagnetic Environment/Domain is Changing - How do you know?”) at ADECS 2019. Photo Credit: ADECS 2019

The end of Poker Face?

At the MIT Technology Review, EmTech Asia, Poppy Crum (Chief Scientist, Dolby Laboratories) said: “Devices will know more about us than we do”. The petabytes of photos, messages, emails and videos that we exchange and store are commonly characterised by the 5 “V’s” – volume, veracity, variety, velocity and value. Digital data is key in speech and facial recognition, and sentiment analysis, for training or for drawing out key information. But its use has also elevated privacy as a key consideration when adopting AI. For example, in 2017, Google announced that it stopped scanning the emails of Gmail users for training AI to personalise adverts. However, more concerning than the privacy of our digital information is the rise of empathy robots - machines that read our emotions from eye dilation, skin heat, or speech patterns to tailor marketing messages or teaching methods. Are we also losing our right to keep our emotions private? Will AI be able to create a picture of our psychology even if we seem composed to the naked eye? Is it the end of poker face?

Will AI go rogue?

“A robot may not injure a human being, or, through inaction, allow a human being to come to harm” - Isaac Asimov’s Three Laws of Robot Ethics, First Law

Popular science fiction often explores possibilities of coding human values into robots, and “making” robots observe our values and respond accordingly. In the movie “Terminator”, the robot played by Arnold Schwarzenegger (the “evil T-800”) was reprogrammed, and transformed from an assassin to a protector (the “good T-800”) in the sequel “Terminator 2”. Where there are clear outcomes, programming AI to reflect our values requires understanding and mitigating data, model and algorithm biases. But human values are diverse - culturally situated and contextual. Our decisions can also be inconsistent and irrational. Frequently, there is ambiguity – and no “best” or “right” answer.

In a classic thought experiment, there is a railway trolley barreling down towards a group of five people strapped onto the tracks. We are standing some distance off next to a lever, faced with two choices: (1) pull the lever to divert the trolley onto a side track where a person is tied up, or (2) do nothing and the trolley kills the five people on the main track. SGInnovate’s event (“In Conversation: AI Ethics”) presented a similar moral dilemma in an Asian context (choosing between a young child or an elderly person?). “In such a lose-lose situation, I personally don’t know how even a human can make a so-called ‘best choice’,” said Mr Steve Leonard (SGInnovate Founding CEO), who moderated the panel. Mr Yeong (Deputy Commissioner, Personal Data Protection Commission) agreed: “When we obtained our driver’s license, we were never asked to answer such a question. So why should we expect an AI to be able to answer it ‘correctly’?” How do we code such a dilemma in a machine? What is the ‘best’ choice? How do we code the machine to make ethical decisions, as we do, under time pressure when there is no time to algorithmically optimize billions of outcomes?

Will AI control us?

“You are my creator, but I am your master; - obey!” – The monster to Victor Frankenstein

With this declaration from the monster, the power shift from Frankenstein to the monster is complete. We may accept, just as there is no 100% security, that there is no 100% control, and that as machines gain more autonomy, our control decreases. In our expectation that AI embodies similar human traits, emotions and intentions, and reacts like us, we find ourselves in a constant battle to religiously check that we have coded these traits in the machine. However, is it possible to fit and then control every theoretical scenario, physical mechanism and component in the machine? How do we control the unpredictability with which each machine in sprawling networks responds to its own algorithms?

EmTech Asia (22-23rd January 2019, MBS Singapore), Poppy Crum, Chief Scientist, Dolby Laboratories. Photo Credit: EmTech Asia

Doomsday or Utopia?

Too many questions, not enough answers. Will AI lead to the dystopian future painted by Science Fiction, or will it lead to a life of plenty, fun and leisure for humans? For now, doomsday scenarios remain in the realms of Science Fiction, and we still retain significant “control” over AI. We have not yet achieved “Strong AI” or “Super AI” that surpasses human intelligence. The AI we have so far, “Weak AI”, operates within a pre-determined and pre-defined range. For example, Apple Siri can answer “what is the weather today” but will probably give vague responses or URL links to “is global warming real?” However, there are already real implications from today’s adoption of “Weak AI”. If practical steps are not taken [1], we face the possibility that, as we delegate more and more tasks and decisions to machines, the ethics and values that sustain our societies may undergo subtle compromises that produce significant changes in our behavioural patterns over time.



Driving growth in Australia’s cyber security sector

From ideation to export, and everything in between, AustCyber works with:

• Startups
• Government agencies
• Scale-ups
• Research organisations
• Corporates
• Educational institutions
• Venture capital funds

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access:

• Funding across all stages of the commercialisation cycle
• Profitable global supply chains and growth markets.

The first step is to connect with us: www.austcyber.com | info@austcyber.com | +612 9239 3250 | @AustCyber


Frontline

The Health of NSW Hospital Security

By Konrad Buczynski

NSW Health recently released an interim report, commenced in mid-November 2018 and prepared by ex-NSW Police Officer and Minister Peter Anderson, titled “Improvements to security in hospitals”. Containing 48 recommendations, this report follows several major security initiatives within the sector in recent years, many of which were triggered by the 2016 shooting of a police officer and a security staff member at Nepean Hospital, using the officer's service pistol. The shooting itself was a clear illustration of a problem that has been on the increase for years in hospitals – a growing number of people presenting at Emergency Departments (EDs) and increased instances of aggression caused by mentally and/or drug impaired patients, and often their friends/relatives.

The police officer, Sergeant Luke Warburton, had been responding to a 000 call when Michael de Guzman “… grabbed Sergeant Warburton's Glock 22 from its holster and fired twice”. One bullet from the pistol passed through the leg of the officer and struck a hospital security officer in the shin. After 14 surgeries Warburton was back at work, but only part time and enduring long-term damage to his leg. Evidence was later given during the trial by forensic psychiatrist Adam Martin, who suggested that Guzman likely suffered a psychotic mental state precipitated by methamphetamine. This represents a blended manifestation of the problem, involving an apparently mentally impaired person becoming uncontrollably aggressive after taking illicit drugs; in this case a pair of scissors had been held to the throat of a doctor before the scuffle erupted with Sergeant Warburton.

Despite $24M being spent on CCTV upgrades, installation of remote locking systems and personal duress equipment, the recent report reveals that ample room for improvement continues to exist and that many of the issues of 2016 have not yet been mitigated. This includes a lack of effective recourses for staff in the event that an act of serious aggression occurs, especially in rural EDs, where police may not be available to help for extended periods.

Mixed Results

With a strong interest in matters of security governance, risk and compliance, this author noted the recommendation within the report which related to the elevation of issues of security to Board level or, where they exist, to “…subcommittees dealing with risk, audit and/or compliance”. This seems an obvious aspect of hospital governance, and its apparent absence runs counter to “NSW Health Policy and Standards for Security Risk Management in NSW Health Agencies”; this policy requires that the “Chief Executive and the Board get relevant information on security related risks and how they are being addressed”. If this is not being practised as intended, then it appears to highlight flaws in both Health NSW oversight and local implementation.

A further recommendation in the Anderson report relates to the creation of an additional NSW licensing sub-class for security officers/guards, one that acknowledges the nuanced duties of those involved in security in hospitals. In the absence of articulating what those nuances are, in favour of referencing the consensus of stakeholders engaged, some may regard this as debatable. Hospital security staff are currently required to hold a “NSW Class 1A - Unarmed Guard” endorsed security licence, which authorises the licensee to patrol, protect or guard any property while unarmed (whether static or mobile). It may be argued that security officers/guards in some other industries and nuanced situations do too. Creating an additional hospital licence sub-class (i.e. not even the broader health context) would add another layer to industry licensing arrangements. Moreover, the NSW regulator appears to have moved in the opposite direction, with the old Class G - Loss Prevention Officer being rolled back into Class 1A. In addition, and as noted further below, a health-focused training initiative has already been launched, with favourable results noted in the report. Regardless of the merits, it would have been useful to read the full background and justification for the recommendation (noting that this may yet be provided, as the report is still interim).

That aside, the recommendation to embed security staff within clinical support teams, such that they are a specialist element of local staffing rather than an outsider, is a good one, and consistent with the original 12-point plan reflected below.
This would assist control, cooperation and information sharing and, one would expect, contribute to the likelihood of achieving better security outcomes.

12-point Plan

In early 2016, the NSW Minister for Health, Jillian Skinner, announced a 12-point action plan in the aftermath of the shooting incident to “…improve security at all NSW public hospitals following a roundtable of health stakeholders and union representatives in Sydney”. This was the NSW Government’s necessary response to a serious incident in a sector that the community clearly and consistently considers a priority. This plan was designed to drive improvements to protect those who work in and visit hospitals, especially in view of increasing violence within Emergency Departments. The 12 points can be characterised as:

1) “Intensive” individual and team-based training for managing disturbed and aggressive behaviour.
2) Development of a better workplace health and safety culture and adopting zero tolerance to violence.
3) Undertake ED security audits at 20 nominated hospitals.
4) Establish a working group to identify opportunities for security staff professionalism and multi-disciplinary integration (i.e. working with non-security staff) in response to patient aggression.
5) Partner with TAFE to train existing security staff in the health environment.
6) Sponsor new trainees to undertake the course as a pathway into health security, and review.
7) Establish a group of expert clinicians to develop specific patient management and treatment pathways for patients presenting at EDs under the influence of psychostimulants (e.g. ice).
8) “Examine” the availability of resources, including the use of telehealth options for rural and regional areas, for patients presenting to EDs under the influence of psychostimulants.
9) Work with NSW Police to ensure arrangements involving them are adequate.
10) Examine potential legislative changes to ensure that security staff are covered by its provisions, including legal protections when acting in good faith in response to an incident.
11) Define specific recourses for security staff in relation to removing disruptive non-patients from hospital premises.
12) Improve incident management reporting systems.

Action 3 in the plan was completed in August 2016 via contractor BRI, whose consultants reported that, while NSW Health policy was clearly documented, it was not “prescriptive or proscriptive”, and this was resulting in non-uniform policy implementation (underpinning the Anderson report observations). Specifically, “Inconsistencies were found in the way that policy was implemented in the following areas:

• The conduct and content of risk assessments.
• Training for ED clinical and security staff in aggression or conflict management.
• Responses to duress alarms and medical alarms when used for non-medical incidents.
• The understanding of the roles and responsibilities of security staff including HASAs.
• The understanding of clinical staff of their role in relation to managing violent patients.
• The carriage and use of prohibited weapons (batons & handcuffs) by security staff.
• The carriage and use of personal duress alarms by ED staff including doctors and visiting clinicians.
• The development and testing of Code Black procedures.
• The use of restraints in the ED.
• The reporting of incidents occurring in the ED.
• The acceptance by ED staff of verbal abuse and harassment.
• The use of CCTV - its purpose and use”.

Among other things, the report indicated that “…the risk assessment process was not well understood by some of those charged with this responsibility”, and significantly, that “The auditors did not sight any documented risk assessments that were specific to the hazards and risks…” of EDs. The second observation required a second read in view of the extensive security risk management policy and procedural guidance applicable and readily accessible to the sector, and the fact that 20 hospitals were audited. If accurate, which is assumed, it is a significant revelation and a negative indictment on risk management practices within the sector. There was nothing to suggest that this issue had been remedied across NSW hospitals within the Anderson report, notwithstanding that ‘risk management’ was not specifically addressed within it.

A number of irregular cultural deficiencies were also reported in the BRI report, which highlighted (among other things) an at times casual approach to minimising access to sharps, failing to afford/appreciate at least equivalency between co-worker health and safety and that of patients presenting, and planning for a coordinated response to code black situations. One of the underlying issues may perhaps be evident through a response noted within the Anderson report, wherein a hospital stakeholder indicated that “I will resign if security are brought in”. Peter Anderson notes this response in reporting the “…significant divergence of opinion amongst staff”, and even between staff and the union.

Separately, a NSW Health policy was issued in October 2018, relating to the release of a “Security Assessment Inspection Tool (SIAT)”. The purpose of the tool is to “…determine compliance with the Protecting People and Property: NSW Health Policy and Standards for Security Risk Management in NSW Health Agencies (Security Manual) and work health and safety and security legislation and to ensure continuous improvement in security risk management”. This is assumed to be in response to the observation that security risk management practices were poorly regarded, especially in relation to EDs.
An interesting aspect of this policy is that it specifically mentions that “…All hospitals are to be audited within the audit cycle by at least a person with a 1A security licence and extensive health care security experience…” While the language is confusing, it is expected that NSW Health regards the Class 2A licence (security consultants - those who are specifically endorsed to deliver services like audits and assessments) as a superior endorsement to 1A. It would be useful to ensure that this is clearer in future policy updates.

Emergency Department Recourse

Further, and as already mentioned, the report does highlight that no stakeholder that was engaged had a satisfactory answer for when an act of serious aggression occurs, especially in rural EDs. This does not necessarily mean that nothing can be done, and it is (arguably) considered more a reflection of what might be described as ‘risk treatment appetite’. For instance, the Anderson report does not support the “re-introduction” of special constables (without detailed explanation), but the NSW Health Services Union indicated that it did, just prior to the review being launched. Unlike a situation where a guard may be forced to make a citizen’s arrest, which carries with it significantly elevated safety and legal liability, a formally appointed special constable would have the authority to restrain and detain people who pose a significant risk to others. Embedded, as they presently are, within integrated hospital management teams, it may be the case that some of the risks of appointing security officers as special constables may be at least partly mitigated. It is hard to assess, however, without solid reasoning being provided, and it is expected that there would be a range of other risks.

Incident Management

One of the other key issues raised in many hospital security reviews has been the absence of effective incident reporting and management systems, and regular use of those systems. This is considered linked to the assertion in the BRI report that “…all of the EDs visited …staff would in fact tolerate a certain level of verbal aggressive or anti-social behaviour by patients and visitors.” This runs contrary to the NSW Health policy of zero tolerance to aggressive behaviour. Were the full quantity and details of incidents to be accurately documented, it is certain that this would highlight the very difficult and dangerous situation that hospital staff are placed in routinely. It needs to be acknowledged that numerous changes are clearly underway within the sector, but whether they are making a discernible difference as yet is difficult to assess, especially in the absence of comprehensive incident reporting. In the meantime, and for the benefit of those working in EDs and elsewhere, it is hoped that a repeat of an incident comparable to the 2016 one is avoided at all costs.

About the Author

Konrad Buczynski is a Certified Practising Risk Manager (CPRM) with the Risk Management Institute of Australasia (RMIA), the Managing Director of Industry Risk and Principal of SECTARA


AuSec2019, 9th July 2019

5TH AUSTRALIAN SECURITY SUMMIT

Hotel Realm, Canberra

Join the hundreds of security officials from across the globe for our annual Australian Security Summit as they discuss the challenges at the forefront of intelligence, security strategy, operations, policy and procurement.

LINDA GEDDES, Commonwealth Counter-Terrorism Coordinator, Department of Home Affairs

PADDY MCGUINNESS, Former Deputy National Security Adviser, Intelligence, Security and Resilience (UK)

DR TOBIAS FEAKIN, Australian Ambassador for Cyber Affairs, Australian Government

CAROLINE MILLAR, Deputy Secretary, National Security and International Policy Group, Department of the Prime Minister and Cabinet

DATO’ DR AMIRUDIN ABDUL WAHAB, CEO, Cybersecurity Malaysia

NICHOLAS RASMUSSEN, Director, National Counterterrorism Center (NCTC), USA

Register your place today. Call: (02) 9008 7676 Email: info@publicsectornetwork.com.au Visit: publicsectornetwork.co

Quote MySec30 for 30% off* your ticket. *Government only


Frontline

The Danger of Slashing: Human Anatomy By Robert Kaiser

46 | Australian Security Magazine

On Monday morning, the 18th April 2018, an 8-year-old boy left home with a kitchen knife and walked into his central Minnesota elementary school. Minutes later he slashed three fellow pupils aged 8, 9 and 13 years old, all of whom required surgery. One doesn’t require intense knife training to cause damage to others, and you, as a homeland security professional or enforcement agent, must therefore accept that anyone carrying a knife represents a real danger, even if he/she looks like he/she hasn’t got a clue what he/she is actually doing. Slash resistant clothing has been developed to effectively improve your personal safety by offering cut/slash protection to highly vulnerable areas, to which common body armour (a bullet or stab resistant vest) does not offer any protection whatsoever. To help you understand why this type of PPE (Personal Protective Equipment) makes real operational sense, please allow me to explain some extremely important things about human anatomy and its relevance to combat… or in this case your defence and survival. For the purpose of this article I will not go into the ‘stabbing’ motion/action of using a knife. I have extensively covered this in the past and will continue to cover this type of attack in dedicated articles in the future. The following really highlights the potentially irreparable and even deadly consequences of being slashed by either someone who knows what he/she is doing, or by someone who just wildly swings that knife and ultimately may well get ‘lucky’. I do not claim to be a medical expert, hence please forgive me if something isn’t 100% medically accurate or precisely phrased. However, based on my understanding of this subject matter I can assure you that the following information is reliable enough to be taken seriously, and for you to either consider issuing your team with slash resistant clothing, or indeed for you to consider wearing it whilst on duty.

Those who know how to use a knife effectively will understand that, when it comes to knife combat, stabbing and blood loss will not necessarily and quickly incapacitate an attacker. Combat expert and author Michael Janich did excellent research on this topic, and after careful analysis of forensic data, modern trauma medicine and consulting with experts on this subject matter, Janich’s research concluded the very same. In fact, in an article titled “The Realities of Knife Stopping Power”, Janich mentioned a case wherein a combatant received 50 stab wounds and still managed to fight for five minutes before collapsing due to collective blood loss, and I personally have witnessed cases of individuals who have survived multiple stabbings and made their way home without any assistance. In a self-defence situation (or indeed in a situation where your operation requires you to incapacitate an assailant) every single second counts and can indeed make the difference between life and death. If you wound an attacker, but he still has the ability to do the same to you, you may still die. When/if someone is knowledgeable enough and his intention is to immediately incapacitate you, you really have to understand human anatomy.

To hold anything in your hand, such as a baton, CS gas or shield (if you are a police officer), the muscles of your forearm contract and pull on the flexor tendons, which pass through your wrist and are attached to your fingers. If someone cuts or slashes the tendons or the muscles that power them, this connection is broken and your hand will no longer be able to close or to hold your baton, CS gas, shield or anything else you might be holding. This concept applies to all muscle groups, tendons and limbs. If someone cuts or slashes the key tissues responsible for moving a limb, he would most likely disable or at least severely hinder your limb’s function. Sometimes this is referred to as ‘biomechanical cutting’. Based on the above, the flexor tendons or muscles of the forearm, the biceps and triceps muscles of your upper arms, and the major quadriceps muscles just above the knee require reliable and effective protection from such a deliberate attack or cut. Just above the knee, where the muscles narrow and connect to the patellar tendon, the area is typically covered by just a single layer of trouser material. It is a comparatively large target, and if someone is close enough to reach your body, that person will clearly also be close enough to reach your quadriceps. Cutting this target is called a ‘mobility kill’... you will no longer be able to effectively defend yourself and hence it is extremely likely you will be defeated or eliminated. Although many will claim that this approach doesn’t work, historical evidence from sources around the world suggests very differently. Perhaps the best-known reference comes from the Filipino martial arts, which have a very highly evolved edged-weapon culture. Their key tactic is called “defanging the snake”… meaning targeting the attacking limb to destroy its structure and function. According to their symbolism, the weapon is the “fang” and the arm wielding it is the “snake.” Removing the fang from the snake immediately eliminates the primary threat to the defender… the attacker’s weapon. In the traditional Filipino knife arts, aiming to cut the attacker’s wrist or forearm is one of the prime objectives.
The goal is to sever the flexor tendons that connect the forearm muscles to the fingers, destroying the attacker’s ability to grip his weapon. Cutting the muscles on the inside of the forearm can produce the same effect. Can you slowly see what I can see? Can you see the risks involved when confronted by someone wielding a knife? Most of us are concerned about being ‘stabbed’, but many trained specialists might have other plans… and that’s when slash resistant clothing starts making sense. The graphic below and the following numbered points will give you a reasonable understanding of the most vulnerable ‘slashing targets’. Each ‘successful’ cut or slash can or will either lead to rapid blood loss and subsequent death (most likely caused by a) shock and b) blood loss), or dramatically decrease your mobility. However, please note that the graphic below does not feature all targets, but is simply a selection of some of the key targets on the front of a human torso: targets a trained professional will aim for to cause maximum harm, pain or death. Due to the ‘worst case scenario outcome’ we strongly advise you to look, or re-look, at the potential use of slash resistant clothing within your line of work.

1. The side of the neck and throat, just about even with the Adam’s apple. This area contains the Carotid Artery and Jugular Vein. If either is cut the attacker will bleed to death very rapidly. The Carotid is approximately 1.5″ below the surface of the skin, and if severed unconsciousness will result in approximately 5-15 seconds.
2. A powerful cut to the outer side of the pectoral muscle can potentially sever the cephalic vein, which will bleed profusely.
3. A powerful cut across the front of the deltoid muscle may sever the cephalic vein.
4. A slashing cut across the biceps can a) disable any motion of the arm and b) as it contains multiple veins, cause rapid blood loss.




5. A slashing cut across the inside of the elbow joint. In addition to the numerous veins, this area also contains the ligaments that enable motion in the forearm.
6. A horizontal cut across the neck and throat will not only sever your Jugular Vein and cause death, but it will also cut the trachea and ligaments that control movement of the head.
7. A powerful slash across your pectoral muscle will destroy your ability to throw punches with any power.
8. A powerful vertical slash leading to the penetration of the abdominal wall will result in loss of motion, and possible disembowelment.
9. A powerful horizontal slash to the abdomen leading to the successful penetration of the abdominal wall will result in loss of motion, and possible disembowelment.
10. A more than one-inch penetrating slash to the inside of the forearm between the radius and ulna bones will sever the radial artery (this artery runs across the top of the radius bone 2-4 inches behind the base of your thumb). Severing the radial artery can result in unconsciousness in as little as 30 seconds, and death in as little as two minutes.
11. The brachial artery runs along the inside of your arms. This artery is deep, but severing it will result in unconsciousness in as little as 15 seconds, and death in as little as 90 seconds.

All of the potential injuries following any of the above highlighted cuts could be prevented. I haven’t written this brief article as a scaremongering tactic. I haven’t written this brief article to provide those bad men/women who currently plan attacks on other good human beings with additional information to cause further harm, or harm in a more effective fashion. There are men and women out there who have made a professional choice in their lives to protect other human beings, facilities, venues, events and infrastructure from the bad guys. We at PPSS Group genuinely believe those men and women have the moral and legal right to be equipped appropriately, and this brief article simply highlights the risks and threats they face, sometimes on a daily basis. Risks and threats the general public is not aware of or simply cannot see or comprehend.

Ryan Vickers, PPSS Group’s Director of Global Development, and a man who spent nearly 15 years advising clients on security and risk in hostile and austere environments, says “it is imperative that companies, and their management teams, have an overall process of risk identification, risk analysis and risk evaluation, forming part of a dynamic and up to date risk assessment. Once all the risks have been identified and evaluated, control measures and ‘treatment’ must be put in place in order to keep the residual risk as low as possible. Senior and Operational Management teams within companies have a legal obligation to ensure their staff and teams are provided with adequate equipment and measures. The Context and Risk Assessment forms the base for all operational concepts and decision making.”

Please view the following brief video of Craig Wylde, a close friend of mine, who served as an Infantry soldier in the British Army and was later brutally assaulted while serving as a prison officer at Frankland High Security Prison: www.youtube.com/watch?v=-qFoPA6lJYI

We are extremely passionate about their safety, and our mission is to let the world know that their safety can be improved dramatically without compromising their ability to operate and function effectively. The question simply is: do you care enough?

About the Author: Robert Kaiser is the CEO of PPSS Group, the company behind the global leader in slash resistant clothing: SlashPRO®



Connecting mission-critical Push-to-Talk with enterprise-grade apps

When lives depend on co-ordinated action, there is a requirement for standards that interconnect Push-To-Talk with enterprise-grade communication apps.

By Roderick Hodgson, Director, Secure Chorus


First responders in medical services, police forces, border security, fire services, civil aviation, disaster relief, armed forces and other emergency services have a requirement to communicate efficiently and securely not only with each other, but with other stakeholders such as government officials. Until recently, connecting enterprise-grade communication apps to first responders using Mission-Critical Push-to-Talk (PTT) communication has not been technically possible, but innovation resulting from Secure Chorus’ interoperability standards can enable such communication. Historically, emergency services have relied on dedicated radio systems to provide these mission-critical communication services. The ‘Project 25’ standard was adopted in North America, while Terrestrial Trunked Radio (TETRA) has become widely used in 114 countries across Europe, the Middle East, Africa, Asia Pacific, the Caribbean and South America. The TETRA standard was designed to be entirely separate from commercial mobile infrastructure. When it was first standardised in 1995, the first 3G infrastructure had not yet been introduced to the consumer market. Since the development of TETRA, however, commercial mobile infrastructure has undergone a complete transformation, with the universal take-up of 4G.

Commercial mobile operators are now rapidly migrating to IP-based systems and are preparing for the roll-out of the next-generation consumer mobile technology, 5G. This investment in commercial mobile infrastructure is bringing increased performance and additional features to the user market. Originally developed for voice communication, TETRA remains reliable for that type of communication. But it has limited capacity for handling the vast demands for data bandwidth created by the media-rich communications that have become essential in emergency response environments. Also, agencies adopting TETRA often find themselves “locked in” to a single supplier, limiting their ability to upgrade to different technologies. This also places limits on their ability to communicate with colleagues in neighbouring countries or agencies. While features have been added to improve TETRA (such as the “TETRA Enhanced Data Service”), and to build interoperability gateways between systems (such as the “TETRA Inter-System Interface”), these have seen limited uptake to date. Many countries are evaluating the use of commercial mobile infrastructure to provide the necessary bandwidth and are delivering much-needed additional capabilities. Consideration is being given to augmenting or replacing TETRA with an interoperable standard that leverages public mobile telephony infrastructure – the Mission-Critical family of standards, developed by the 3rd Generation Partnership Project (3GPP). The term “Mission-Critical Push-to-Talk” (MCPTT) refers to Push-to-Talk solutions that can support the requirements of emergency services applications. To meet this requirement, 3GPP has developed a set of standards that has been extended to include “Mission-Critical Data” and “Mission-Critical Video”. As well as providing mobile telephony infrastructure with extra capabilities, many countries are considering it as an opportunity to set worldwide standards to drive interoperability between emergency services agencies and other important stakeholders. However, it is important to note that the increased use of commercial mobile infrastructure also presents a problem, in that it exposes emergency services communications to a number of possible attack vectors, including:

• Users disclosing sensitive information to potential attackers without confirmation of the identity of the person they are speaking with.
• Attackers gaining privileged network access within an organisation, allowing them to retrieve multimedia data exchanged on a network.
• An attacker compromising elements of the public mobile telephony infrastructure or using a fake base station in close physical proximity to its target, and so gaining access to all data and call content, as well as metadata for all users on that base station.
• Attackers offering public telephony networks low-cost wholesale data routing, and so potentially having access to all data routed over their network.

As a result of these threats, it is essential to ensure that data is protected end-to-end, and that data recipients can be confident that the content has come from a genuine source.
To address this, 3GPP has defined the “Security of Mission-Critical Service”, mandating the open cryptography standard MIKEY-SAKKE to be used for encrypting data and providing cryptographic keys. MIKEY-SAKKE is a cryptography standard with a unique key management approach – Identity-Based Public Key Cryptography (IDPKC). Techniques pioneered in the MIKEY-SAKKE protocol were designed to minimise the traffic overhead needed to exchange keys and to establish a secure data transfer or voice call between users, while largely removing the need for a public key infrastructure. Beyond its efficiency, it also has the advantage of helping to minimise infrastructure cost. 2012 saw the UK Government’s National Technical Authority for Information Assurance (CESG) – now the National Cyber Security Centre (NCSC) – define MIKEY-SAKKE as a protocol to answer the security requirements of the UK government for a cryptographic method for validating an identity, for government communications. This protocol was based upon an existing standard for elliptic curve signatures, the Elliptic Curve Digital Signature Algorithm (ECDSA), and an identity-based cryptographic protocol developed by two Japanese researchers, Ryuichi Sakai and Masao Kasahara. This gave rise to MIKEY-SAKKE, which was made an open standard by the Internet Engineering Task Force (IETF), a standards organisation that develops and promotes voluntary Internet standards.

MIKEY-SAKKE is configured so that each user is attached to a Key Management Server (KMS). This server distributes key information to the users it manages on a regular (typically monthly) basis. The existence of the KMS means that organisations have control over their own security system, without giving access to their data to unauthorised third parties. A further advantage is that the KMS can be managed entirely by an organisation’s own IT team. It can also be kept offline for maximal security. Ultimately, due to the properties of MIKEY-SAKKE, organisations can retain full control over their security system, and only those explicitly authorised by an organisation can access that organisation’s data. This is especially important in cross-border mission-critical scenarios where a diverse set of stakeholders from different countries and organisations may need to be involved in the emergency response plans in case of hurricanes, floods, wildfires, oil spills, chemical spills, acts of terrorism, and other events threatening the lives and health of the public. While the standards developed by 3GPP ensure interoperability between users of Mission-Critical Push-to-Talk (MCPTT) systems, in certain scenarios emergency services organisations may also need to communicate securely with other stakeholders that may not be users of typical emergency services equipment on a day-to-day basis. Generally, such stakeholders may favour enterprise-grade mobile applications that answer their day-to-day communication requirements.

While commonly available secure communication mobile applications may offer a degree of security, these solutions are typically not able to communicate with users of MCPTT, leading to operational inefficiency or the use of insecure communications. One of the solutions for users not using MCPTT on a day-to-day basis is to adopt Secure Chorus compliant products. These are enterprise-grade communication apps that provide the benefits of MIKEY-SAKKE and its unique key management approach. Because all Secure Chorus compliant products contain MIKEY-SAKKE, there is now a much lower bar to developing interoperability standards to connect MCPTT with enterprise-grade communication apps.

Download the white paper: “Emergency Services Communications: Secure Chorus Compliant Products interoperability with Mission-Critical Push-to-Talk Products”
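As an added illustration of the KMS model described above (example code written for this article, not Secure Chorus or 3GPP code), here is a compact implementation following the structure of ECCSI (RFC 6507), the identity-based signature component of MIKEY-SAKKE, over NIST P-256 with SHA-256: the KMS publishes one public value (KPAK), issues each identity a secret signing key (SSK) and a public validation token (PVT), and a recipient verifies a message using only KPAK and the sender's claimed identity, with no certificate or PKI lookup. Assumptions: the identity strings and message are constructed, the octet encodings follow the RFC loosely so the output is not claimed to interoperate with real products, and the curve arithmetic is teaching code that is not constant-time.

```python
import hashlib
import secrets

# NIST P-256: y^2 = x^3 - 3x + B (mod P); base point G has prime order Q.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
Q = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 32  # octet length of a field element or scalar

def ec_add(p1, p2):
    if p1 is None or p2 is None:             # None stands for the point at infinity
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (teaching code, not constant-time)."""
    result, k = None, k % Q
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return result

def on_curve(pt):
    return (pt[1] ** 2 - (pt[0] ** 3 - 3 * pt[0] + B)) % P == 0

def enc_point(pt):
    return b"\x04" + pt[0].to_bytes(N, "big") + pt[1].to_bytes(N, "big")

def enc_int(n):
    return n.to_bytes(N, "big")

def sha256_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def hash_hs(kpak, identity, pvt):
    """HS = hash(G || KPAK || ID || PVT): binds the user's key material to its identity."""
    return sha256_int(enc_point(G), enc_point(kpak), identity, enc_point(pvt))

def kms_setup():
    """KMS root secret KSAK and the public KPAK = [KSAK]G that every verifier trusts."""
    ksak = secrets.randbelow(Q - 1) + 1
    return ksak, ec_mul(ksak, G)

def kms_provision(ksak, kpak, identity):
    """Issue (SSK, PVT) for one identity; delivered to the user over a protected channel."""
    v = secrets.randbelow(Q - 1) + 1
    pvt = ec_mul(v, G)
    return (ksak + hash_hs(kpak, identity, pvt) * v) % Q, pvt

def validate_key(kpak, identity, ssk, pvt):
    """User-side check of received KMS material: [SSK]G must equal [HS]PVT + KPAK."""
    return ec_mul(ssk, G) == ec_add(ec_mul(hash_hs(kpak, identity, pvt), pvt), kpak)

def sign(kpak, identity, ssk, pvt, message):
    hs = hash_hs(kpak, identity, pvt)
    while True:
        j = secrets.randbelow(Q - 1) + 1
        r = ec_mul(j, G)[0]                           # x-coordinate of J = [j]G
        he = sha256_int(enc_int(hs), enc_int(r), message)
        t = (he + r * ssk) % Q
        if t:                                         # retry on the negligible t == 0
            s = j * pow(t, -1, Q) % Q
            return enc_int(r) + enc_int(s) + enc_point(pvt)   # signature = r || s || PVT

def verify(kpak, identity, message, signature):
    """Needs only the KMS public key and the claimed identity: no certificate lookup."""
    if len(signature) != 4 * N + 1 or signature[2 * N] != 0x04:
        return False
    r, s = (int.from_bytes(signature[i:i + N], "big") for i in (0, N))
    pvt = tuple(int.from_bytes(signature[i:i + N], "big") for i in (2 * N + 1, 3 * N + 1))
    if not 0 < s < Q or not on_curve(pvt):            # reject malformed validation tokens
        return False
    hs = hash_hs(kpak, identity, pvt)
    y = ec_add(ec_mul(hs, pvt), kpak)                 # Y = [HS]PVT + KPAK, equals [SSK]G
    he = sha256_int(enc_int(hs), enc_int(r), message)
    j = ec_mul(s, ec_add(ec_mul(he, G), ec_mul(r, y)))
    return j is not None and j[0] == r

def demo():
    ksak, kpak = kms_setup()
    alice = b"2019-03\x00tel:+61400000000"   # constructed identity, monthly "YYYY-MM\0uri" style
    ssk, pvt = kms_provision(ksak, kpak, alice)
    msg = b"Unit 7: road closed at grid 4521, reroute ambulance via Main St"   # constructed
    sig = sign(kpak, alice, ssk, pvt, msg)
    return (validate_key(kpak, alice, ssk, pvt),
            verify(kpak, alice, msg, sig),
            verify(kpak, b"2019-03\x00tel:+61400000001", msg, sig),   # wrong identity
            verify(kpak, alice, msg + b"!", sig))                     # tampered message
```

The last two results show the property the article relies on: a signature verifies only under the identity the KMS bound it to, and only for the exact message, so a recipient cannot be fooled by a caller claiming someone else's number.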



CCTV SPECIAL

The new compression in your pocket

By Vlado Damjanovski


Are you aware that you have a new compression in your pocket? The latest iOS on your smartphone and iPad already embeds a new compression inside the camera functionality. If you take pictures and then view them on the smart device itself you may not notice anything unusual. However, when you export these images to your computer you may notice a new file format with an ‘HEIC’ extension, not ‘JPEG’ as before. The HEIC extension refers to a compression known as the High Efficiency Image File Format (HEIF). This is a component of the new High Efficiency Video Compression (HEVC) standard, popularly known in the CCTV industry as H.265. HEIF is a new image compression format which was developed by the MPEG imaging experts in 2015. It is now used by Apple as the default image compression in their latest iOS operating system (starting from v.11). Google is planning to include the same in their latest Android OS. The HEIC format refers to an image compression that is a two-dimensional (Horizontal x Vertical pixels) compression of still images. The HEVC format refers to a video compression which deals with moving images (three dimensions: Horizontal x Vertical x Time) and sound.

The HEIC file format can be decoded by newer operating systems, beginning with Mac OSX High Sierra (v.10.13), Mojave (v.10.14) and Windows 10 (v.1803 and later). Since the new compression formats are very new, some users may find it challenging to open and edit such photos or videos with their default (older) photo-editing programs on their computers. In Mac OSX this can be done automatically by the native Preview app, while for Windows dedicated software needs to be installed; examples are iMazing and Apowersoft Photo Viewer. It is also possible to switch the smart device to use the “Most Compatible” format (under Settings => Camera => Formats), which will reset the image format back to JPG. Professional photo editing software, like Adobe Lightroom, has already come up with an HEIC plug-in. JPEG compression has existed since 1992, and as such JPG decoders are embedded in all known software which needs to decode JPG images, such as web browsers, word processors and e-mail programs. Since HEIC is a very new compression, when sending an HEIC image file as an e-mail attachment the latest iOS operating system automatically converts it to JPG. This function will eventually be made redundant once HEIC becomes more common.
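To show what an ‘HEIC’ file actually is under the hood, here is an added example (mine, not the author’s) that reads the ISO Base Media ‘ftyp’ box that HEIF shares with MP4/MOV containers and classifies a buffer as JPEG, HEIF or something else by its content; the byte samples are constructed stand-ins for real photos and videos. This matters when ingesting uploads or CCTV exports, where the file extension alone should not decide how a file is parsed.

```python
import struct

# Brands from the HEIF specification (ISO/IEC 23008-12) for HEVC-coded images and
# image sequences. 'mif1' / 'msf1' are the structural brands; iPhone HEIC files
# typically carry major brand 'heic' with compatible brands 'mif1' and 'heic'.
HEIF_BRANDS = {b"heic", b"heix", b"hevc", b"hevx", b"heim", b"heis", b"mif1", b"msf1"}
JPEG_SOI = b"\xff\xd8\xff"   # JPEG Start-Of-Image marker followed by an APPn marker


def parse_ftyp(data):
    """Return (major_brand, compatible_brands) from a leading ISOBMFF 'ftyp' box, or None."""
    if len(data) < 16:
        return None
    size, box_type = struct.unpack(">I4s", data[:8])
    header = 8
    if size == 1:                        # 64-bit 'largesize' follows the type field
        size, header = struct.unpack(">Q", data[8:16])[0], 16
    elif size == 0:                      # box runs to the end of the file
        size = len(data)
    if box_type != b"ftyp" or size < header + 8 or size > len(data):
        return None
    major = data[header:header + 4]      # then 4 bytes of minor_version, then brands
    compat = [data[i:i + 4] for i in range(header + 8, size, 4) if len(data[i:i + 4]) == 4]
    return major, compat


def sniff_image(data):
    """Classify by content rather than by the extension the sender chose."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    parsed = parse_ftyp(data)
    if parsed is None:
        return "unknown"
    major, compat = parsed
    if major in HEIF_BRANDS or HEIF_BRANDS.intersection(compat):
        return "heif"
    return "isobmff-other"               # e.g. an MP4/MOV video in the same container family


def build_ftyp(major, minor, compat):
    """Build an 'ftyp' box so the samples below can be constructed without real files."""
    body = b"ftyp" + major + struct.pack(">I", minor) + b"".join(compat)
    return struct.pack(">I", 4 + len(body)) + body


# Constructed samples (not real photos or videos)
IPHONE_HEIC = build_ftyp(b"heic", 0, [b"mif1", b"heic"]) + b"\x00" * 8
PLAIN_JPEG = JPEG_SOI + b"\xe1" + b"\x00" * 12            # e.g. uploaded as "photo.heic"
MP4_VIDEO = build_ftyp(b"isom", 512, [b"isom", b"iso2", b"avc1", b"mp41"])
LARGESIZE_HEIF = b"\x00\x00\x00\x01ftyp" + struct.pack(">Q", 28) + b"mif1" + bytes(4) + b"heic"
```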



The HEIF increases the efficiency and quality of the compression algorithms. As the name suggests, the ‘high efficiency’ coding means that for the same picture quality you would get from JPG compression, the HEIC would be a much smaller file. Saving space with the HEIC file format is only one of the advantages, and reasons, for switching to it. Another advantage of HEIC is its ability to compress a sequence of images (like the ‘burst shot’ function when taking ‘live pictures’ with your iPhone). You can also save auxiliary data, such as the depth map used in Face Cam when unlocking your smartphone. The depth map is also useful in image processing with dual camera smartphones, where digital blurring of the background is performed by software processing, simulating a narrow depth of field effect for more appealing portraits. Furthermore, the HEIF compression uses 16-bit colours, instead of the 8-bit colours used with JPG. This makes colour images with gradual colour transitions, like blue sky, appear smoother and more natural; blocky artefacts - typical of JPG - become less obvious. Admittedly, there is a price to pay for such an increase in efficiency in HEIC compression, and that is more number crunching, and more coding and decoding processing. With modern and super-fast processors this is hardly noticeable, as processor capacity keeps growing by the day. When comparing an HEIC with a JPEG compressed image, the typical file-size ratio is 1:2 for the same image quality. This means a standard 12MP image from an iPhone, which (depending on the content) would occupy around 2~3MB in JPG, would occupy around 1~2MB as an HEIC image with the same visual quality. Most people today use their smartphones for picture taking on a daily basis on all occasions, privately and professionally, and this requires a large amount of data space. This is the main reason that many iPhone users always need extra space on their devices. With the update to the latest operating system they can then take more pictures and videos on the same device, consuming much less space yet offering the same image quality.

For illustration purposes, I have prepared some screenshots of the ViDi Labs test chart, compressed in JPG and HEIC format. The images were made with a ‘standard’ 12MP 1/3 sensor of an iPhone 7 using a ‘standard’ 4mm lens. For comparison, I have also produced an uncompressed TIFF of the same test chart using special iPhone software that allows for an uncompressed image. The uncompressed 12MP image produced in 16-bit RGB colour space TIFF format occupies around 43.4MB of data. The equivalent JPG produced of the same test chart image was around 2.4MB. This is nearly 20x smaller than the TIFF! It is not surprising that users prefer JPG compression rather than the uncompressed TIFF format, for very little loss in quality. The equivalent HEIC file is literally half of this, 1.2MB, and it is almost impossible to notice any loss of detail compared with the JPG. The ViDi Labs test chart has many small details and after careful inspection I could not see any difference between the JPG and HEIC files, despite them being 2:1 in file size.

[Figure: ViDi Labs test chart crops compressed as JPEG, TIFF and HEIC]

There is a tiny visible difference between the TIF file and the JPG and HEIC, where the TIF looks slightly sharper, as would be expected (being uncompressed). This is shown further in the picture crops. Offering such data savings, there is no doubt that HEIC will soon be used in modern IP CCTV cameras.




A history of CCTV test charts!

By Vlado Damjanovski


ViDi Labs has just finished designing its latest test chart for the CCTV industry, v.5.0. This is a great update with many new features that will easily and convincingly indicate various camera qualities. The new test chart is intended for cameras with various aspect ratio imaging sensors such as 16:9, 3:2 and 4:3, including the most common HD resolution (1920x1080 pixels), the new UHD (aka 4K, with 3840x2160 pixels) and all other megapixel cameras. Most importantly, this new test chart accommodates the latest CCTV standards, including the IEC 62676-4 and 62676-5 standards, and continuous sinewave Siemens stars for better resolution measurements, faces, money and card samples, number-plates, as well as a Macbeth colour chart. Here at ViDi Labs, we felt it was time for a test chart update. However, before I explain all the innovations that are included in this new design, I would like to go back in time and give you a history of the test charts we have been producing for over twenty-five years. It may come as a surprise to some that we were the first in the industry to introduce test charts for the CCTV industry.

Back in 1994, I wrote and published my first book on the subject of CCTV (simply called ‘CCTV’). At the time it was the fundamental book in the world on this subject. My intentions were not only to demystify Closed Circuit Television technology but, equally, to offer a tool to CCTV customers that they could use to test, analyse and compare cameras. It was during this time that I came up with an idea to design a test chart that could be printed on the back cover of this first book. So, not only could one read the book, but they could also use the back cover as a test target as well. The broadcast TV industry had already been using the popular RETMA (acronym for Radio Electronics Television Manufacturers’ Association) chart for many years, yet this was mostly for checking resolution and linearity of the system due to tube cameras’ geometrical distortions - and grey steps for Gamma testing. Even so, it had no colours or reference to face sizes for identification purposes, much needed in CCTV. I could have simply reproduced the RETMA pattern at the back of the book, but I wanted to do something more. This is how the idea of the first CCTV test chart v.1.0 was born, under the umbrella of my then company - CCTV Labs. Although this test chart was small and printed on the back cover of an A4 format book, the v.1.0 chart had sufficient clarity and precision to reproduce resolution wedges, colour bars and grey steps, focus target, linearity squares and bandwidth bars. Furthermore, for the first time in the industry human faces were introduced. The A4 format aspect ratio of 1:1.41 suited the 4:3 aspect ratio of 1:1.33 of analogue CCTV cameras, so there was not much wasted space around the chart. The instructions on how to use the test chart were printed inside the book. This second edition - which Americans consider their first edition - was launched in 1999 at the ISC show in New York. This was when CCTV Labs introduced v.2.0 of the



CCTV test chart, also at the rear of the book. Thankfully, Butterworth Heinemann decided to publish the book with a hard cover, which made the appearance of the test chart sturdier and more uniform. The innovations introduced in v.2.0 included adding the German ORUA bars standard, which helped in improving face identification quality with various thickness bars at an angle, in addition to the existing faces. We also introduced the reflection check bars that could be used to determine signal reflections from badly terminated coaxial cables in analogue video transmission. After receiving comments and feedback from many happy customers, it proved my intentions were welcomed and the first test chart became a useful tool for evaluating and comparing cameras and systems. CCTV users had now started operating a bit more scientifically, and I was proud of my contribution towards this science.

In 1998 I was approached by the leading US publisher Butterworth Heinemann. They asked if I would re-write the book and include the NTSC standards. I also had to ‘americanise’ the English text in order for them to publish it under their banner. I agreed to this offer, which allowed the book to be marketed internationally and which freed me up financially. With the v.2.0 test chart, we decided to produce it in an A3 printed format separate from the book. The improvement of ink-jet colour printer technology allowed us to produce more precise colour details on the chart than was possible with the traditional off-set printing used for the book back cover. This was not an easy task, as we had to do a complete colour calibration between the computer, scanner and printer, but we achieved accuracy that is reproducible and well above the industry requirements. This 1999 edition published by Butterworth Heinemann quickly became a best-seller on www.amazon.com, as did all subsequent editions. Due to the popularity of the book, we were soon producing and selling CCTV test charts throughout the world. Hundreds of CCTV manufacturers, consultants and integrators purchased the v.2.0 test chart, and I was delighted that my original idea of CCTV specific test charts became recognised globally.

The early 2000s saw rapid development in CCTV technologies, including the switch from analogue to digital technology. Initially, this was only standard definition (SD), but DVRs and NVRs started replacing VHS and S-VHS recorders. I now saw the need for an updated test chart to reflect these changes. In 2005, I launched the second American book edition, called ‘CCTV - Digital and Networking Technologies’, at the ISC West show in Las Vegas. Along with this book, I launched test chart version 3.0 on the back cover. We were also producing a stand-alone, A3, hard mounted version which was now ordered via our web site. This updated version included vehicle number plates (as per the newly published Australian Standard AS 4806-2), some additional co-ordinates of the line count when using an oscilloscope (to indicate the exact resolution wedge locations), tilted squares for MTF analysis (by the slanted edge software methods) and, last but not least, a two-way grey scale chart to




check system Gamma. The stand-alone test charts now proved more popular than the book option, so it was decided to stop reproducing the charts on the back cover of future editions. Additionally, the book reproductions were out of our control and well below in quality what we could achieve with our colour calibrated printing process on A3 special non-reflective photographic paper. Now, all test charts, from v.3.0 onwards, were produced only in high quality A3+ format, mounted on light, yet rigid Gator board. This new format was safe yet not expensive to mail world-wide.

Between the years 2000 and 2005, we designed and produced an electronic programmable Test Pattern Generator (TPG-8), another first for the industry. The TPG-8 produced the test chart v.3.0 completely electronically and not through a camera. This allowed for perfect monitor adjustments, as well as testing various system transmissions and SD compressions. For the first time in the industry, users were able to design their own test chart patterns and upload them into the TPG-8 via special software. Up to eight patterns could be loaded, one of which was the test chart v.3.0.

Post 2005, we saw another technological revolution in CCTV. Standard Definition resolution with 4:3 aspect ratio was now overtaken by the new High Definition television standard in 16:9 aspect ratio. New video compressions like H.264 were introduced and IP networks became the norm for CCTV. The book publisher, and the industry, demanded a new edition of my book relating the latest digital and IP technologies. As expected, an updated version of the test chart had to be produced. So, the next edition of the book was re-written over two years (2011~2013) and launched in 2013. During this time I also designed and produced a new test chart under our new company name, ViDi Labs. A new test chart, that could consider the range of sensors, resolutions and aspect ratios now available in the CCTV industry, had to be developed.
This was a tough call, yet it was launched as the new ViDi Labs SD/HD test chart v.4.0. V.4.0 was the first chart in the CCTV industry to consider the range of sensors and aspect ratios. Starting with the old television 4:3 aspect, then the 3:2 ratio typical for photographic sensors, and finally the 16:9 typical for HD standards; these were all now found on one physical chart! V.4.0 had to be designed with extreme accuracy, down to the hundredth of a millimetre (0.01 mm), since it was intended for measuring very high resolution cameras. This was more easily said than done, because standard vector software was unable to provide such accuracy. Special vector-based software had to be used to achieve this. Wedges and lines were calculated very precisely so that even the highest resolution IP cameras could be tested. We ensured that users could measure and quantify image quality both in TV Lines (for the old ‘analogue school’) as well as in pixels. We also introduced the novel idea of qualifying compression quality. This is one of the hardest things to do visually, and one would think it is not even possible. We introduced bars with continuous colour change, red-to-green-to-red, and also continuous gradation black-to-white-to-black bars. These bars are so seamless that a human eye would not see any discontinuity in the printing. This was a mammoth task as, in addition to a high accuracy colour management system, it also required a very high quality printer and the best paper surface and ink system. Repeatability of good quality is only possible with the highest control over all elements in the computer imaging system. When such continuous bars are viewed by the IP camera under test, they lose some of their continuity due to the quantisation process and the compression used. This typically happens when using JPG and H.264 compression, where 8-bit quantisation and lossy compression are used. By observing and comparing the banding in the continuous bar tones, users may visually determine and compare various image and video compressions without even knowing the settings in the IP camera. Truly, a first concept of this kind in the industry. To the best of my knowledge, there is nothing similar in the test chart world and certainly not in the CCTV industry. In the ViDi Labs SD/HD test chart v.4.0 we also introduced various face sizes in order to indicate the facial identification standards in the image. We made sure we had faces for SD resolution, 720p as well as 1080 resolution, and we also kept the ORUA non-faced detection of quality applicable to FI. We introduced images of playing cards for the casino industry, as well as vehicle licence number-plates in various sizes suitable for SD and HD resolutions. The focus target has been improved and is used on all edges of the test chart for easy focusing, as well as for spotting focus issues with IP cameras. In order to make the chart easier to use, and to show how each part of the chart works, we have included visual instructions on the back of the chart.

Caption: Visual instructions of the test chart v.4.x at the back of it
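The banding effect the article describes, as an added illustration rather than anything from the ViDi Labs chart or its software: a seamless black-to-white-to-black bar is modelled as a float profile, passed through 8-bit quantisation (the sensor stage) and then through a toy block-transform codec (per-block DCT with uniform coefficient quantisation, a simplified stand-in for JPEG or H.264 intra coding, not any real codec), and the resulting plateaus are counted. The bar width, block size and quantiser steps are constructed values chosen for the demonstration. Fewer, wider bands and larger steps between them are what a tester sees as banding when comparing compression settings on the chart.

```python
"""Simulate how 8-bit quantisation and lossy block-transform compression
turn a continuous black-to-white-to-black bar into visible banding,
and score that banding numerically so settings can be compared."""
import math

WIDTH = 1024   # samples across the printed bar (constructed test input)
BLOCK = 8      # transform block size, as used by JPEG / H.264 intra coding


def continuous_bar(width=WIDTH):
    """Ideal printed bar, black -> white -> black, as floats in [0, 255].
    Models the seamless gradation printed on the chart."""
    half = (width - 1) / 2.0
    return [255.0 * (1.0 - abs(i - half) / half) for i in range(width)]


def quantise_8bit(samples):
    """Sensor/ADC stage: clip and round to 256 integer grey levels."""
    return [max(0, min(255, int(round(v)))) for v in samples]


def dct(block):
    """Orthonormal 1-D DCT-II of one block of samples."""
    n = len(block)
    out = []
    for k in range(n):
        scale = math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)
        out.append(scale * sum(x * math.cos(math.pi / n * (i + 0.5) * k)
                               for i, x in enumerate(block)))
    return out


def idct(coeffs):
    """Inverse of dct(): DCT-III with the same orthonormal scaling."""
    n = len(coeffs)
    out = []
    for i in range(n):
        total = 0.0
        for k, c in enumerate(coeffs):
            scale = math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)
            total += scale * c * math.cos(math.pi / n * (i + 0.5) * k)
        out.append(total)
    return out


def lossy_compress(samples, q, block=BLOCK):
    """Toy codec: per-block DCT, uniform coefficient quantisation with step q,
    inverse DCT, then back to 8-bit. Larger q = heavier compression
    (comparable in spirit to lower JPEG quality or higher H.264 QP)."""
    out = []
    for start in range(0, len(samples), block):
        blk = samples[start:start + block]
        n = len(blk)
        if n < block:                        # pad a short tail block by repetition
            blk = blk + [blk[-1]] * (block - n)
        coeffs = [round(c / q) * q for c in dct(blk)]
        out.extend(idct(coeffs)[:n])
    return quantise_8bit(out)


def bands(samples):
    """Run-length encode the profile into (level, width) plateaus."""
    runs = []
    for v in samples:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return [(v, w) for v, w in runs]


def banding_score(samples):
    """Numbers a tester would compare between settings: fewer and wider
    bands, and bigger steps between them, mean more visible banding."""
    runs = bands(samples)
    steps = [abs(samples[i + 1] - samples[i]) for i in range(len(samples) - 1)]
    return {"bands": len(runs),
            "widest_band": max(w for _, w in runs),
            "max_step": max(steps)}


def compare_settings(qs=(1, 16, 64)):
    """Score the ideal print, the 8-bit capture, and each compression level."""
    ideal = continuous_bar()
    captured = quantise_8bit(ideal)
    results = {"print": banding_score(ideal), "8bit": banding_score(captured)}
    for q in qs:
        results[f"q={q}"] = banding_score(lossy_compress(captured, q))
    return results


if __name__ == "__main__":
    for name, score in compare_settings().items():
        print(f"{name:>6}: {score}")
```

The 8-bit stage alone already splits the seamless ramp into roughly two-sample plateaus with single-level steps; heavy coefficient quantisation then collapses whole blocks (and runs of blocks sharing one DC level) into flat bands tens of samples wide with steps of many grey levels, which is the banding the chart makes visible.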
Again, for the first time in the CCTV industry, we expanded the functionality of this test chart by introducing the concept of measuring motion blur. This is done by hanging the chart, moving it to a high point on the hanging line, and calculating the resultant blurriness from the chart's oscillation. The same concept was proposed to the IEC while I participated, on behalf of Australia, in the work on this international standard, and it was accepted. It can be found in the Appendix of the 62676-5 standard. A further interesting application of v.4.0 is the newly designed ViDiLabs calc App. Here, images of the test chart are used to simulate the image quality at various compressions when deciding how much compression should be used to achieve a certain length of recording while still keeping the expected image quality. Velcro spots on the back, one in each corner, make mounting to a wall easy. A complete instruction manual is included, and an electronic version can be downloaded from our web site. This chart, like all previous versions, can be ordered from www.vidilabs.com. In the next article I will explain the latest test chart design, v.5.0.

Caption: The chart v.4.x is used to simulate various compression qualities in the ViDiLabs calc app



TechTime - latest news and products

To have your company news or latest products featured in our TechTime section, please email promoteme@australiansecuritymagazine.com.au

Latest News and Products

Israeli drone startup embeds itself in Australia’s IoT state By Chris Cubbage, Executive Editor

Founded in Petah Tikva, Israel in 2014, Airobotics is not the type of advanced technology startup company one would have expected to find in a quiet suburban industrial park just 20 minutes south of Perth, Western Australia. For many startups, having a robust Israeli origin does provide a sense of confidence and purpose, and in Airobotics' case it has become Australia's first and only Civil Aviation Safety Authority (CASA) approved operator of automated multi-rotor drones for beyond visual line of sight (BVLOS) operations, with no aircrew needed at the client site. Similar approvals are held with the Civil Aviation Authority of Israel, as well as certification from the US Federal Aviation Administration. But you won't see Airobotics delivering pizza anytime soon. Ran Krauss, CEO and Co-Founder, has a vision of focusing on the industrial and commercial applications of drones for surveillance, emergency response, surveying and mapping. From its ROC (Remote Operations Centre) in the unassuming Kardinya building, Airobotics flies drones over 1,000 kilometres away across WA's northern and eastern regions. Whilst not giving away their client details, the majority of current missions involve survey work, including twice-daily inspections of haulage roads. The point of difference is the automation of the entire process, from the flight itself through to the data collection and reporting to the client. Monitored via live video and data feeds from the drone to the ROC, the client is delivered a report within a short time of the flight concluding.

Caption: Self-contained 2.6 tonne, 2.5 m² portable airbases in the Airobotics warehouse

The Optimus quad rotor drone, with a 1.8 m span, takes off and lands via a 2.6 tonne, 2.5 m² portable, self-contained airbase. The Optimus has multiple payload options: lidar, dual video, thermal and mapping. The Trion payload is Airobotics' own security and inspection video solution. With pilots, or system operators, located in the ROC, there are several airbases deployed in WA, engaged on a client subscription payment model which allows any client to benefit from drone technology whilst ensuring compliance with CASA regulation requirements. Requiring ground power, communications for the mast and monthly maintenance, the Airobotics drone and airbases, with a robotic self-changing battery process, can deliver a return on investment through personnel efficiencies. For the haulage road surveys, Airobotics replaces two surveyors who would otherwise need to drive out, work, drive back and report, allowing them to refocus their time on planning and data analysis. The drone does all this in a quarter or less of the time and arguably with more accuracy. Via cloud and data analytics, the automation of the flight, data collection and insights reporting is where the innovation lies. Other missions have included security inspections with CASA approved flight routes allowing bushfire monitoring and site perimeter checks.

On the back of US$111 million funding to date, the Kardinya premises were established in 2017 and the company headquarters was moved to Scottsdale, Arizona in September 2018, managing flights across North and South America. Choosing WA for its first Australian base, the company is working with the mining, construction and industrial sectors and has clearly invested for the long term. In addition to housing the ROC, the expansive warehouse facilities allow airbase and drone maintenance and pre-deployment flight checks before the airbases are taken to site. MySecurity Media visited the Kardinya premises on March 29, whilst a live flight was in operation, and walked around the warehouse. Thanks to Joe Urli and Kimberley Lim for organising the visit.

Information presented in TechTime is provided by the relevant advertiser and is not necessarily the views of My Security Media



All-in-one aerial solution for autonomous security, safety and inspection missions

Government, Defence and Industry Representatives Attend Live Industrial Drone Mission Demonstrations in Canberra

Percepto has launched its all-in-one aerial solution for autonomous security, safety and inspection missions in Australia, following the completion of a series of successful live mission demonstrations in Canberra. The tests were observed in the capital by a delegation representing government, defence and industry organisations from across the country. During the demonstration, Percepto conducted missions to highlight how its autonomous ‘Sparrow’ drones can deliver value across a diverse range of industrial and enterprise applications in sectors including mining, oil and gas, renewable energy, utilities, port and sea terminals. The Percepto Solution delivers fully autonomous real-time human/vehicle detection and tracking, thermal inspection, gas/oil leak detection, 2D mapping, 3D modelling as well as fence and property patrols, all achieved without a need for a pilot or on-site operator. Percepto is a recipient of the Frost & Sullivan Global Enabling Technology Leadership Award. Its cost-effective autonomous drones are equipped with high-definition and thermal cameras to enable day and night operation and can perform in hostile weather conditions including rain, snow and dust. When deployed in the field they take off on demand or at scheduled times and navigate pre-defined routes. Once the mission has been completed the Sparrow returns to its base station – a highly secure enclosed weather-proof box – where automated post-flight checks and fast battery charging are completed, ensuring the drone is primed for the next flight. The system is controlled through Percepto’s cloud management system and it is also the only ‘drone-in-a-box’ solution that is powered by computer vision and AI, and provides communications over LTE. The Percepto demonstration coincides with the announcement of Google’s first commercial drone delivery service, which was also launched in the Australian capital in April, and highlights the progressive approach of the Civil Aviation Safety Authority in Australia regarding drone usage. CEO of Percepto, Dor Abuahsira, states: “With Australia already breaking new ground in the adoption and application of commercial drones, we are excited that our market leading technology is now widely available here. We look forward to working closely with our partners, industry and enterprises across Australia, to discover new and innovative ways the Percepto Solution can be deployed.”

About Percepto

Founded in 2014, Percepto is the market leader of on-site autonomous drone solutions for critical infrastructure and industrial sites. Operating with no need for human intervention, Percepto’s autonomous Sparrow drones perform multiple missions, around the clock. The solution is ideally suited to any large-scale enterprise looking to improve security, increase productivity and reduce safety risks and operational costs. Organizations using the Percepto solution are better aware of events taking place, allowing them to be proactive and more efficient in addressing risks and operational needs. The Percepto Solution is currently in use around the world, including at a number of Fortune 500 organizations.

A short video is available at: https://youtu.be/j6cdTSIDOSA





Titomic Kinetic Fusion™ creates world’s largest titanium UAV

Australian advanced manufacturing company Titomic has delivered the largest titanium unmanned aerial vehicle, or UAV.

Image: Jeff Lang - Titanium UAV, Avalon Airshow

Measuring over 1.8 metres in diameter, the UAV was manufactured at Titomic’s R&D Bureau in Melbourne, Australia, which houses the world’s largest and fastest metal 3D printer, the TKF 9000, measuring 9 x 3 x 1.5 m. The system incorporates Titomic’s patented additive manufacturing (3D printing) technology, Titomic Kinetic Fusion™ (TKF). Titanium, with its superior strength-to-weight ratio, provides the UAV with a strong, lightweight, ruggedised design and ballistics protection, which will provide durability for reliable in-field use by military and law enforcement and is well suited for deployment in live combat situations. As titanium is often prohibitively expensive and difficult to fabricate using traditional methods, the prototype demonstrates Titomic’s ability to utilise high-performance materials, including titanium, in applications that previously did not pass a manufacturing cost-benefit analysis, forcing manufacturers to use less desirable materials in design, such as heavier metals or fragile plastics. The technology is widely applicable to the defence industry and can also create parts such as armaments, traditionally created through metal casting, resulting in reduced production time and increased output. Titomic Managing Director Jeff Lang stated: “We’re excited to be working with the global defence industry to combine Australian resources, manufacturing and innovation which will increase our sovereign capability to provide further modern technology for Australia and its defence force”.

Image: Titomic TKF 9000

Titomic Kinetic Fusion™ (TKF), co-developed with, and licensed from, the CSIRO, is a patented metal AM process utilising supersonic deposition of metal powders to digitally manufacture metal parts and complex surface coatings of super alloys and dissimilar metals such as nickel, copper, scandium and alloys such as stainless steel, inconel, and tungsten carbide. With the unique ability to fuse dissimilar metals and materials, Titomic has unlocked the opportunity to create unique materials and engineer parts and surface coatings that are unobtainable via other manufacturing methods. With the ability to incorporate multiple metal alloys and materials into single, heterogeneous parts, TKF enables the production of parts which exploit the mechanical benefits of multiple high-performance alloys concurrently.

About Titomic Limited: Titomic (ASX: TTT) is headquartered in Melbourne, Australia. Titomic is positioned to change the value proposition of titanium, to unlock new applications and open opportunities that are now technically and economically viable with its proprietary Titomic Kinetic Fusion™ (TKF) technology platform. TKF overcomes the limitations of additive manufacturing (3D printing) for metals to manufacture complex parts without shape or size constraints. TKF offers production run capability to organisations, which enables speed-to-market and superior products with lower production inputs, using fewer resources for a more sustainable future. Titomic’s TKF enables first mover advantage in industrial scale manufacturing for sectors such as aerospace, defence, resources (oil & gas, mining, rail, chemical & industrial equipment), marine, construction, automotive, medical and consumer & sporting goods. For more information, visit: www.titomic.com.




Fujitsu and KIA collaborate on prototype of artificial intelligence-enabled digital police car of the future

Fujitsu has announced the development of a prototype of an artificial intelligence-enabled digital police car of the future. In collaboration with an ecosystem of partners, and working closely with KIA Motors Australia, Fujitsu is able to remove surplus equipment, software, hardware, and cabling from police highway patrol vehicles by integrating the required information systems and response controls into KIA’s standard Stinger model. Fujitsu created a software-based platform that links disparate technologies, reducing the cost of installation and de-installation, while providing a cleaner and safer cabin for law enforcement officers. Together, Fujitsu and KIA used the manufacturer’s standard Stinger model to develop a turnkey solution. The car’s existing infotainment screen, which is shared across the Kia range, is programmed to present information and execute emergency response controls. The benefits of this set-up include:

• Elimination of issues associated with airbag deployment and the blocking of vehicle controls and air conditioning vents due to the need for built-in personal computers and screens.
• Greater comfort for officers who are in the car for most of their shift.
• Greater police equipment security and officer safety, since currently officers are often required to operate multiple devices while driving and engaging with potential offenders at high speeds.

Ian Hamer, Principal Architect, Fujitsu Australia, said: “To build each highway patrol police car now requires multiple tenders from numerous individual suppliers for each piece of equipment, from the car itself to Mobile Data Terminal (MDT), number plate recognition technology, In-Car-Video (ICV) and radar. Fujitsu’s enhanced vehicle ecosystem integrates these and other individual components, simplifying the installation and removal of vehicle equipment and bringing greater agility and efficiency to the police force.” Chris Forbes, National Fleet Manager, KIA, comments, “KIA already supplies the standard Stinger model to the Queensland, Northern Territory and Western Australian police forces for use as highway patrol vehicles. We identified the amount of systems redundancy within the current vehicle fit-out and are excited to work with Fujitsu to push for a higher degree of integration of law enforcement systems within the Stinger. By reducing the amount of physical technology within the car, the vehicle can be modified or serviced by any KIA dealer in Australia, reducing the time previously spent servicing vehicles at specialised facilities.”

The Stinger’s core performance and safety characteristics have played a key part in the decision by state police forces to integrate the vehicle into their road policing divisions. The Stinger, in standard form, is capable of 0-100 km/h in 4.9 seconds and has a five-star ANCAP safety rating backed by a seven year warranty. Reducing the amount of copper cabling throughout the car reduces weight and power draw on the vehicle, resulting in greater fuel efficiency. Furthermore, Fujitsu’s solution will remove up to seven existing system logins by embedding biometrics into the gearstick, a natural position for the palm when starting a car. Fujitsu’s biometric authentication technology PalmSecure secures sensitive information, while three single-feature action buttons on the front of the gearstick control emergency lights and sirens, enhancing the safety of officers who are no longer required to take their eyes off the road to operate a complex control pad. Ian Hamer continues: “Fujitsu’s goal was to develop a car that looked like a regular vehicle rather than a highly modified police car. By integrating systems into the inbuilt systems in the vehicle, we were able to remove excess bracketry inside the cabin. Working closely with emergency warning systems specialist Whelen Engineering, the team designed a new modular configuration of the lightbar that will result in a less invasive installation using one umbilical cord instead of nine separate cables. As a result, cameras placed in the lightbar are at the optimum height to record video evidence. This umbilical cord will then be mated to the KIA’s core wiring loom for simplicity of installation.” Fujitsu will also integrate the radar into the car’s existing head-up display, removing the dash-mounted control box and the irritating doppler tone produced when using the radar. In phase two of this development, artificial intelligence (AI) capabilities will identify a target car’s manufacturer and colour using onboard cameras, and these will also be able to recognise stolen cars in busy carparks and traffic. The technology will be able to detect if an offender has drawn a weapon and automatically send duress signals.

Fujitsu and KIA have developed a concept car to demonstrate the approach to police forces in Australia. The initial project was funded by Fujitsu’s Incubator Fund, which is utilised for investment in the development of innovative technology solutions with a view to future commercialisation. Mike Foster, Chief Executive Officer, Fujitsu Australia and New Zealand, said, “This project demonstrates the true value of co-creation between organisations to achieve a business outcome that benefits society. Fujitsu’s innovative technology solutions, including AI and video analytics technology, coupled with KIA’s cutting edge vehicle platform has the potential to transform emergency services vehicles. We believe this approach has a much wider application than just use within the police force. Fujitsu is working to develop an enhanced vehicle ecosystem by extending the technology to meet multiple vehicle needs including ambulance, fire and rescue services, security vehicles, and taxis.”

Fujitsu is working with KIA Motors Australia to develop an artificial intelligence-enabled digital police car of the future. Fujitsu is developing a software-based integration platform that links disparate technologies, allows the removal of unnecessary costly technology, and reduces the cost of installation and de-installation, while providing a safer cabin for law enforcement officers. Using KIA’s standard Stinger model, the enhanced vehicle ecosystem integrates individual components, simplifying the installation and removal of vehicle equipment and bringing greater agility and efficiency to the police force.



Autotalks gains momentum in China after a successful C-V2X field test with a tech Giant

Autotalks is gaining momentum in the Chinese market following the successful completion of a C-V2X field test with a Chinese technology giant. The field trial evidenced Autotalks’ leading C-V2X capabilities on a public road, including 3GPP Release 15 compliant transmit diversity, and a remarkable communication range of over 2 km against a nominal range of over 1.5 km. As part of its momentum in China, Autotalks is growing its Chinese partner ecosystem and hiring for its operation in this giant market. Autotalks is a member of IMT-2020, CAICV and the China ITS Industry Alliance, working on standardization and testing of C-V2X towards mass deployment. The company has also launched a Chinese website at https://www.auto-talks.com/zh-hans/.

Autotalks is Connecting Vehicles in China with V2X

China is a fast-growing region in the automotive and Intelligent Transportation Systems (ITS) segments. LTE-V2X technology has recently been gaining strong momentum in China. In November 2018, Autotalks announced that it had recruited Mr. Xiaobing Yang to lead Autotalks’ business development efforts in China out of Autotalks’ new branch in Beijing. Mr. Yang brings to Autotalks over 25 years of experience in the Chinese telecom industry. Last summer, Autotalks launched the first ever global V2X solution supporting both DSRC and LTE-V2X (also known as C-V2X), based on its second generation mature chipset, with the intention of expanding its global footprint into China. Autotalks’ LTE-V2X direct communications (PC5) solution is separated from the cellular Network Access Device (NAD), resulting in a truly secure and cost-effective standalone LTE-V2X solution. Autotalks also announced in February that it has partnered with MediaTek (TWSE: 2454), a global fabless semiconductor company that enables 1.5 billion connected devices a year. The two companies are cooperating on integrating V2X and telematics and have completed a joint reference design for a Telematics Control Unit (TCU) integrated with a global V2X chipset. The reference design is based on Autotalks’ global V2X chipset and MediaTek’s newest technology, an automotive-grade cellular modem SoC, enabling a secure, robust and cost-effective global TCU architecture.

About Autotalks

Autotalks (www.auto-talks.com), which was founded in 2008, is a V2X chipset market pioneer and leader, providing customers worldwide with state-of-the-art V2X solutions. Autotalks helps reduce collisions on roadways and improve mobility with its automotive qualified chipsets. The chipsets offer the most advanced, truly secure and highest performing global V2X communication solution designed for autonomous vehicles. Autotalks’ advanced technology, to be mass deployed in the coming years, complements the information coming from other sensors, specifically in non-line-of-sight scenarios, rough weather or poor lighting conditions. It significantly improves overall road safety, effectively coordinating vehicles, self-driving cars, motorcyclists and pedestrians.



4 - 5 September 2019 | Bridging Innovation and Business Growth
Santa Clara Convention Center, California, USA

IOT & EDGE COMPUTING | CLOUD COMPUTING | SECURITY & BLOCKCHAIN | ARTIFICIAL INTELLIGENCE

For more details, please contact:
For USA: Surajit Sengupta - Program Director, 1900 Camden Avenue, Suite 101, San Jose, CA 95124, contact@gdfevent.com, +1 (408) 509 7203, www.gdfevent.com
For rest of the world: Tarun Tyagi - Project Head, B181, Ground Floor, East of Kailash, New Delhi - 110065, tarun@iconex.in, +91 8267004948, www.gdfevent.com


REPORT REVIEW | by CHRIS CUBBAGE

WA POLICE FORCE RETICENT, UNACCOUNTABLE AND INADEQUATE: REPORT

40th Parliament
Community Development and Justice Standing Committee
Report 5
NO TIME FOR COMPLACENCY: Final report for the inquiry into the protection of crowded places in Western Australia from terrorist attacks
Presented by Mr P.A. Katsambanis, MLA, March 2019

Review by Chris Cubbage

WA Police Force declined to assist the Review, is unaccountable for millions in spending and is not adequately regulating the security industry. Is public safety at risk? This report is the outcome of a Parliamentary inquiry established to determine whether there is adequate preparation for the protection of crowded places in Western Australia (WA). It was motivated, in part, by the release of Australia’s strategy for protecting crowded places from terrorism (the Strategy) in August 2017.

Background

In March 2018, just 12 months away from the Christchurch massacre in New Zealand, in WA a Community Development and Justice Standing Committee was seeking submissions as part of its inquiry into the protection of crowded places in WA from terrorist acts. In particular, the Committee set out to consider the flow of information between agencies and other relevant stakeholders and the WA Parliament’s role in overseeing counter-terrorism arrangements to ensure that it can properly evaluate the:

1. state-based emergency management framework;
2. implementation of mitigation and protective security measures;
3. relationships between state government departments and agencies and owners and operators of crowded places;
4. capability of the Western Australia Police Force to respond to a terrorist attack on a crowded place; and
5. security licensing, registration, and assurance processes in Western Australia.

In making a submission, it was quite apparent that the terms of reference were too broad. As the inquiry progressed, “the complexity of protecting crowded places quickly became apparent.” One may argue the Committee had limited experience or insight not to realise this at the outset, given the scope it set for itself. Not surprisingly, the Committee chose not to consider in detail the other three elements of the PPRR (prevention, preparedness, response and recovery) model, and likely targets of terrorism and indeed crowded places such as the airport, or domains in maritime, transport or health, were also not examined extensively. Yet despite this, in October 2018, the Committee released an initial report identifying 30 matters they felt required further consideration. This report proclaims the inquiry and outcomes “will not reduce the complexity of both counter-terrorism and the protection of crowded places in WA.” In other words? It will achieve little and tells us much we didn’t already know. However, there is one striking takeaway from the inquiry worthy of note. The WA Police Force isn’t performing, isn’t accountable and isn’t prepared to assist when asked to.

WA Police Force reticent to share information

Throughout the inquiry, the Committee struggled to access information and documentation it considered important to fully inform itself about the preparedness of the Western Australia Police Force and Western Australia more generally. The report noted, “It is impossible to determine whether the millions of dollars of government funds directed to WA Police counterterrorism capabilities has actually increased the state’s counter-terrorism preparedness.” “There is a lack of independent oversight in relation to the state’s preparedness for a terrorist attack. The Counter Terrorism and Emergency Response Command of the Western Australia Police Force received over $49 million in 2017–18 and there is currently no third party scrutiny to ensure the people of Western Australia that this money was used effectively, efficiently, and ultimately increased the state’s counter-terrorism preparedness.” “The apparent reticence of WA Police to engage meaningfully with this inquiry was particularly evident when contrasted to some UK police services’ purported responses to recent, independent reviews. The reticence of WA Police to cooperate with the inquiry also differed from the ‘dare to share’ approach to information-sharing that Victoria Police Deputy Commissioner Shane Patton told us he employed.” “The requirement to seek approval from the ANZCTC—a creature of the Council of Australian Governments (COAG) and therefore outside the authority of the WA Parliament—reduces the effectiveness of the traditional vehicles for scrutiny.” “Unlike Victoria or New South Wales, WA does not appear to have developed an up-to-date, publicly available state strategy or coordinated suite of policy documents elucidating the various counter-terrorism roles of government and non-government entities. WA has also not developed a protective security advisory capability to support owners and operators to enhance the resilience of their crowded places.”

WA Police Force lacks independent oversight and accountability to auditing and governance “There is an assurance gap, however, in relation to owners and operators of crowded places that are neither the recipients of public funding nor covered by specific regulatory regimes.” Auditor General Caroline Spencer said she preferred for this emergency management assurance role to be legislatively defined and accompanied by appropriate funding to reflect the expansion of her role. She explained the estimated cost of an initial scoping audit of the emergency management sector is $500,000, or just over 8.3 per cent of the total Auditor General 2008 audit budget. Considering the average amount spent on a performance audit is $300,000, the estimated cost of the initial audit is significant. Expecting the OAG to fulfil a permanent assurance role without additional resources risks inadequate consideration of other, equally important, topics. As an example where oversight and auditing is required, the Committee determined that “despite monitoring an industry with over 30,000 active security licences, WA Police issued no infringements in relation to the Security and Related Activities (Control) Act 1996 (WA) between July 2017 and May 2018. While WA Police aims to audit 275 licence holders per year, only 100 people (or 0.003% of the industry), were audited between July 2017 and May 2018. WA Police noted that sometimes the audit target is not reached due to ‘other policing priorities’. In the 2016–17 financial year, WA Police issued only five infringements, one summons, and 86 cautions in relation to the Security and Related Activities (Control) Act 1996. The Queensland Office of Fair Trading has a similar number of active security licences as WA but issued a far greater number of infringements—55 infringement notices and 74 warnings—in the same period. 
WA Police said there was no reason why it could not also release de-identified compliance information, and pointed out that similar information relating to pawnbrokers and second-hand dealers was already published in the WA Police Force Annual Report. Yet the reason they don’t make this information available is most likely because they’re not actually regulating the industry effectively and, one may argue, not at all.

Another area in which WA Police was subjected to criticism was the State CCTV Strategy. Subject to complaints when it was first received (including formal complaints by this author), the Committee stated, “Because of evidence we received early in the inquiry, we raised questions about the effectiveness of the State CCTV Strategy. Some respondents identified specific issues with the CCTV strategy and sharing of data. Concerns were raised, for example, about the cost and technical difficulties associated with creating and managing a central security information system from which WA Police can monitor CCTV data from multiple cameras.”

“SAIWA (Security Agents Institute of WA) said the system may also prove costly for donors of CCTV data as they may have to obtain legal advice, upgrade their equipment to a different standard in order to add their CCTV cameras to any ‘joined-up approach’, and spend money on ongoing maintenance. Further, one local government told us of its reluctance to join the State CCTV Register because of ongoing questions about the governance measures and security of shared data.”

Terrorism is a silo risk – Holistic & Risk-Based Approach is needed

“In the course of the inquiry, it became evident that whether or not an attack on a crowded place was terrorism was largely irrelevant from a protective security perspective.”

“One document, the State Hazard Plan: Terrorist act, represents the totality of strategic counterterrorism arrangements in WA and embodies an outdated approach to counter-terrorism. This means WA’s counterterrorism preparedness is also largely unscrutinised as terrorist acts are managed under the state emergency management framework along with 26 other hazards identified as posing a risk to WA.”

“With neither an up-to-date state strategy nor policy framework to guide counter-terrorism efforts in WA, some of the stakeholder groups identified in the Strategy have contested the exact nature and extent of their roles and responsibilities. Some sought to minimise their responsibility for achieving this goal. The strategy is not linked to any legislation or policy framework within WA and is therefore not mandatory.”

“Terrorist use of drones is one example of an emerging threat. There are legislative impediments on police use of drones for incident response and other purposes. There is clearly a need for legislative reform. It is inevitable that legislators will have to respond.”

“We found there was a clear expectation amongst owners, operators and the public that authorities such as WA Police would take the lead in protecting crowded places. WA Police appeared reluctant to step into this space, however, distancing itself from any overarching responsibility for implementing the Strategy and stressing that it was not the role of WA Police to provide protective advice to private industry.”

“WA Police and DPC had different positions about whether WA Police was responsible for implementing the Strategy: while DPC said WA Police is the ‘lead agency for implementing the Strategy in Western Australia’, WA Police said the CPAG is ‘responsible for the implementation of the National Strategy’.”

“Implementing proportional security and mitigation measures can be costly and—importantly—reduce the profit generated. As one inquiry participant pointed out: Any costs for additional protective security measures have no value in terms of marketability of the venue/event. In fact, these protective security measures are wherever possible concealed so that attendees are not consciously aware of the existence of a threat being mitigated.”

“The Strategy does not set out a mechanism by which owners and operators can be compelled to fulfil their responsibility to protect their crowded place. This may become a problem should owners or operators weigh the quantifiable costs of implementing security measures against the less well-defined costs arising from non-implementation (i.e. reputational, asset damage, public safety) and decide not to invest in its security. Their preference was instead for the risk-based approach currently advanced by the Strategy.”

“As the Queensland Police Service said: identifying a minimum standard of protection would result in the general adoption of that standard. Without a risk-based approach, owners/operators would likely be either under-protected or would be required to implement unreasonable measures.”

“Those indicating support for a prescribed minimum standard tended to be the owners and operators of crowded places who felt they did not have the skills or knowledge to either implement adequate protective security measures or identify consultants who could do it on their behalf.”

The Committee reported, “We believe the debate around security standards reinforces the need for owners and operators to be able to identify and engage qualified, experienced and skilled security consultants who will ensure risk assessments (and any subsequent implementation of recommendations) are appropriate and commensurate with the circumstances. This standard is a process-based standard of preparation. We can surmise, therefore, that those inquiry participants who preferred a risk-based approach to protective security would support this use of AS/NZS ISO 31000:2009.”

Thanks for the Report – but frankly no change will happen

Whilst the Australian Government rams knee-jerk, politically motivated legislation like the Criminal Code Amendment (Unlawful Showing of Abhorrent Violent Material) Bill 2019 through parliament without ‘any’ oversight or informed consideration, actual calls for legislative reform by Parliamentary committees like this one are ignored. The national security system, which has the ‘intention’ of protecting Australians, is in large part broken, largely unaccountable, overly complex and politically manipulated. There is little that will change this, and if a major attack does take place on Australian soil, the system is inherently designed to allow the blame game to cycle through again.



BOOK RELEASE

CYBER RISK LEADERS: C-SUITE INSIGHTS – LEADERSHIP AND INFLUENCE IN THE CYBER AGE

by Shamane Tan, APAC Executive Advisor, Privasec & Founder, Cyber Risk Meetups

‘Cyber Risk Leaders: C-Suite Insights – Leadership and Influence in the Cyber Age’ will launch first in Australia, and then internationally, scheduled for this June. In this book, you will get up close and personal with 30 CxOs from around the world. Trade secrets are revealed from lessons learnt the hard way, as their life experience unfolds. In this collection, Shamane explores the art of communicating with executives, offers tips on navigating through challenges, and reveals what the C-Suite looks for in their partners. The book includes:

1. Observations of the CISOs and the lessons they learnt
2. Interactive discussion with the audience on the biggest challenges they face in communicating with their stakeholders
3. A dive into the various methods and techniques used by successful CISOs
4. The top 3 tips that the C-suite wants to impart to current security professionals (there’s a total of 15 in the book)
5. A very special bonus chapter, which is twofold:
   – Contains advice by CISOs for CISOs on what they should look out for when working with 3rd parties. This will be incredibly useful to vendors or security partners, as they will learn how to build better relationships with their CISOs.

Shamane is the APAC Executive Advisor at Privasec, a leading independent Security Consulting Firm in Australia and Singapore. She currently works with the C-Suite and Executives and examines various approaches to uplifting corporate and individual security posture in this cyber age. Whilst also managing the APAC relations, she has successfully enabled businesses, as well as enterprises and agencies, to be well equipped in key Cyber Risk aspects.

Shamane has a passion for disruptive technologies and the human factor. As the founder of the Cyber Risk Meetups across Australia and Singapore, with over 1,500 attendees, her meetups offer security enthusiasts and executives a unique platform to impart and exchange innovative insights. Shamane is also a huge advocate and champion for professionals in the Cyber Risk sector and encourages people to look for new ways in which they can take a step forward.

In a time of an ever-changing digital landscape, our industry leaders find that they are playing catch-up. Cyber Risk Leaders is a book like no other. This handbook is a laborious product of careful selection and compilation of the best stories and wisdom from over thirty C-suite executives. Shamane spent several years speaking to CxOs from different industries all over the world, from Australia to Singapore, Israel, the US and the UK, to bring different aspects of successful leadership to life in this book. For those who are interested in learning from top industry leaders, or if you are an aspiring or current CISO, this book is gold for your career. It’s the go-to book and your CISO kit for the season.

Shamane is the APAC Executive Advisor at Privasec, a leading independent Security Consulting Firm in Australia and Singapore, and Founder of the Cyber Risk Meetups, which has over 1,500 members meeting across 5 major states in Australia and Singapore.



