SCADA stands for Supervisory Control And Data Acquisition, the computer control systems at the heart of many industrial automation and control systems.
First developed in the 1960s - and evolving rapidly as the first PCs started shipping in the 1980s - SCADA-driven systems are found in energy power plants, electricity supply grids, chemical plants and many other industrial systems that require a high degree of computerized control - but also demand total, 100% systems availability.
This is Mission Critical with a giant capital 'M' and 'C.' Many organizations claim their IT processes are mission critical, but SCADA control systems truly are critical to the national infrastructure.
If the national power grid goes down, for example, it can cost a country many hundreds of millions of dollars per hour and, in the case of hospitals, air traffic control systems and the like, will actually place people's lives in jeopardy. Lost production and commerce is one thing, but lost lives raise the security ballgame to an entirely new level of governance.
Here in the US – as in the UK and Europe - many SCADA-driven systems are connected to the Internet. Where previously these systems were connected using a dial-up modem – with password security that at the time was highly resistant to attack – the trend today is to plug these devices into the Internet using a standard Ethernet connection – or worse yet, by WIFI or some other wireless protocol that lacks the encryption and authentication needed to prevent tampering.
This approach, as you might surmise, is a ticking time bomb. Cybercriminals are not stupid – they understand weaknesses, possess the means to guarantee success, and understand the impact of an attack.
Until now the only documented exploits in the SCADA security space have targeted foreign infrastructures, but I believe that this is certain to change.
A study carried out at the end of 2012 by Bob Radvanovsky and Jacob Brodsky of InfraCritical, a US-based security consultancy – and conducted with assistance by the US Department of Homeland Security – found that thousands of SCADA-based systems accessible from the Internet have weak default passwords defending them.
The two researchers used automated scripts to interrogate the grey hat SHODAN (Sentient Hyper-Optimised Data Access Network) and identified over 7,000 vulnerable, default logins out of an initial pool of 500,000 SCADA systems.
The good news is that the Department of Homeland Security has now started to reach out to the IT admins of this particular group of vulnerable SCADA-based systems, but reports suggest the remediation progress has been relatively slow.
Against this backdrop, there are discussions making the rounds in US IT security markets that, in return for allowing their SCADA systems to be scanned – essentially vetted - by the federal government, the utilities and other critical national infrastructure (CNI) system owners will be protected against legal or regulatory action in the future.
The real issue with the security of SCADA systems is that, while you can employ software patches to make a system more secure, there is, unfortunately, no similar patch against human stupidity.
SCADA systems should never, ever, be connected directly to the Internet, because they are simply not resilient enough to hook up to the public network. They require the use of advanced layers of security – firewalls, privileged identity management, secure proxies – to be implemented as soon as possible for their defence.