One of the less well-known aspects of information technology – but arguably one of the most critical to modern businesses – is the SCADA platform.

SCADA stands for Supervisory Control And Data Acquisition, the computer control systems at the heart of many industrial automation and control systems.

First developed in the 1960s - and evolving rapidly as the first PCs started shipping in the 1980s - SCADA-driven systems are found in energy power plants, electricity supply grids, chemical plants and many other industrial systems that require a high degree of computerized control - but also demand total, 100% systems availability.

This is Mission Critical with a giant capital 'M' and 'C.' Many organizations claim their IT processes are mission critical, but SCADA control systems truly are critical to the national infrastructure.

If the national power grid goes down, for example, it can cost a country many hundreds of millions of dollars per hour and, in the case of hospitals, air traffic control systems and the like, will actually place people's lives in jeopardy. Lost production and commerce is one thing, but lost lives raise the security ballgame to an entirely new level of governance.

Here in the US – as in the UK and Europe - many SCADA-driven systems are connected to the Internet. Where previously these systems were connected using a dial-up modem – with password security that at the time was highly resistant to attack – the trend today is to plug these devices into the Internet using a standard Ethernet connection – or worse yet, by WIFI or some other wireless protocol that lacks the encryption and authentication needed to prevent tampering.


This approach, as you might surmise, is a ticking time bomb. Cybercriminals are not stupid – they understand weaknesses, possess the means to guarantee success, and understand the impact of an attack.

Until now the only documented exploits in the SCADA security space have targeted foreign infrastructures, but I believe that this is certain to change.

A study carried out at the end of 2012 by Bob Radvanovsky and Jacob Brodsky of InfraCritical, a US-based security consultancy – and conducted with assistance by the US Department of Homeland Security – found that thousands of SCADA-based systems accessible from the Internet have weak default passwords defending them.

The two researchers used automated scripts to interrogate the grey hat SHODAN (Sentient Hyper-Optimised Data Access Network) and identified over 7,000 vulnerable, default logins out of an initial pool of 500,000 SCADA systems.

The good news is that the Department of Homeland Security has now started to reach out to the IT admins of this particular group of vulnerable SCADA-based systems, but reports suggest the remediation progress has been relatively slow.