The SCADA security challenge
by Philip Lieberman - President and CEO of Lieberman Software - Thursday, 7 March 2013.
One of the less well-known aspects of information technology but arguably one of the most critical to modern businesses is the SCADA platform.

SCADA stands for Supervisory Control And Data Acquisition, the computer control systems at the heart of many industrial automation and control systems.

First developed in the 1960s - and evolving rapidly as the first PCs started shipping in the 1980s - SCADA-driven systems are found in energy power plants, electricity supply grids, chemical plants and many other industrial systems that require a high degree of computerized control - but also demand total, 100% systems availability.

This is Mission Critical with a giant capital 'M' and 'C.' Many organizations claim their IT processes are mission critical, but SCADA control systems truly are critical to the national infrastructure.

If the national power grid goes down, for example, it can cost a country many hundreds of millions of dollars per hour and, in the case of hospitals, air traffic control systems and the like, will actually place people's lives in jeopardy. Lost production and commerce is one thing, but lost lives raise the security ballgame to an entirely new level of governance.

Here in the US as in the UK and Europe - many SCADA-driven systems are connected to the Internet. Where previously these systems were connected using a dial-up modem with password security that at the time was highly resistant to attack the trend today is to plug these devices into the Internet using a standard Ethernet connection or worse yet, by WIFI or some other wireless protocol that lacks the encryption and authentication needed to prevent tampering.

This approach, as you might surmise, is a ticking time bomb. Cybercriminals are not stupid they understand weaknesses, possess the means to guarantee success, and understand the impact of an attack.

Until now the only documented exploits in the SCADA security space have targeted foreign infrastructures, but I believe that this is certain to change.

A study carried out at the end of 2012 by Bob Radvanovsky and Jacob Brodsky of InfraCritical, a US-based security consultancy and conducted with assistance by the US Department of Homeland Security found that thousands of SCADA-based systems accessible from the Internet have weak default passwords defending them.

The two researchers used automated scripts to interrogate the grey hat SHODAN (Sentient Hyper-Optimised Data Access Network) and identified over 7,000 vulnerable, default logins out of an initial pool of 500,000 SCADA systems.

The good news is that the Department of Homeland Security has now started to reach out to the IT admins of this particular group of vulnerable SCADA-based systems, but reports suggest the remediation progress has been relatively slow.

Against this backdrop, there are discussions making the rounds in US IT security markets that, in return for allowing their SCADA systems to be scanned essentially vetted - by the federal government, the utilities and other critical national infrastructure (CNI) system owners will be protected against legal or regulatory action in the future.

The real issue with the security of SCADA systems is that, while you can employ software patches to make a system more secure, there is, unfortunately, no similar patch against human stupidity.

SCADA systems should never, ever, be connected directly to the Internet, because they are simply not resilient enough to hook up to the public network. They require the use of advanced layers of security firewalls, privileged identity management, secure proxies to be implemented as soon as possible for their defence.


VPN protocol flaw allows attackers to discover users' true IP address

The team running the Perfect Privacy VPN service has discovered a serious vulnerability that affects all VPN providers that offer port forwarding, and which can be exploited to reveal the real IP address of users.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Dec 1st