The SCADA security challenge
by Philip Lieberman - President and CEO of Lieberman Software - Thursday, 7 March 2013.
Against this backdrop, there are discussions making the rounds in US IT security markets that, in return for allowing their SCADA systems to be scanned – essentially vetted – by the federal government, the utilities and other critical national infrastructure (CNI) system owners will be protected against legal or regulatory action in the future.

The real issue with the security of SCADA systems is that, while you can employ software patches to make a system more secure, there is, unfortunately, no similar patch against human stupidity.

SCADA systems should never, ever, be connected directly to the Internet, because they are simply not resilient enough to hook up to the public network. They require the use of advanced layers of security – firewalls, privileged identity management, secure proxies – to be implemented as soon as possible for their defence.

I believe that the problem is rooted in the fact that – as my research teams repeatedly discover – utility companies almost without exception fail to make the requisite investments in IT security that you'd find in other industries of comparable size – unless, of course, the utilities are forced by federal agencies and auditors to take action.


Making SCADA systems more secure

Given that the very heart of our nation's infrastructure runs on SCADA, how do we make these systems more secure? Are there really so many active threats out there?

Here's what I believe is the heart of the issue: SCADA systems can be based on a combination of embedded controllers combined with Windows or Linux systems. This combination isn't terribly insecure in isolation, but once connected to the Internet (as a matter of convenience and for holistic management), every component now needs to be patched and managed for access and authorization since there are no longer any locked doors keeping the wrong people out.

Corporate IT systems are – most of the time – protected by network firewalls, intrusion and anomaly detection systems, endpoint security software, and other prevailing safeguards. Once they're connected to the Internet there's simply no excuse for SCADA networks not to employ – at the very least – those same essential layers of security to protect against external attacks. The bad news is that a great many SCADA deployments do not even begin to utilize these broadly adopted technologies.

And the bottom line is...

The bottom line is that a great many SCADA networks are designed and deployed by electrical engineers who lack IT security training, and I believe that this engineering culture is often naïve when it comes to the threats that foreign powers and sociopaths could have on their designs. Consequently many SCADA networks have a security blind spot, with a healthy dose of attention paid to whether the controls interact safely with their physical environments but far too little focus on how well the systems can withstand cyber attacks.

Copyright 1998-2013 by Help Net Security.