Supervisory Control and Data Acquisition systems are the technology connection between control systems and the switches, pumps, and motors that run our automated physical world. SCADA is the basis of everything from power plants to train systems. It’s also one heck of a security risk.
I’ve talked about SCADA before in a few posts, including this, this, and this. In general, it seems obvious that running these things on standard IT technology, then connecting them to the Internet (no matter how many firewalls you have) isn’t the smartest idea in the world. This is highly contested by SCADA traditionalists who constantly assure us that the odds of a successful attack resulting in physical impacts are extremely low. Methinks those traditionalists might need to pull their heads out of either the sand or a rather unattractive orifice, since there are more than enough examples these days to prove them wrong.
CIA: Hackers to Blame for Power Outages By TED BRIDIS — 3 hours ago WASHINGTON (AP) – Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference. All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in “several regions outside the United States.” “In at least one case, the disruption caused a power outage affecting multiple cities,” Donahue said in a statement. “We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
Both Hoff and Stiennon predicted SCADA attacks this year (and I made fun of them for it, but that’s another story).
Now before you SCADA defenders get your panties in a bunch, over my career as an analyst and consultant I was privy to more than one successful and physically dangerous SCADA attack communicated to me by clients. I’ll never talk details, but they really happened, putting lives at stake.
I’ll still talk SCADA, but there’s enough evidence now of real problems that I don’t see the need to waste time trying to prove how important it is. If you don’t get it by now, you never will, and I hope you don’t have anything to do with my corner of the power grid.
Okay, just a quick primer on the major risks of connecting a process control network with the business network:
- Loss of communications due to a non-SCADA failure or attack disrupting network communications. Inability to monitor and control remotely.
- Exploitable vulnerabilities on SCADA systems running on standard platforms, e.g. Windows. You often can’t patch a running SCADA system or install antivirus, HIPS, or other defenses. Vulnerable to mass exploits that have nothing to do with SCADA.
- Direct attack on SCADA software/systems.
- Exploitation of a control workstation which is then used to access/control the SCADA system. Has the added advantage that the attacker can remotely monitor normal activity to determine how to commit malicious actions on a proprietary system they don’t have prior knowledge of.