Over the past twenty years, control of the services that we consider essential for our way of life – electricity, petroleum production, water, transportation, manufacturing and communications – has shifted to networked computers known as either Supervisory Control And Data Acquisition (SCADA) systems or industrial automation systems. Little thought was given to the security implications of this shift, since these control devices were believed to be immune to cyber attack.

Recent events have shown this complacency has been misguided – in 2003 the Slammer Worm interrupted power distribution SCADA systems, infected the safety parameter display system (SPDS) computers in a nuclear plant and impacted oil operations in the Gulf of Mexico. Hackers have also infiltrated water treatment SCADA systems with key loggers, shut down petroleum loading facilities and deliberately caused sewage spills. Even innocent security scans of PLC and SCADA networks have caused millions of dollars of production losses for companies. Compounding the problem is the fact that the flaws in SCADA technologies have become general knowledge in the hacking community – detailed presentations on how to exploit SCADA vulnerabilities have been given at public conferences such as BRUM2600, ToorCon 2005 and Blackhat Federal.

Organizations which operate SCADA and automation systems have good reason to be concerned about cyber security. Not only has the number of incidents increased dramatically in the past five years, but the seriousness of these events appears to be growing as well. Furthermore, the cost of an incident can be substantial. Failure to adapt to the changing landscape of security threats and vulnerabilities will leave the industrial controls world exposed to increasing numbers of cyber incidents. The result could easily be loss of reputation, environmental impacts, production and financial loss and even human injury.

The good news is that there are proven solutions for securing SCADA and control systems from cyber attack. These include evolving standards such as ISA 99 and NERC CIP-002…009, as well as best practices in security policy, security education programs, layering of firewall defenses and the hardening of endpoint devices through patch management, antivirus deployment, and micro-firewalls within the control network.

If you are an automation professional or network security expert concerned with the operation and protection of critical infrastructures, we invite you to browse our collection of technical articles, papers and good practice guides on industrial security. Make your control system intrinsically secure.