Control systems tend to be overlooked simply because the average John Q. Hacker doesn’t understand them. This does nothing to mitigate the threat.
Supervisory control and data acquisition (SCADA) and process control systems are two common types of industrial control systems that oversee the operations of everything from nuclear power plants to traffic lights. Their need for a combination of physical security and cybersecurity has largely been ignored, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research group funded by the Homeland Security Department.
As more and more non-SCADA people take notice the blinders are starting to lower from the eyes of SCADA operators. There has been a long held misconception that SCADA systems are secure because no one knows how to hack them. This is a sadly misguided perspective. A simple search on Google will provide some examples (3rd result) of web based login screens for SCADA systems. These systems are being attached to the internet. This is a frightening trend because historically SCADA systems have not been built with security in mind. Because control systems are built to address realtime data they often conflict with IT Security systems such as antivirus which can slow system response times during a scan. Short answer, SCADA can’t suffer downtime. Now take into account the fact that these systems can’t be down and they’re also now being attached to the internet. OK, starting to get the picture?
Most experts agree that measuring the risk from cyberattacks on critical infrastructure is difficult. Attacks are rare because control systems are still complex and individualized enough to make cracking them difficult, although a hacker who knows a particular system well can break into it easily, said Jason Larson, senior cybersecurity researcher at the Idaho National Laboratory, which leads federal efforts into critical infrastructure cybersecurity.
These systems are used to control, oil&gas, electricity, sewage, traffic lights et cetera. The predisposition of SCADA operators to wave their hands and dismiss security concerns will have to end now. The problem of control system security is something that can be addressed. The problem will be enlightening the control system operators and that we also have to wake up the manufacturers of these systems such as ABB or Siemens.
[tags]SCADA, SCADA Security, Control Systems, Critical Infrastructure[/tags]
