By Kevin Coleman — Defense Tech Cyberwarfare Correspondent
Recently I was conducting some research on critical infrastructure security for the next version of my book, the Cyber Commander’s eHandbook. During that work, I repeatedly encountered a particular threat that increases the risks everyone faces when it comes to critical infrastructure protection and beyond. The issue is the process of publicly disclosing previously unknown vulnerabilities in sensitive or critical systems like SCADA controllers.
SCADA systems were first put into use back in the 1960s. Since then, they have grown dramatically in their use and capabilities. Modern-day SCADA controllers are used in everything from relatively simple applications like monitoring the HVAC systems / environmental conditions of small office buildings to highly complex tasks like monitoring and controlling activity in nuclear power plants.
(Remember that the Stuxnet worm went after Siemens-built SCADA systems used at Iranian nuclear facilities. That’s the country’s Bushehr reactor shown above.)
So how big is the exposure? North America, Europe, the Middle East, and Africa are the most significant users of SCADA products. Their popularity and use are evidenced by the fact that the market for SCADA equipment is experiencing double-digit growth. Market analysts expect the total market for SCADA products to grow at nearly 10 percent for at least the next five years. This shows how common these systems are, which makes them a top cyber attack target.
In the spring of this year, security researchers publicly disclosed the existence of 34 SCADA system vulnerabilities. Analysis indicated that 15 were new zero-day (never seen before) threats, of which 13 are said to affect eight different SCADA products. The problem is, the security researchers’ actions left organizations using the affected SCADA systems vulnerable to attack/exploitation. We keep doing this. I am all for quick action when a vulnerability is identified, but the process needs to be changed so that we don’t increase the risk and open sensitive systems up to enhanced attacks while patches are designed and tested to fix these holes.