The Increased Threat of Attacks on SCADA Systems

By Kevin Coleman — Defense Tech Cyberwarfare Correspondent

Recently I was researching critical infrastructure security for the next version of my book, the Cyber Commander’s eHandbook. During that work I repeatedly encountered a practice that increases the risk everyone faces in critical infrastructure protection and beyond: the public disclosure of previously unknown vulnerabilities in sensitive or critical systems, such as SCADA controllers, before a fix is available.

SCADA systems were first put into use in the 1960s, and since then their use and capabilities have grown dramatically. Modern-day SCADA controllers are used in everything from relatively simple applications, such as monitoring the HVAC and environmental conditions of a small office building, to highly complex tasks such as monitoring and controlling activity in nuclear power plants.

(Remember that the Stuxnet worm went after Siemens SCADA software and PLCs used in Iran’s nuclear programme. The photo accompanying this post shows the country’s Bushehr reactor.)

So how big is the exposure? North America, Europe, the Middle East and Africa are the largest users of SCADA products, and the market for SCADA equipment is growing quickly: analysts expect it to grow at close to 10 percent a year for at least the next five years. These systems are everywhere, and their ubiquity, combined with the physical processes they control, makes them an attractive cyber attack target.

In the spring of this year, security researchers publicly disclosed 34 SCADA system vulnerabilities. Analysis indicated that 15 were zero-days (previously unknown flaws with no vendor patch available), 13 of which are said to affect eight different SCADA products. The problem is that the researchers’ disclosure left organizations running the affected SCADA systems open to exploitation before any fix existed. We keep doing this. I am all for quick action when a vulnerability is identified, but the process needs to change so that we don’t increase the risk and expose sensitive systems to attack while patches are designed and tested to close these holes.

  • blight

    From the Enemy of the People: Wikipedia

    “The term SCADA usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (anything from an industrial plant to a nation). Most control actions are performed automatically by Remote Terminal Units (“RTUs”) or by Programmable Logic Controllers (“PLCs”). Host control functions are usually restricted to basic overriding or supervisory level intervention. For example, a PLC may control the flow of cooling water through part of an industrial process, but the SCADA system may allow operators to change the set points for the flow, and enable alarm conditions, such as loss of flow and high temperature, to be displayed and recorded. The feedback control loop passes through the RTU or PLC, while the SCADA system monitors the overall performance of the loop.”

    The drive towards increasing automation, both to reduce manpower and to tie power supply closely to demand so that quickly available power-generating assets can meet transient surges, will increase vulnerability to attacks on remote decision-making systems.

    The joy of “soft” attacks…
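A toy model of the split the quoted paragraph describes (the PLC runs the feedback loop; the SCADA layer only changes set points and records alarms), added here as an illustration rather than code from the post or from any real product. The plant physics, alarm thresholds, scan timing and the “operator1” / “intruder” user names are all constructed for the example. It shows what the commenter’s point about remote decision-making systems looks like in practice: a single unauthorised set point write is enough to drive the loop into the loss-of-flow and high-temperature alarm conditions, so the supervisory interface has to authorise set point changes and keep an audit trail, not just display alarms.

```python
"""Toy PLC / SCADA split: local control loop vs. supervisory set points.

Constructed illustration, not code from any vendor. The PLC holds a
cooling-water flow set point with a proportional controller; the SCADA
layer changes the set point (if the caller is authorised), polls the
PLC and records alarm conditions such as loss of flow and high temperature.
"""

from dataclasses import dataclass, field


@dataclass
class Plc:
    """Runs the local control loop once per scan cycle."""

    flow_setpoint: float = 50.0   # litres/min the loop tries to hold
    flow: float = 50.0            # measured flow (constructed process)
    temperature: float = 60.0     # process temperature in degrees C
    gain: float = 0.5             # proportional gain (constructed)

    def scan(self) -> None:
        # Proportional control: move flow toward the set point.
        self.flow += self.gain * (self.flow_setpoint - self.flow)
        # Constructed plant physics: more cooling flow lowers temperature.
        # Equilibrium temperature is 110 - flow, so 50 L/min holds 60 C.
        target_temp = 110.0 - self.flow
        self.temperature += 0.5 * (target_temp - self.temperature)


@dataclass
class Scada:
    """Supervisory layer: set point overrides, alarm recording, audit log."""

    plc: Plc
    authorized_operators: set = field(default_factory=lambda: {"operator1"})
    low_flow_alarm: float = 20.0    # alarm when flow drops below this
    high_temp_alarm: float = 85.0   # alarm when temperature exceeds this
    alarm_log: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def set_flow_setpoint(self, user: str, value: float) -> bool:
        """Apply a supervisory set point change if the caller is authorised."""
        if user not in self.authorized_operators:
            self.audit_log.append(f"REJECTED setpoint={value} from {user}")
            return False
        self.plc.flow_setpoint = value
        self.audit_log.append(f"setpoint={value} by {user}")
        return True

    def poll(self, cycle: int) -> list:
        """Read the PLC and record alarm conditions; returns alarms raised now."""
        raised = []
        if self.plc.flow < self.low_flow_alarm:
            raised.append(f"cycle {cycle}: LOSS OF FLOW flow={self.plc.flow:.1f}")
        if self.plc.temperature > self.high_temp_alarm:
            raised.append(f"cycle {cycle}: HIGH TEMP temp={self.plc.temperature:.1f}")
        self.alarm_log.extend(raised)
        return raised


def run(cycles: int, setpoint_changes: dict) -> Scada:
    """Simulate `cycles` scans; setpoint_changes maps cycle -> (user, value)."""
    scada = Scada(Plc())
    for cycle in range(cycles):
        if cycle in setpoint_changes:
            user, value = setpoint_changes[cycle]
            scada.set_flow_setpoint(user, value)
        scada.plc.scan()
        scada.poll(cycle)
    return scada


if __name__ == "__main__":
    # Authorised operator lowers the flow set point: the loop obeys and the
    # SCADA layer records loss-of-flow and high-temperature alarms.
    s = run(40, {5: ("operator1", 10.0)})
    print(s.audit_log, s.alarm_log[:2], sep="\n")
    # Same write from an unknown user is rejected and audited; no alarms.
    s = run(40, {5: ("intruder", 10.0)})
    print(s.audit_log, s.alarm_log, sep="\n")
```

In this model a set point change is the only lever the supervisory side has over the process, which is exactly why it is the lever an attacker on the remote side would reach for; the model therefore gates every write on the caller’s identity and writes both accepted and rejected changes to the audit log.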

  • nraddin

    If you breed out variations you breed in vulnerability. If you want your system to be resistant then go proprietary. As much crap as MS always got for ‘security through obfuscation’, it really is hard to hit what you can’t see. Personally I am surprised that any of these SCADA systems are similar enough to find security holes that work from one system to the next.

    • Kevin

      You wrote: “Personally I am surprised that any of these SCADA systems are similar enough to find security holes that work from one system to the next.”

      I was shocked, and that is my biggest area of concern!

  • Musson1

    Is this the way Open Source ends? Not with a bang but a Stuxnet?

    • nunya

      Were any of the compromised systems opensource? It was my understanding that they were closed source systems with default login back doors, something that wouldn’t last very long in an open source project.

  • Reader

    An article about SCADA, and you did not reference even one additional source? Nothing about the DHS and ICS-CERT security advisories, or limiting their input to software security vs. design flaws? Nothing referencing attempts to secure SCADA systems, either in design, coding, or testing, nor through manufacturers or customers who use the systems?

    Your total input to this discussion is “Here are facts about SCADA from top google searches. I think we shouldn’t put out word of vulnerabilities until they’re patched.” Another fluff piece that reads like you’re trying to stretch out a high school essay.

    Reference for more substantial information about DHS’s approach:
    http://threatpost.com/en_us/blogs/dhs-thinks-some…

  • itfunk

    To be fair he’s not researching scada systems he’s researching FUD marketing opportunities.

    Coleman’s hyperbole is way overblown. To wreck these systems you have to have a lot of knowledge of how they operate.

    Just for example, put Coleman in a nuclear reactor control room, say unsupervised for a day, and the chances that he is able to cause a meltdown are next to zero. You could do the same thing for weeks and he still wouldn’t be able to break the system.

    The consultants will run their scam until people wise up and realize there is nothing in what they say, and then they will move on to the next scam. It’s been going on for decades.