What is SCADA? Why do I care?

You care because everyone has one on the side of their house! It is attached to your incoming gas and electric lines; this is how they shut off power without coming to your house.

Supervisory Control And Data Acquisition (SCADA) systems are used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining, and transportation. In the USA, the infrastructure was designed at a time when fax machines and dial-up modems were in use. So the signals sent to the valves in a natural gas pipeline travel over telephone wire as a fax-machine-type signal. This is very easily hacked by anyone with the correct phone number for the valve, and a signal can be sent with no way for the receiver to verify who sent it.

Security of SCADA systems is important because these systems control water, electricity, and oil/gas pipelines, which makes them critical infrastructure that must be protected. Damage to these systems could take out entire grids of resources that are valuable to our nation. A cyberattack could cause significant damage in less than an hour (Chee-Wooi Ten, Chen-Ching Liu, & Manimaran, 2008). A perfect example is the Christmas Day bombing of the AT&T hub in Nashville. There were outages in several states affecting 911 systems, cellular towers, and landline phones at hospitals.

SCADA systems are particularly vulnerable because they are designed for ease of control and operation, not for protection against cyberattack. Historically, they were designed without requiring authentication to access and communicate with the programmable logic controller (PLC) that is used to automate valves and machinery (Coggins & Levine, 2014).

SCADA communication protocols allow plaintext transmissions, including passwords and usernames, leaving access control and authentication at risk. Patch management and software maintenance are often lacking; keeping code updated and secure reduces the exposed attack surface and improves communication security (Fink, Spenser & Wells, 2006).
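The missing piece described above is a way for the field device to verify who sent a command. The sketch below is an added example, not code from any SCADA product or from the cited sources: the frame layout, the names `seal` and `ValveController`, and the demo key are all hypothetical. It shows a controller that accepts a valve command only if it carries a valid HMAC tag and a counter newer than the last one it accepted.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment provisions a unique key per device.
DEMO_KEY = b"constructed-demo-key-not-for-use"
BODY_FMT = ">QHB"  # hypothetical frame: counter (8) | valve id (2) | action (1)
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, counter: int, valve_id: int, action: int) -> bytes:
    """Control-center side: build a command frame and append its HMAC tag."""
    body = struct.pack(BODY_FMT, counter, valve_id, action)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ValveController:
    """Field-device side: acts only on authentic, fresh commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far
        self.state = {}        # valve_id -> last accepted action

    def handle(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        counter, valve_id, action = struct.unpack(BODY_FMT, body)
        # A recorded frame has a valid tag, so freshness is checked separately.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.state[valve_id] = action
        return "accepted"


if __name__ == "__main__":
    plc = ValveController(DEMO_KEY)
    frame = seal(DEMO_KEY, counter=1, valve_id=7, action=0)
    print(plc.handle(frame))                            # authentic and fresh
    print(plc.handle(frame))                            # same frame again
    print(plc.handle(seal(b"some other key", 2, 7, 1)))  # sender without the key
```

The tag proves origin and integrity only; the command bytes are still sent in the clear, so confidentiality of credentials needs encryption on top of this.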

References

Chee-Wooi Ten, Chen-Ching Liu, & Manimaran, G. (2008). Vulnerability assessment of cybersecurity for SCADA systems. IEEE Transactions on Power Systems, 23(4), 1836-1846. doi:10.1109/TPWRS.2008.2002298

Coggins, C. S., & Levine, D. E. (2014). Monitoring and control systems. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (6th ed.). New York, NY: John Wiley & Sons.

Fink, R. K., Spenser, D. F., & Wells, R. A. (2006). Lessons learned from cyber security assessments of SCADA and other energy management systems. Retrieved from http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/1-NSTB_Control_Systems_Security_Standards_Accomplishments_and_Impacts.pdf
