Supervisory control and data acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities in America, as well as in other countries. These devices are part of the nation’s critical infrastructure and should be protected from the growing and evolving list of security threats that exist today. SCADA devices are useful in that they collect and analyze data and control equipment from remote locations. However, they also present a security risk. Currently, there are 61 commercially operating nuclear power plants in the US and 99 nuclear reactors in 30 states (EIA, 2016). A growing number of nuclear power plants and reactors dramatically increases the risks associated with these facilities, even more so if the network is not properly secured and a cyberattack occurs.
These systems, often legacy systems, were not built with security in mind, do not always have access controls, are not usually configured with account groups, and can be extremely susceptible to massive disruptions. So what is known about SCADA environments? Here are four myths that do not hold up.
- It’s hard to secure a SCADA environment. While most SCADA devices are old and not as intuitive as some of the latest software on the market, securing them is not impossible and not nearly as difficult as initially perceived. Most SCADA systems do not share a common platform, so securing one is usually a matter of problem-solving on that particular device rather than simply downloading a “one-size-fits-all” solution or patch.
- SCADA devices are not online, therefore they are not vulnerable. Users of SCADA devices assume that the environment is secure when it is not connected to the internet; this approach is often called “air gapping”. While an employee might not be able to use the SCADA system to access social media accounts or check email, some systems are connected to the internet for alerting purposes, and this, combined with the mistaken belief that air gapping eliminates risk, creates a false sense of security. Also, even if a device is not connected to the internet, there is usually no monitoring of the device, so physical tampering with the local equipment by employees or anyone else with access could occur. Given the opportunity, anyone with ill intentions and the motivation to gain access to a system supported by a SCADA device could attempt to compromise an employee. Where enough motivation, incentive and willingness to be compromised exist, this situation creates vulnerabilities, as your organization is only as strong as its weakest link.
- SCADA environments are not a target. Wrong: SCADA environments are a target. A nation-state malicious actor is one example of an entity that would want to gain access to a SCADA environment. Gaining access to many SCADA devices enables control over critical infrastructure, such as power plants, electric providers, water treatment, gas supply, oil, etc. Seizing control of a U.S. nuclear power plant could lead to devastating destruction, loss of life and long-term negative effects on American citizens.
- SCADA devices do not have valuable information. Yes, they do. Nation states can derive critical infrastructure usage from this data and, once in control, can also disrupt service. The data could be used for malicious actions and exploitation if that is the agenda of the perpetrator. Regardless of what the critical infrastructure produces, its services affect millions of consumers. Manipulation of these services may cause service disruption, outages, damage, or even death.
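The second myth above rests on an air-gap claim that is rarely verified. The following is an added example (not code from the original post or from TruShield) of a defender-side audit that tests that claim: it takes connection records exported from the SCADA segment and flags every flow that crosses the OT boundary, separating approved egress (such as an alerting host sending mail) from unexpected egress and inbound connections from outside the segment. The OT address range, the approved-egress list and the sample flow records are all constructed assumptions.

```python
import ipaddress

# Constructed sample flow records from a SCADA segment: (src, dst, dst_port, proto).
# These are hypothetical and only serve to exercise the audit below.
SAMPLE_FLOWS = [
    ("10.50.1.10", "10.50.1.20", 502, "tcp"),      # HMI -> PLC (Modbus/TCP), inside OT
    ("10.50.1.11", "10.50.1.21", 20000, "tcp"),    # DNP3 master -> outstation, inside OT
    ("10.50.1.10", "198.51.100.25", 25, "tcp"),    # alerting host -> approved SMTP relay
    ("10.50.1.12", "203.0.113.7", 443, "tcp"),     # unexpected outbound HTTPS
    ("192.0.2.40", "10.50.1.20", 502, "tcp"),      # inbound Modbus from outside OT
]

# Assumed OT address space and the site's approved egress destinations (dst, port).
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
APPROVED_EGRESS = {("198.51.100.25", 25)}


def in_segments(addr, segments):
    """True if addr falls inside any of the given OT networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in segments)


def audit_air_gap(flows, ot_segments=OT_SEGMENTS, approved=APPROVED_EGRESS):
    """Return every flow that crosses the OT boundary, tagged by what it means for the air gap.

    Flows entirely inside the OT segments are the expected case and are not reported.
    """
    findings = []
    for src, dst, port, proto in flows:
        src_ot = in_segments(src, ot_segments)
        dst_ot = in_segments(dst, ot_segments)
        if src_ot and dst_ot:
            continue                                 # intra-OT traffic: air gap holds
        if src_ot:
            kind = "approved_egress" if (dst, port) in approved else "unexpected_egress"
        elif dst_ot:
            kind = "external_ingress"                # no air-gapped segment should see this
        else:
            kind = "transit"                         # neither side is OT: export is mis-scoped
        findings.append((kind, src, dst, port, proto))
    return findings


def air_gap_holds(flows, **kw):
    """True only if no flow at all crosses the OT boundary."""
    return not audit_air_gap(flows, **kw)


if __name__ == "__main__":
    for finding in audit_air_gap(SAMPLE_FLOWS):
        print(*finding)
    print("air gap holds:", air_gap_holds(SAMPLE_FLOWS))
```

Any "unexpected_egress" or "external_ingress" line is direct evidence that the segment is not air-gapped, and even "approved_egress" shows the alerting path the text warns about, which then needs its own monitoring.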
In conclusion, SCADA systems are increasing in complexity due to the integration of varying elements, in many cases produced by different manufacturers. It is necessary to address the security level of each device, the overall environment, and anyone who is given access. Security must become a larger focus of industrial system projects. Additionally, the Department of Homeland Security, the Federal Bureau of Investigation (FBI), and the National Counterterrorism Center have declared cyberattacks the most likely form of terrorism against the United States in the coming years (Wisniewski, 2011). This should make us think about the real importance of security for the critical systems of our infrastructure, including SCADA.
About the contributing author(s):
Mr. Corey Lancaster has over 18 years in the industry. He is a three-time US Air Force War Veteran and has held titles such as VP of Sales and Marketing, IT Security Director, Program and Deputy Manager on International contracts. He has worked at all levels of IT from the Help Desk to Global Risk Management for the Department of Defense and is a security and compliance Subject Matter Expert.
With over 10 years of progressive content marketing experience, Maria Gupta is a regular contributor and author to TruShield’s TruBlog. Focused on providing insight from a managed security service provider’s perspective, she gives a fresh and innovative perspective on the industry in her work.
U.S. Energy Information Administration – EIA – Independent Statistics and Analysis. (2016, November 8). Retrieved March 07, 2017, from https://www.eia.gov/tools/faqs/faq.cfm?id=207&t=3
Wisniewski, C. (2011, December 12). FBI acknowledges more SCADA attacks, increases cyber budget. Retrieved March 07, 2017, from https://nakedsecurity.sophos.com/2011/12/13/fbi-acknowledges-more-scada-attacks-increases-cyber-budget/