Understanding the Relative Insecurity of SCADA Systems

It wasn’t long ago that I wrote about how Supervisory Control and Data Acquisition (SCADA) systems affect those with special needs in Security and the Special Needs Person. I then posted an update on that original message in An Update On Special Needs Device Hacking. In both cases, I decried the lack of security for SCADA systems that affect those with special needs. I realize that only a truly nasty person would turn off someone’s insulin pump in order to kill them, but our world is unfortunately filled with some pretty nasty people.

One person (who shall remain nameless) wrote to tell me that it was fine that I was worried about special needs people, but that he wasn’t worried about it because these problems don’t affect him. Well, let’s say that you truly are superhuman and will never once need to use any sort of special needs device in your entire life (statistically, you’d really need to be superhuman or die early). Let’s put the whole SCADA issue in another light. Let’s look at your car.

Your car contains SCADA systems. Those ads you see for turning your car on, opening the windows, flashing the lights, and so on using a cell phone are really telling you about the SCADA systems in your car. If you can access your car using a cell phone, someone else can do the same thing. All they need to do is break the security, which someone has already conveniently done for them. CNET News recently ran an article about how an expert hacker had broken into a car.

Imagine now that you’re on an off-ramp. There are cars crowding you on both sides. A crook uses his cell phone to turn off your car engine and unlock the doors. Bam, you’re suddenly in a world of hurt because the car manufacturer thought it would be a neat idea to let you control your car using a cell phone. I have to wonder why such control is even necessary. Does it even serve a useful purpose? If so, why can’t it be secured better?

Of course, not every drives. So, let’s look at another SCADA issue. A recent InfoWorld article states bluntly that our water system is already under attack by hackers. Sure, the hackers are only kicking the tires of their new toy for now, but how long do you think they’ll wait to do something truly terrifying to your water supply? The experts have been warning about this sort of attack for quite some time, but everyone ignored them as being sensationalists. The sad thing is that the experts probably didn’t scream loud enough this time.

Someone out there is probably thinking that the bad guys can overcome physical security too. You’re right, of course. Someone can remove a padlock, jimmy a car, and overcome physical security in all sorts of other ways. The point is that the bad guy has to be in physical contact with the object to overcome it when you’re using physical security. In addition, if you’re nearby, a physical security system often buys you enough time to call the police or obtain help in some other way. The remote control nature of SCADA systems makes it possible for someone to break into the system and do something nasty with it long before you’re even aware of the intruder.

SCADA systems make a modern world possible by allowing remote control of many of the devices that we need to live. I can fully understand how a utility would need to monitor and control a system from a remote location, and how such control actually makes the system safer. However, it’s time that we realize that these systems are dangerous in the wrong hands and that we need to do something about them before a major accident occurs. Here are some ways to make SCADA systems better:

 

  • The SCADA systems we do need should be secured better.
  • All SCADA systems should be restricted to wired connections only and those wired connections should be on a private, secure, network.
  • Researchers should be advised not to research break-ins for hackers to use (and then publish them for the whole world to see).
  • Our society also needs to seriously consider where SCADA systems can be removed.


Remote control is a two-edged sword and you can bet the bad guys have no compulsion about playing dirty—count on them not following the rules. If there is a way for you to access something, the bad guys will find a way to access it too. Let me know what you think about the threat of SCADA system break-ins at John@JohnMuellerBooks.com.