Understanding the Relative Insecurity of SCADA Systems

It wasn’t long ago that I wrote about how Supervisory Control and Data Acquisition (SCADA) systems affect those with special needs in Security and the Special Needs Person. I then posted an update on that original message in An Update On Special Needs Device Hacking. In both cases, I decried the lack of security for SCADA systems that affect those with special needs. I realize that only a truly nasty person would turn off someone’s insulin pump in order to kill them, but our world is unfortunately filled with some pretty nasty people.

One person (who shall remain nameless) wrote to tell me that it was fine that I was worried about special needs people, but that he wasn’t worried about it because these problems don’t affect him. Well, let’s say that you truly are superhuman and will never once need to use any sort of special needs device in your entire life (statistically, you’d really need to be superhuman or die early). Let’s put the whole SCADA issue in another light. Let’s look at your car.

Your car contains SCADA systems. Those ads you see for turning your car on, opening the windows, flashing the lights, and so on using a cell phone are really telling you about the SCADA systems in your car. If you can access your car using a cell phone, someone else can do the same thing. All they need to do is break the security, which someone has already conveniently done for them. CNET News recently ran an article about how an expert hacker had broken into a car.

Imagine now that you’re on an off-ramp. There are cars crowding you on both sides. A crook uses his cell phone to turn off your car engine and unlock the doors. Bam, you’re suddenly in a world of hurt because the car manufacturer thought it would be a neat idea to let you control your car using a cell phone. I have to wonder why such control is even necessary. Does it even serve a useful purpose? If so, why can’t it be secured better?

Of course, not every drives. So, let’s look at another SCADA issue. A recent InfoWorld article states bluntly that our water system is already under attack by hackers. Sure, the hackers are only kicking the tires of their new toy for now, but how long do you think they’ll wait to do something truly terrifying to your water supply? The experts have been warning about this sort of attack for quite some time, but everyone ignored them as being sensationalists. The sad thing is that the experts probably didn’t scream loud enough this time.

Someone out there is probably thinking that the bad guys can overcome physical security too. You’re right, of course. Someone can remove a padlock, jimmy a car, and overcome physical security in all sorts of other ways. The point is that the bad guy has to be in physical contact with the object to overcome it when you’re using physical security. In addition, if you’re nearby, a physical security system often buys you enough time to call the police or obtain help in some other way. The remote control nature of SCADA systems makes it possible for someone to break into the system and do something nasty with it long before you’re even aware of the intruder.

SCADA systems make a modern world possible by allowing remote control of many of the devices that we need to live. I can fully understand how a utility would need to monitor and control a system from a remote location, and how such control actually makes the system safer. However, it’s time that we realize that these systems are dangerous in the wrong hands and that we need to do something about them before a major accident occurs. Here are some ways to make SCADA systems better:

 

  • The SCADA systems we do need should be secured better.
  • All SCADA systems should be restricted to wired connections only and those wired connections should be on a private, secure, network.
  • Researchers should be advised not to research break-ins for hackers to use (and then publish them for the whole world to see).
  • Our society also needs to seriously consider where SCADA systems can be removed.


Remote control is a two-edged sword and you can bet the bad guys have no compulsion about playing dirty—count on them not following the rules. If there is a way for you to access something, the bad guys will find a way to access it too. Let me know what you think about the threat of SCADA system break-ins at John@JohnMuellerBooks.com.

 

Author: John

John Mueller is a freelance author and technical editor. He has writing in his blood, having produced 99 books and over 600 articles to date. The topics range from networking to artificial intelligence and from database management to heads-down programming. Some of his current books include a Web security book, discussions of how to manage big data using data science, a Windows command -line reference, and a book that shows how to build your own custom PC. His technical editing skills have helped over more than 67 authors refine the content of their manuscripts. John has provided technical editing services to both Data Based Advisor and Coast Compute magazines. He has also contributed articles to magazines such as Software Quality Connection, DevSource, InformIT, SQL Server Professional, Visual C++ Developer, Hard Core Visual Basic, asp.netPRO, Software Test and Performance, and Visual Basic Developer. Be sure to read John’s blog at http://blog.johnmuellerbooks.com/. When John isn’t working at the computer, you can find him outside in the garden, cutting wood, or generally enjoying nature. John also likes making wine and knitting. When not occupied with anything else, he makes glycerin soap and candles, which comes in handy for gift baskets. You can reach John on the Internet at John@JohnMuellerBooks.com. John is also setting up a website at http://www.johnmuellerbooks.com/. Feel free to take a look and make suggestions on how he can improve it.