SCADA and security

A recent article by Hal Hodson of Information Age reports that the FBI has publicly stated that hackers have successfully targeted SCADA systems in three unnamed US communities. The attacks were reported to have had the potential to shut down electricity at a nearby mall and to dump sewage. Just weeks earlier came an announcement from the Illinois Statewide Terrorism and Intelligence Center claiming that a water pump failure was caused by a hacker attacking the pump control system; the failure was attributed to the attackers repeatedly turning the pump on and off. (The Illinois attack has since been refuted by the FBI, so it must not be one of the three sites reported above, right?)

So, what exactly is SCADA? Supervisory Control and Data Acquisition. SCADA systems monitor and control industrial processes and infrastructure, such as the generation and distribution of electricity or the delivery of water to communities. In short, they run the infrastructure we rely on every day, so the failure of a SCADA system can affect a large number of people.

For a demonstration of the damage an attack on a SCADA network can cause, look back to Stuxnet. This malware was reported to target very specific Siemens-based SCADA systems. (The targeting was so specific that there was speculation that the purpose of the malware was to damage Iran's nuclear facilities.) While details are hard to come by, it appears that the Stuxnet attack resulted in damage to centrifuges. (A centrifuge is used to separate the isotopes of uranium.)

Stuxnet altered the logic running on the programmable logic controllers so that the equipment was effectively "mis-operated", while feeding normal-looking data back to the operators so that the mis-operation went unnoticed. That mis-operation resulted in physical damage. Stuxnet also showed how hard it is to keep malware out of SCADA systems. In theory, Stuxnet should never have reached the systems controlling the centrifuges, since they were not connected to the Internet. In practice it did, because the malware was introduced some other way, whether carried in on a USB device or over a network connection, and then spread across the internal network. An air gap is not a complete defense, and this underlines the risk of taking SCADA systems that are already network-capable and making them reachable from the Internet.
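The two incidents above point at the same defensive check: compare what the control system says it is doing against evidence that does not come from the control system. The following Python is an added example, not code from the article or from any product mentioned in it. It runs two plausibility checks over constructed telemetry: one flags an actuator being commanded on and off far faster than any operator or control loop would (the Illinois pump story), the other flags a reported value that sits perfectly flat while an independent gauge says the process is drifting (the Stuxnet pattern of replaying "normal" data). The `Sample` record, the hypothetical out-of-band `measured` gauge, the sample rate and all thresholds are assumptions chosen for illustration.

```python
"""Two plausibility checks over SCADA telemetry (added example; all data constructed).

Check 1 (the Illinois pump scenario): an actuator commanded on and off far more often
than a legitimate operator or control loop would do it.
Check 2 (the Stuxnet scenario): the value the PLC reports sits perfectly flat while an
independent, out-of-band gauge says the process is drifting away from it.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Sample:
    t: float         # seconds since start of the record
    cmd: int         # commanded pump state: 1 = run, 0 = stop
    reported: float  # process value as reported by the PLC to the HMI/historian
    measured: float  # same quantity from an independent gauge (hypothetical source)


def detect_rapid_cycling(samples, window_s=60.0, max_toggles=4):
    """Timestamps at which the number of on/off transitions inside the trailing
    window exceeds max_toggles. Thresholds are illustrative, not from any standard."""
    alerts = []
    toggles = deque()  # timestamps of recent transitions
    prev_cmd = None
    for s in samples:
        if prev_cmd is not None and s.cmd != prev_cmd:
            toggles.append(s.t)
            # drop transitions that have fallen out of the trailing window
            while toggles and s.t - toggles[0] > window_s:
                toggles.popleft()
            if len(toggles) > max_toggles:
                alerts.append(s.t)
        prev_cmd = s.cmd
    return alerts


def detect_falsified_reporting(samples, tolerance=5.0, flat_run=5):
    """Timestamps where the reported value has been identical for at least flat_run
    consecutive samples (a replayed 'everything is normal' reading) while the
    independent measurement disagrees with it by more than tolerance."""
    alerts = []
    run = 0
    last = None
    for s in samples:
        run = run + 1 if s.reported == last else 1
        last = s.reported
        if run >= flat_run and abs(s.reported - s.measured) > tolerance:
            alerts.append(s.t)
    return alerts


def constructed_telemetry():
    """Three constructed records sampled every 5 s: normal operation, a pump being
    hammered on/off, and a PLC replaying a flat value while the process drifts."""
    normal = [Sample(5.0 * i, 1, 60.0 + (i % 3) * 0.4, 60.3 + (i % 3) * 0.4)
              for i in range(11)]
    # after 55 s the command flips on every sample for 50 s
    cycling = normal + [Sample(55.0 + 5.0 * k, k % 2, 60.0, 60.3) for k in range(10)]
    drifting_gauge = [62, 61, 63, 62, 60, 59, 55, 52, 49, 45, 40]
    replayed = [Sample(5.0 * i, 1, 62.0, float(m)) for i, m in enumerate(drifting_gauge)]
    return normal, cycling, replayed


if __name__ == "__main__":
    normal, cycling, replayed = constructed_telemetry()
    print("normal  :", detect_rapid_cycling(normal), detect_falsified_reporting(normal))
    print("cycling :", detect_rapid_cycling(cycling))
    print("replayed:", detect_falsified_reporting(replayed))
```

The second check only works if the `measured` column really is independent of the PLC: a gauge read over the same fieldbus by the same controller can be replayed just as easily as the primary value. In a real plant that independent source might be a separate meter, a physical inspection log, or power draw from the electrical side, and the thresholds would come from the process engineers rather than from a blog post.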

So you would think that a malware infection like Stuxnet could not happen again. Not so fast: Iran has reported that it is now dealing with another piece of malware, Duqu, which it says is targeting its civil defense systems.

Well, what can we learn from all of this? Certainly, virus scanners are of limited value today, especially against a determined adversary using malware that has never been seen before. So it truly is important that SCADA systems be shielded from the introduction of malware in the first place, whether over the Internet or through a USB device, rather than relying on detecting it after it has arrived.

As consumers, we all have an interest in the security of the SCADA systems that manage our power, our water, and even our prisons.