In Depth
SCADA System Security: Out of Control
Industrial control systems such as SCADA systems sit squarely at the intersection of the digital and physical worlds. They're vulnerable, they're unpatchable, and they're connected to the Internet.
By Todd Datz
August 01, 2004 — CSO — Vitek Boden sought revenge. After he was turned down for a job with the Maroochy Shire Council in Queensland, Australia, the 48-year-old disgruntled techie unleashed his anger in early 2000 by hacking into the town's wastewater system at least 46 times. On two separate occasions, his electronic attacks (apparently he used a stolen laptop and a radio transmitter) led to pumping station failures that caused as much as 1 million liters of foul-smelling raw sewage to spill into parks, waterways and the grounds of a tourist resort. In the surrounding area on Australia's Sunshine Coast, creeks turned black.
Boden was a disgruntled ex-employee of Hunter Watertech, the company that had recently installed Maroochy's computerized sewage control system. Boden's attack became the first widely known example of someone maliciously breaking into a control system. But there have been other control system breaches, including, for example, a 1997 control tower shutdown at the Worcester (Mass.) Regional Airport and a Slammer-related disruption of the safety monitoring system at FirstEnergy's Davis-Besse nuclear plant in Ohio.
Electric utilities, oil and gas refineries, chemical factories and even food processing plants use control systems to digitize and automate tasks once handled by people: opening and closing valves in pipes and circuit breakers on the power grid, monitoring temperatures and pressures in reactors, and managing assembly line machinery. And because these systems are now connected to corporate networks, their vulnerabilities serve as an entrée into the guts of the nation's critical infrastructure. A malicious hacker or terrorist group could conceivably take down parts of the power grid, throwing the country into darkness; they could take out emergency telephone systems or disable the floodgates to a dam. Even scarier to terrorism experts is a digital intrusion combined with a physical attack
Experts worry that this issue is not getting enough attention from both government and the private sector, for a variety of reasons: technical ignorance, lack of funding and perhaps the absence of a major incident to date in the United States. Even with a concerted public-private effort, securing these systems will take years. Older, legacy controllers can't handle newer security technologies such as encryption; in fact, many don't even have enough horsepower to accept operating system updates or software patches. "How a control system works is different from an IT system, technologically," says Joe Weiss, the former technical manager of the Electric Power Research Institute's Enterprise Infrastructure Security program, now an executive consultant with Kema. "It's deterministic, cheap and old, with little in the way of computing resources. It's not in any way, shape or form designed to be a secure system." Compounding these technical challenges are a number of entrenched cultural and management obstacles. The people generally responsible for managing control systems are engineers who often have had little cybersecurity training