In Depth

SCADA System Security: Out of Control

Industrial control systems such as SCADA systems sit squarely at the intersection of the digital and physical worlds. They're vulnerable, they're unpatchable, and they're connected to the Internet.

By Todd Datz

Page 2

That's a lot of problems. And a recipe for potential disaster.

Efficient, but Not Secure

For years, distributed control systems and SCADA systems (see "Talk to Your Plants," this page, for the difference) were designed with proprietary technology, and were physically and technologically isolated from the corporate networks that run standard IT applications.

Fatefully, the drive for efficiencies of cost and time led many companies to knock down the wall that traditionally separated those two types of networks. In the electric power industry, for example, deregulation led to more interconnectedness as executives sought more information from control systems to help make output and pricing decisions. Manufacturing executives wanted to pull up real-time information from, say, their assembly lines, to monitor how efficiently their factories were running. "As the networking evolution came through and local and wide area networks were installed, they were generally installed by IT. Operations, so as not to spend double the money, started using the corporate LANs and WANs for the control networks," Weiss says. Ultimately, this meant many control systems were connected to the Internet.

This linkage has profound security implications. Now control systems are exposed (via the Internet, intranets, remote dial-up and wireless capabilities) to hacks, worms, viruses and other dangerous payloads. That exposure scares Jonathan Pollet, president of PlantData Technologies, who advises companies on control system security. "With each release of worms and viruses, there are more and more customers with downtime," he says. Pollet says the Sasser worm in spring 2004 took out several oil platforms in the Gulf of Mexico for two days. "They had firewalls, but worms crawled through commonly used ports like ports 80 and 139. If any type of connectivity is not turned off, a worm in a corporate network will crawl to control systems," he says. Another virus, SoBig, affected the dispatching and signaling systems of CSX Transportation, halting train service for four to six hours along the Northeast Corridor in August 2003.

Accentuating the connectivity problem is the growing move away from proprietary software toward standardized and off-the-shelf software and hardware. For example, Pollet notes that some SCADA software vendors use the same Microsoft connectivity tools found in products such as SQL Server and Exchange. "A worm written to take down a SQL server can take down a SCADA system that has nothing to do with the target server," says Pollet. The same vulnerabilities exist with other common technologies, from Unix to ActiveX.

Worlds Apart

Glance at the organizational chart of a typical large company and you'll see that cybersecurity falls under the purview of the CIO or, sometimes, the CISO. That makes sense; those execs are best qualified for the critical job of maintaining safe, secure and private IT networks. But who looks after the security of control systems? In most cases, Weiss says, the real answer is no one. The CISO knows IT security but nothing about the shop floor or the control systems. The VP of operations or manufacturing understands engineering and control systems but knows nothing about (and has no budget allotted for) cybersecurity.
