The growing risk of vulnerable SCADA systems

In the energy and utilities sector, there’s a huge dependence on SCADA systems (Supervisory Control and Data Acquisition). They’re used for everything from automating plant machinery to controlling supply. So, in turn, end-users rely heavily on those systems, too – that means all of us.

However, the number of application vulnerabilities found in SCADA systems has grown significantly over the past few years. What were once seen as isolated, secure systems that could be relied upon are now the target of considerable risk.

And that risk has been largely caused by SCADA systems – and an attitude towards them – that simply hasn’t kept up with change.

How SCADA systems have changed

Once, SCADA systems were highly isolated from the wider network – and certainly from the internet. As a result, exposure was limited to internal threats. Even where vulnerabilities may have existed, they did not score highly in terms of criticality.

Today, the energy and utilities sector has changed. Looking for new efficiencies, cost savings, and flexibility, SCADA systems are more integrated than ever before. The cloud, the internet, and widespread networking sees SCADA systems that are accessible remotely from anywhere in the world. Some leading platforms even include web-based applications, a constantly connected point of access.

These are all good things. They come with opportunities to work more flexibly, to monitor more continuously, and to increase availability.

But they also come with security concerns that just didn’t apply to SCADA systems before. Now, whether it’s the core SCADA software or a connected technology like ActiveX that’s vulnerable, attackers potentially have several attack vectors to choose from.

SCADA isn’t special

Given their very important role, it’s tempting to think that SCADA systems are somehow distinct from the more familiar Microsoft Office suite, or that handy third-party collaboration application you’ve found. After all, they require specialist expertise to operate.

Unfortunately, they don’t require specialist expertise to attack – no more than any other piece of software. Some input goes in, the system parses it, and then does something as a result. That’s all attackers need to know.

SCADA systems aren’t special. They potentially face the same threats and vulnerabilities as anything else in your infrastructure.

However, there is one crucial way in which SCADA software sets itself apart – it’s seriously behind the times:

  • Sporadic security updates
  • Little vendor focus on closing application vulnerabilities
  • Low user awareness and slow patching

In this climate, energy and utility companies need to take the lead. It’s only then that SCADA system developers will put security in the spotlight.

Securing your SCADA systems

To some degree, an intelligent implementation is the secret to a secure SCADA. Following best practices can minimise an organisation’s exposure to threats that exploit application vulnerabilities.

However, this isn’t 100% efficient. Even if a company is using secure SCADA communication protocols and restricting access to trusted hosts, the uncertain threat of unknown, undiscovered vulnerabilities will always remain.

That’s why the focus should be on awareness and intelligence. After all, when you know a vulnerability exists, you can do something about it.

Written by