In the energy and utilities sector, there’s a huge dependence on SCADA systems (Supervisory Control and Data Acquisition). They’re used for everything from automating plant machinery to controlling supply. So, in turn, end-users rely heavily on those systems, too – that means all of us.
However, the number of application vulnerabilities found in SCADA systems has grown significantly over the past few years. What were once seen as isolated, secure systems that could be relied upon are now the target of considerable risk.
And that risk has been largely caused by SCADA systems – and an attitude towards them – that simply hasn’t kept up with change.
Once, SCADA systems were highly isolated from the wider network – and certainly from the internet. As a result, exposure was limited to internal threats. Even where vulnerabilities may have existed, they did not score highly in terms of criticality.
Today, the energy and utilities sector has changed. Looking for new efficiencies, cost savings, and flexibility, SCADA systems are more integrated than ever before. The cloud, the internet, and widespread networking sees SCADA systems that are accessible remotely from anywhere in the world. Some leading platforms even include web-based applications, a constantly connected point of access.
These are all good things. They come with opportunities to work more flexibly, to monitor more continuously, and to increase availability.
But they also come with security concerns that just didn’t apply to SCADA systems before. Now, whether it’s the core SCADA software or a connected technology like ActiveX that’s vulnerable, attackers potentially have several attack vectors to choose from.
Given their very important role, it’s tempting to think that SCADA systems are somehow distinct from the more familiar Microsoft Office suite, or that handy third-party collaboration application you’ve found. After all, they require specialist expertise to operate.
Unfortunately, they don’t require specialist expertise to attack – no more than any other piece of software. Some input goes in, the system parses it, and then does something as a result. That’s all attackers need to know.
SCADA systems aren’t special. They potentially face the same threats and vulnerabilities as anything else in your infrastructure.
However, there is one crucial way in which SCADA software sets itself apart – it’s seriously behind the times:
In this climate, energy and utility companies need to take the lead. It’s only then that SCADA system developers will put security in the spotlight.
To some degree, an intelligent implementation is the secret to a secure SCADA system. Following best practices can minimise an organisation’s exposure to threats that exploit application vulnerabilities.
However, this isn’t 100% efficient. Even if a company is using secure SCADA communication protocols and restricting access to trusted hosts, the uncertain threat of unknown, undiscovered vulnerabilities will always remain.
That’s why the focus should be on awareness and intelligence. After all, when you know a vulnerability exists, you can do something about it.
Flexera Vulnerability Intelligence Manager (Secunia VIM) provides timely, verified alerts from the Secunia Research Team. It helps organisations keep up-to-date with the latest vulnerabilities and gives them the insight they need to really understand the risk those vulnerabilities pose.
When a vulnerability is disclosed, instant alerts are routed to the relevant stakeholders, not lost in the noise. From there, a detailed advisory explains the nature of the vulnerability, how critical it is, and any steps that can be taken for remediation. Then, an alert can be put into a ticketed workflow to ensure the most appropriate action is taken as soon as possible.
Vulnerability Intelligence Manager can’t slow the tide of vulnerabilities in SCADA systems. But it can make sure that every company has the critical intelligence they need to keep critical systems secure.Get actionable vulnerability intelligence