SCADA: Vulnerabilities Within Our Critical Infrastructure

Supervisory Control and Data Acquisition (SCADA) refers to a control system which allows critical infrastructure facilities to reduce manning by automating processes that historically required human interaction. This control system has many individual parts and can spread over a large area or facility. The system is centralized and remotely controlled, which increases efficiency. Water treatment, power generation, and manufacturing facilities all use some form of SCADA.
SCADA Vulnerabilities
Since the early 1970s, SCADA has been used in large-scale facilities for a wide variety of functions. Remote monitoring and control functions can be performed from a centralized location, which drastically reduces the number of personnel required to operate. Modern SCADA architecture resembles something seen in a corporate IT office rather than a manufacturing facility (Shaw, 2023). As these facilities rely more and more on SCADA, the need for security, both physical and digital, has increased. SCADA systems are vulnerable to the same attacks as IT networks. Many facilities utilize remote software updates to remove the need for a technician to physically visit the equipment. This means that a user with the appropriate credentials can access a PLC or RTU remotely while bypassing the host. The web interaction between individual components in the SCADA system provides the biggest vulnerability.
As these systems become more advanced and complex, the need for additional security increases. In an article published by Trend Micro, two engineers found 147 vulnerabilities in 20 different applications in 2018. The most famous cyber attack targeting SCADA systems occurred back in 2010. The infamous Stuxnet attack targeted Iran’s nuclear centrifuges. Malware placed in the Siemens PLCs caused the centrifuges to overspeed, which damaged them to the point where they required engineers to visit the facility. This attack is well known because it is the first known attack to target SCADA systems (Dpstele, 2021). The malware used was so sophisticated that it could replicate itself through removable drives, LAN, the Siemens HMI database server, and Windows Server Message Block. In some instances, SCADA may not even be the target of a cyber attack but a “bridge” used to access the true target. In 2013, hackers accessed Target’s HVAC control system (SCADA) to access their business network. The business network was connected to the HVAC control system and thus provided a path for the hackers to use. Target lost $309 million and seventy million customers were affected (Dpstele, 2021). As most of the country’s critical infrastructure utilizes SCADA in some fashion, we need to ensure we’re doing our due diligence to identify and combat these vulnerabilities.
Risk Mitigation
One of the easiest and most cost-effective ways to minimize risks and reduce potential cyber attack vulnerabilities is to design partially automated systems. To put it simply, the communication chain is broken on purpose to add an additional layer of security. Engineers will design a system that has periodic breaks in the automated process that require a user to interact for the process to continue (Saini, 2021). This break in the chain allows for a majority of the process to be automated while also making it more challenging for a “bad actor”. Communication between the many, many devices in the HMI/SCADA network poses the biggest vulnerability. A large portion of the internal communication between devices is unencrypted, making it very easy to capture, manipulate, and transmit. Encrypting and hashing data would utilize existing technology while making the data harder to obtain. The data owners would also be able to easily identify if the data was compromised (Saini, 2021).
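The integrity half of that recommendation, as an added example that is not taken from the cited articles: a keyed hash (HMAC-SHA256) is appended to each command so the receiver can tell when a frame was altered, and a sequence number, which goes slightly beyond the text, lets it reject a captured frame that is sent again. A plain unkeyed hash would not be enough, because anyone who can change the data can also recompute the hash. The frame layout, the names `seal` and `Receiver`, and the pre-shared key are assumptions made for illustration; encryption of the payload is not shown.

```python
import hashlib
import hmac
import struct

FRAME = ">QBHH"   # hypothetical layout: sequence, unit id, register, value
TAG_LEN = 32      # HMAC-SHA256 tag length in bytes


def seal(key: bytes, seq: int, unit: int, register: int, value: int) -> bytes:
    """Sender side: pack the command and append a keyed tag over it."""
    body = struct.pack(FRAME, seq, unit, register, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver side: accept a frame only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        if len(frame) != struct.calcsize(FRAME) + TAG_LEN:
            return None                       # malformed length
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # altered in transit or wrong key
        seq, unit, register, value = struct.unpack(FRAME, body)
        if seq <= self.last_seq:
            return None                       # captured frame sent again
        self.last_seq = seq
        return unit, register, value


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key
    rx = Receiver(key)
    good = seal(key, 1, 3, 40001, 1500)        # constructed sample command
    forged = bytearray(seal(key, 2, 3, 40001, 1500))
    forged[12] ^= 0x01                         # flip one bit of the value field
    print("genuine :", rx.accept(good))
    print("replayed:", rx.accept(good))
    print("modified:", rx.accept(bytes(forged)))
```

A rejected frame returns `None`, which is also the event worth logging and alerting on, since it is how the data owner learns that traffic was altered or replayed.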
Conclusion
SCADA systems have revolutionized many industries and are not going away anytime soon. They are used in many of the services we take for granted every day. These systems must be managed and maintained more in line with IT standards. Physical security is not enough to protect our critical infrastructure.
References
Saini, Ranbir. 2021, February 15. Minimizing SCADA system security gaps. Retrieved from: https://www.controleng.com/articles/minimizing-scada-system-security-gaps/
Shaw, William T. 2023, March 14. SCADA System Vulnerabilities to Cyber Attack. Retrieved from: https://electricenergyonline.com/energy/magazine/181/article/SCADA-System-Vulnerabilities-to-Cyber-Attack.htm
DPS Telecom. 2021, December 23. 14 Major SCADA Attacks and What You Can Learn From Them. Retrieved from: https://www.dpstele.com/blog/major-scada-hacks.php
