Austin Hildenbrand 

CYSE-200 

November 3, 2024 

Critical Infrastructure and SCADA Systems Write – Up 

BLUF 

Critical Infrastructure faces new problems and is not prepared for the new vulnerabilities that are created every day. SCADA applications and systems are now used to control and maintain these infrastructures but is being questioned by officials about the security measures being taken within these applications and systems. 

Critical Infrastructure 

When discussing what SCADA systems are and how they are effective, you first must understand what Critical Infrastructure entails. “Critical Infrastructure is physical or virtual assets, networks, and systems that are vital to any country, which would create catastrophic problems if these entities were to ever fail or be destroyed” (CISA Article, 1). The broad spectrum of Critical Infrastructure can be narrowed down into 1one simple category, which is anything you need or use daily that is usually provided/overseen by a nation-state or government organization. Examples of Critical Infrastructure include; Communications, Energy, Emergency Services, Food and Agriculture, Water/Wastewater, Transportation, etc. Because these entities are so vital to people, there is a need for different security measures that depict the individual necessities of each infrastructure. This creates job opportunities and big budgets.  

What problems does Critical Infrastructure face? 

Modern day infrastructure is usually behind from five to ten years on security measures and updated protocols. This can create expensive issues for government agencies and private sector companies, who face imminent threats to their provided critical infrastructure, because of an increase in vulnerabilities that entities are not prepared for. For example, the cyber security applications that an electrical grid has are sometimes not prepared for new cyber-attacks because of the increased amount of new technology, such as super computers. 

Critical Infrastructure faces more organized attempts to hack or destroy systems because of the amount of security in place. This is because nation-states will sanction attacks on other nation-states in hopes of gaining access or even making the other party spend money to fix the issues. This creates more sophisticated attacks, not just a simple brute force attack.  

Some examples of specific vulnerabilities from each sector of Critical Infrastructure include;  

• Overloading ports/Overloading system to a power grid 

•  Unauthorized access to transportation systems, such as railroad systems 

• Lack of physical security on power lines, and other large sectors of Critical Infrastructure 

The exponential increase in the need for these services/systems has a direct correlation to the increase in vulnerabilities, which cyber security professionals work on every day to prevent. 

What are SCADA Systems? 

SCADA, Supervisory Control and Data Acquisition, systems are described as systems that “gather all the required data about the process” (SCADA Systems Article, 1). The process that this quote is referring to is the intended Critical Infrastructure system. SCADA systems are centralized units that “control and monitor” through remote terminal units (RTU’s) or by the programmable logic controllers (PLC’s). The systems allow the host to see which components of the infrastructure are failing or are going to fail in the near future. The host is then able to override the systems to fix the issue. The systems differ between each entity, but provide data acquisition, “which includes equipment status reports, and meter readings” (SCADA Systems Article, 1). Because each Critical Infrastructure differs from the others, the Human Machine Interface (HMI) system, an apparatus that gives the processed data to the human operator” (SCADA Systems Article, 1), may look different, but all provide the necessary components to maintain the critical infrastructure. SCADA systems control each of the Critical Infrastructure entities but can also be susceptible to cyber-attacks, as any piece of technology is.  

How can SCADA Systems help? 

Critical Infrastructure is continuously facing security challenges, because technology will never stop growing. The ideology of using SCADA systems to prevent such cyber-attacks is supported by “an erroneous belief that SCADA networks are safe enough because they are secured physically.” (SCADA Systems Article, 6). SCADA engineers are not always thinking about the security vulnerabilities when creating their systems. This creates an issue for big companies who are running the critical infrastructure, because not only does it cost more money to find those vulnerabilities, but it is also very difficult to find the vulnerabilities once the system is in place. The vulnerability scanning process is very difficult because an operator must access the specific PLC model that is being used, which is hard because not all panels are accessible. For example, a cell tower that is 30ft high at the top of a mountain that needs to be scanned for vulnerabilities might have a PLC that is halfway up the tower. Not only does it cost money to get up there, but it is also dangerous. This puts large companies in a position to prioritize the amount of vulnerability scanning, which is bad for cyber security. 

Conclusion 

SCADA systems are used to control and maintain critical infrastructure, which can lead to cyber-attacks and failures. The need for critical infrastructure provides a big target on the entities, creating a sense of urgency in security. Many believe that SCADA systems are secure because of the physical nature of the systems but can be disproven because of the exponential growth of new technologies and new methods of cyber-attacks. High value companies and governments are being put in tough situations because of the variability in vulnerabilities within each entity of critical infrastructure. It creates a question, are SCADA systems enough to protect the critical infrastructure or should cyber security operators be doing more?