Cybersecurity, Technology, and Society
SCADA system vulnerabilities and mitigating risk
SCADA systems are critical infrastructure and need to be maintained to a high standard to avoid potential downtime or lost money. The risk from threats to these systems can be mitigated by establishing proper security measures. However, the risk is ever increasing due to the rise in the use of networks for these systems.
SCADA systems
SCADA stands for supervisory control and data acquisition. It is used to control and coordinate critical infrastructure and industrial processes such as water treatment and manufacturing. SCADA systems monitor all the different processes a site or area may have and display the data to a human who can look at it in real time (scadasystems.net). According to the article provided, SCADA systems have gone through a couple of different generations to get to where they are today. The current generation of SCADA systems can be connected to supervisory stations through internet protocols. This increases the systems' vulnerability.
Vulnerabilities
SCADA systems connected to stations through internet protocols are more vulnerable to attacks on the system. Some of these systems are in control of critical infrastructure that is vital to communities, such as water treatment, gas pipelines, and traffic lights (scadasystems.net). When these systems are vulnerable, an attack can have negative impacts on the community it affects or cause a company to lose money and production. A close-to-home example of this is the Colonial Pipeline attack in 2021, when an attack on a SCADA system caused outages of gasoline across the east coast of the US (Virsec). These systems must be protected because the aftermath of a large attack could be devastating. According to scadasystems.net, there are two major threats. The first is unauthorized access to software, which can be done by a human or by viruses. The second is packet access to network segments.
Mitigating risk
To combat these threats, there are a couple of ways that a company or agency can protect against attacks on SCADA systems. The NIST (National Institute of Standards and Technology) has created a guideline to help with security (Trendmicro). A couple of these tips include proper management of accounts and user access to critical systems, education on practices such as not connecting personal devices to critical networks, and using adequate security measures on SCADA networks (Trendmicro).
Conclusion
There are ever-increasing vulnerabilities and risks to critical infrastructure. These can be mitigated with proper security protection and techniques. Attackers will no doubt be interested in these systems, seeing the damage they can do and the potential payout. So being serious and vigilant about the protection of these systems' networks is crucial.
Works Cited
One flaw too many: Vulnerabilities in SCADA systems. Security News. (n.d.). Retrieved March 19, 2023, from https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/one-flaw-too-many-vulnerabilities-in-scada-systems
SCADA systems. SCADA Systems. (n.d.). Retrieved March 19, 2023, from http://www.scadasystems.net/
Virsec. (2023, March 7). VIRSEC analysis of the Colonial Pipeline Attack. Virsec. Retrieved March 19, 2023, from https://www.virsec.com/resources/blog/virsec-analysis-of-the-colonial-pipeline-attack#:~:text=However%2C%20as%20all%20systems%20are,data%20was%20encrypted%20for%20ransom.
The Human Factor in Cybersecurity
With a limited budget, training should be the priority. Part of the budget needs to be spent on technology, but a good amount of it should be allocated to training. Even the most advanced technology in the field can become compromised because of one person's incompetence.
Balancing Training and Technology on a Limited Budget
As the new CISO of a new startup company, I was given the task of figuring out how to properly utilize our budget for cybersecurity. It’s a limited amount so I cannot do everything I would like to secure our systems. This means I must brainstorm and find the most effective way to use my limited budget.
The first thing I want to do is start following a framework (Odogwu). Instead of pulling my hair out worrying whether I forgot anything in a framework of my own design, I could just follow the NIST (National Institute of Standards and Technology) framework. This framework was designed by the NIST to help businesses manage and reduce cybersecurity risk and to protect their systems (Vedova). The best part about this is that it’s free.
The next thing I would like to prioritize is the technology. After figuring out everything we need to protect, I would implement methods of detecting and responding. This includes setting up MDR systems. MDR systems include firewalls, intrusion detection, and antivirus (Montie). This would be our base, although hackers could still get around it if it was all we had in place.
Training
The more important thing to me as CISO is the training of our employees over the technology we use. Educating our employees about best practices and the dangers they could encounter daily is fundamental to our security. We could have all the technology in the world, but if one person makes a mistake the whole system could go down and cost us a lot of money. Training against email phishing and ransomware attacks is as important as proper password management and knowing what to look out for in their physical space.
Conclusion
If I was a CISO and I was given a limited budget, I would allocate more of the money towards the training of employees. Having a core foundation of proper security practices for our employees is essential to keeping our cybersecurity tight. With poorly trained employees, spending all the money we could on technology would not protect us for long.
Works Cited
Montie, S. (2023, March 3). What is managed detection and response? MDR security 101. BitLyft. Retrieved April 2, 2023, from https://www.bitlyft.com/resources/what-is-managed-detection-and-response-mdr-security-101#:~:text=MDR%20services%20are%20designed%20to,standalone%20security%20solution%20for%20businesses.
Odogwu, C. (2022, August 12). 5 cost-effective ways to implement cybersecurity on a budget. MUO. Retrieved April 2, 2023, from https://www.makeuseof.com/implement-cybersecurity-low-cost/
Vedova, H., & The FTC Office of Technology. (2022, October 6). Understanding the NIST cybersecurity framework. Federal Trade Commission. Retrieved April 2, 2023, from https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/nist-framework#:~:text=NIST%20is%20the%20National%20Institute,protect%20their%20networks%20and%20data.
The “Short Arm” of Predictive Knowledge
After reading philosopher Hans Jonas's paper, it is clear to me what he is saying. Looking back through time, man never had foresight when it came to new technologies. People of the past never looked to the future and said there will be more technological advancements. The technologies we have now were unimaginable to them.
With this in mind, I believe that any business or discipline should be forward thinking and prepared for the unexpected, because you never know what these unforeseen challenges or problems can even look like.
When developing cyber-policy and infrastructure, one must consider the “short arm” of predictive knowledge. It’s difficult to prepare for the unknown, especially so if you barely have a grasp of the problems you are faced with now. We should approach the development of policy and infrastructure with the idea that in the near to distant future these things may evolve into something unrecognizable to the original creators. The infrastructure and policy need to be adaptive and allow for things to be changed as they evolve.
We are still in the early days of advanced technology. Over the years, new security measures will be created and old ones will fall by the wayside. An example is artificial intelligence, or AI. This tech is very new, and we can only speculate about the problems it will bring and the problems it will solve.