Nov 7, 2010

SCADA Systems



Category: General
Posted by: dc352

Security of SCADA (Supervisory Control And Data Acquisition) systems has been a known issue for some time. However, recent virus attacks on control systems in the Middle East have brought the topic onto newspapers' front pages.

Slashdot has recently published a question from someone interested in implementing a SCADA system in a reasonably secure way, and a number of responses painted a general picture of the state of security in large information systems, amplified by the potential real-world consequences of successful attacks.

The main issues touched on by the responses were:

  • insufficient isolation of vulnerable systems from public networks and the Internet;
  • weak (from the security point of view) implementations of SCADA systems;
  • sloppy installation and configuration of SCADA systems (default security settings, including passwords);
  • dubious risk analysis evaluating the probability of successful attacks;
  • use of security mechanisms for general-purpose computers (e.g., antivirus) without weighing virus infections against errors in AV software and the probability of the use of zero-day exploits; and
  • difficulty of getting independent information comparing SCADA implementations and their level of security.

This is not very surprising, as exactly the same issues can be found in any other industry using computers. There is no silver-bullet solution, and the only mechanism that seems to work (well, at least it makes companies spend money on security) is clear, regularly enforced independent audits. This is the approach the banking industry takes for card data processing systems.

The problem with any regulatory requirements is that they impose additional cost on all operators, and it must outweigh the cost of malicious activities against the systems in question.