I’ve written before about the world being held together by duct tape… and it seems there are more people lately who have decided to rip off the covers and go looking for some duct tape. The latest headline comes from the world of SCADA systems.
Researchers Lay Bare Woeful SCADA Security. SCADA systems are small embedded computers that help guide various kinds of industrial processes..manufacturing, power plants and water systems. Basically anything where you have sensors, motors, pumps etc that have to be monitored and controlled. Iran learned all about lax SCADA security over the last couple years and now everyone else is finding out about it too. The dirty little secret is that most of these systems haven’t fundamentally changed in the last 20 years… despite huge improvements in the level of sophistication of what’s out there now even for hobbyists. Things like the Arduino platform costs an order of magnitude less than commercial systems and can perform many of the same jobs. Actually that’s not true though.. SCADA systems have changed in one very important way.. people started plugging them into a network. Once you do that.. you are opening yourself up for a world of hurt if those systems were not designed to operate in a hostile environment. As the researches in the linked story found out.. some of them can’t even be probed without crashing.. never mind standing up to direct attacks.
I was fortunate enough to take the SANS security course on Wireless Ethical Hacking, Penetration Testing, and Defenses a few years ago. While I totally recommend the SANS courses.. they are really top notch in the world of tech training.. one of the things I learned as a result of that course is that very few people/organizations take security seriously. Security should be thought of as existing on a continuum along with ease of use. That is.. something could be totally secure and totally unusable or very easy to use and totally insecure. SCADA systems have been operating at that end of the scale for decades now and I doubt very seriously that’s going to change anytime soon. If the customers who buy these systems cared at all about security they would demand the systems actually be more secure. That doesn’t happen though.. and I blame human nature.
Incidentally… you may think your world isn’t personally touched by these systems but you would be wrong. In fact.. in some areas you may already have a vulnerable SCADA component bolted right on your own home. Heard of the SmartGrid? The very same researcher who taught my wireless hacking class has found some serious issues with the power meters used in smart grid systems. Imagine a worm that could infect a network of power company smart meters.. giving control over the power they regulate to some 3rd party. At that point it would be trivial to crash the regional electrical grid on demand.. and we know from what happened accidentally in the north east a few years ago that can take days to recover from. Sleep tight!