One of the less well-known aspects of information technology – but one of the most critical – is the SCADA platform.
SCADA stands for Supervisory Control And Data Acquisition. These are the computer control systems at the heart of many industrial automation and control systems. SCADA-driven systems are found in energy power plants, electricity supply grids, and many other industrial systems that require a high degree of computerized control and 100% systems availability.
Many organizations claim that their IT processes are mission critical. However, SCADA control systems truly are critical to the national infrastructure. If the national power grid goes down it can cost a country untold financial damage. And, in the case of hospitals, air traffic control and the like, could actually place people’s lives in jeopardy. Lost production and commerce is one thing, but lost lives raise the security game to a new level.
The Default Password Backdoor
In the US, many SCADA-driven systems are connected to the Internet. And, like almost anything connected to the Internet, these systems are under continuous attack. This situation, as you might surmise, is a ticking time bomb. Cybercriminals are not stupid. They understand weaknesses, possess the means to achieve success, and comprehend the impact of an attack.
Thousands of SCADA-based systems that are accessible from the Internet are defended by weak default passwords. These are the passwords that administrators use to gain access to their industrial control systems. Logins such as ‘root:root’ and ‘admin:admin’ are quite common. For a complete list, refer to the default password list for SCADA devices published by the SCADA Strangelove research group on GitHub: https://github.com/scadastrangelove/SCADAPASS.
This is a well-known – and easily exploited – vulnerability, especially when these devices are left unprotected on the Internet on default, unsecured ports such as port 80 (HTTP) or port 23 (Telnet). Search engines like Shodan allow people to search the Internet to find where particular devices are located. Once a device is found, plenty of web sites provide a list of the default passwords corresponding to that specific model.
These default passwords should be found and changed to unique, cryptographically strong values. But it shouldn’t stop there. IT security best practices call for all credentials on critical systems to be updated regularly, and automated updates are best.
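As an added illustration (not code from this article or from Lieberman Software), the following Python audit checks a constructed device inventory against a constructed default-credential list in the spirit of SCADAPASS, flags plaintext management ports (23, 80) exposed to the Internet, and generates a random replacement credential; the names `audit_inventory`, `INVENTORY` and the password policy in `is_strong` are assumptions made here.

```python
import secrets
import string
# Constructed default-credential pairs in the spirit of the SCADAPASS list
# (not the project's own data); a real audit would load that list instead.
DEFAULT_PAIRS = {("root", "root"), ("admin", "admin"), ("admin", "1234")}
# Plaintext management services that should never face the Internet.
RISKY_PORTS = {23: "telnet", 80: "http"}
SYMBOLS = "!#$%&*+-=?@_"

def is_strong(password):
    """Minimum length plus upper-case, digit and symbol; a simple, explicit policy."""
    classes = (any(c.isupper() for c in password), any(c.isdigit() for c in password),
               any(c in SYMBOLS for c in password))
    return len(password) >= 14 and all(classes)

def audit_device(device):
    """Return the list of findings for one inventory record (a dict)."""
    findings = []
    user, pw = device["username"], device["password"]
    if (user, pw) in DEFAULT_PAIRS:
        findings.append("default credentials")
    elif not is_strong(pw):
        findings.append("weak password")
    if device.get("internet_facing"):
        for port in device.get("open_ports", []):
            if port in RISKY_PORTS:
                findings.append(f"{RISKY_PORTS[port]} exposed on port {port}")
    return findings

def audit_inventory(inventory):
    """Map device id -> findings, only for devices that need attention."""
    return {d["id"]: f for d in inventory if (f := audit_device(d))}

def generate_password(length=24):
    """Cryptographically random replacement that satisfies is_strong()."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate

# Constructed sample inventory (not real devices); 502 is the Modbus/TCP port.
INVENTORY = [
    {"id": "plc-01", "username": "root", "password": "root",
     "open_ports": [23, 502], "internet_facing": True},
    {"id": "rtu-02", "username": "admin", "password": "admin",
     "open_ports": [80], "internet_facing": False},
    {"id": "hmi-03", "username": "ops", "password": "Tr0ub4dor&3-Horse-Staple",
     "open_ports": [443], "internet_facing": True},
]
```

Feeding the findings into a scheduled job that calls `generate_password()` and pushes the result to the device and the credential vault is the automated rotation the paragraph calls for.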
Making SCADA Systems More Secure
Given that the heart of our nation’s infrastructure runs on SCADA, how do we make these systems more secure?
Here’s what I believe is the core of the issue. SCADA systems can be based on a combination of embedded controllers combined with Windows or Linux systems. This combination isn’t terribly insecure in isolation. But once connected to the Internet, every component needs to be patched and managed for access and authorization.
Corporate IT systems are – most of the time – protected by network firewalls, intrusion detection systems, endpoint security software, privileged identity management technology and other prevailing safeguards. Once they’re connected to the Internet, there’s no excuse for SCADA networks not to use – at the very least – those same essential layers of security to protect against external attacks.
The Bottom Line of the SCADA Security Issue
The bottom line is that a great many SCADA networks are designed and deployed by engineers who lack IT security training. This engineering culture can’t be expected to understand all the cyber security threats that foreign powers and sociopaths could pose to their designs. Therefore, many SCADA networks have a security blind spot. While there is a healthy dose of attention paid to whether the controls interact safely with their physical environments, there is far too little focus on how well the systems can withstand cyber attacks.
And, as discussed previously, management teams often fail to understand the need to change passwords regularly. The thinking is: ‘We need to know the passwords for everything – because when the power is down, we need access in a hurry.’ Consequently, these admin teams have a habit of using default passwords on their systems to ensure easy levels of access – at all times – for all engineers.
This is a cultural issue, and it’s one that IT security vendors need to address head on. Because, while you can employ software patches to make a system more secure, there is no similar patch against human error.
The State-Sponsored Attacker
This entire matter is one of potential cyber warfare with state-sponsored attackers as a primary threat. We’re talking about extremely well-funded, extremely intelligent and extremely motivated people. Not just any old basement-dwelling “hacker”. That makes critical national infrastructure cyber security an issue that screams for government oversight.
The reality is that governments around the world have already staged attacks on rival states’ critical infrastructure, but we hear about few of these incidents in public. In the event of a significant attack on US infrastructure – in all likelihood originating from a smaller rogue state – the outcome could constitute an act of war as damaging as any action taken with troops and physical armament.
Some time ago I believed it was unlikely that any government would footprint or probe other states’ critical infrastructure. My observations have caused me to change my mind. I now believe it is naive to underestimate any foe. SCADA vulnerability is a central challenge to our national security. We need to address this issue now, before a major incident takes place.
By Chris Stoneff, Vice President Technical Management, Lieberman Software
Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is instrumental in guiding the development of the Lieberman Software products portfolio.