A water utility in Illinois was reportedly hacked in a cyber attack traced back to Russia. The motives aren’t clear, but the act alone demonstrates how vulnerable our SCADA (Supervisory Control and Data Acquisition) networks are, and the potential risks posed to the critical infrastructure of the United States.
The FBI and DHS are investigating the incident. Attackers were able to obtain login credentials from a company that makes the software used to control industrial systems like the Illinois water pump, and remotely shut it down. The attackers reportedly enabled and disabled the pump repeatedly, eventually damaging it.
This instance is more a nuisance than a real threat, but attacks against SCADA systems can have grave consequences. SCADA systems are specialized control devices used to monitor, manage, and maintain chemical plants, natural gas pipelines, dams, railroad switches, nuclear power facilities, and water treatment plants like the one hacked in Illinois. The potential for endangering lives with a compromised SCADA network is very serious.
Dave Marcus, Director of Security Research for McAfee Labs, examines the issue of SCADA vulnerabilities in a recent blog post. Marcus says that the two main questions regarding SCADA security are, “How easy is it to attack SCADA networks?” and, “Are we going to see more of these types of attacks?”
On the first question, attacking a SCADA system is not really any different from attacking any other system or network. It requires specific knowledge of the SCADA devices being targeted, and enough time and dedication to develop a successful attack.
In answer to the second question, though, Marcus points out that it seems fair to assume attackers will continue to attack SCADA networks. Attackers tend to focus on low-hanging fruit--systems that take the least effort to compromise while yielding the most impact possible. Depending on the motives of the attack, it is hard to imagine a more attractive target than a SCADA network.
Marcus goes on, however, to address an even more important question: “How do we know they’re not already under attack or compromised?”
This is a concern because SCADA networks lack the perimeter and host defenses that typically protect standard computer networks. Organizations that maintain SCADA networks don’t have the tools or capabilities to detect cyber intrusions, or the skills to properly investigate suspected cyber attacks.
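As an added illustration of the detection gap described here (example code written for this page, not from the article or McAfee), the Python below runs a small check over constructed SCADA command-log lines and flags the two behaviours the incident involved: control commands arriving from outside the operator network, and a pump being started and stopped faster than a human operator would. The log format, the operator subnet, the thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: the control room sits on 10.20.0.0/16 and a
# human operator would not cycle a pump more than three times in ten minutes.
OPERATOR_NET = ip_network("10.20.0.0/16")
MAX_TOGGLES = 3
WINDOW = timedelta(minutes=10)

# Constructed sample log (not from the incident): one normal operator session,
# then an external source repeatedly starting and stopping the pump.
SAMPLE_LOG = """\
2011-11-08T10:00:05 src=10.20.4.15 user=operator1 asset=PUMP-1 cmd=START
2011-11-08T10:45:12 src=10.20.4.15 user=operator1 asset=PUMP-1 cmd=STOP
2011-11-08T22:13:01 src=203.0.113.77 user=vendor_svc asset=PUMP-1 cmd=START
2011-11-08T22:13:40 src=203.0.113.77 user=vendor_svc asset=PUMP-1 cmd=STOP
2011-11-08T22:14:11 src=203.0.113.77 user=vendor_svc asset=PUMP-1 cmd=START
2011-11-08T22:14:52 src=203.0.113.77 user=vendor_svc asset=PUMP-1 cmd=STOP
2011-11-08T22:15:30 src=203.0.113.77 user=vendor_svc asset=PUMP-1 cmd=START
"""

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyse(log_text):
    """Return alert strings: commands from outside OPERATOR_NET, and
    more than MAX_TOGGLES start/stop commands on one asset within WINDOW."""
    alerts = []
    toggles = defaultdict(list)  # asset -> recent start/stop timestamps
    for line in log_text.splitlines():
        rec = parse_line(line)
        if ip_address(rec["src"]) not in OPERATOR_NET:
            alerts.append(f"{rec['ts']} {rec['asset']}: {rec['cmd']} from "
                          f"outside operator net ({rec['src']}, user {rec['user']})")
        if rec["cmd"] in ("START", "STOP"):
            recent = toggles[rec["asset"]]
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > WINDOW:  # expire old ones
                recent.pop(0)
            if len(recent) > MAX_TOGGLES:
                alerts.append(f"{rec['ts']} {rec['asset']}: {len(recent)} "
                              f"start/stop commands within {WINDOW} (rapid cycling)")
    return alerts
```

Calling `analyse(SAMPLE_LOG)` on the constructed log yields five alerts for commands from the external address and two for rapid cycling of PUMP-1; the normal daytime operator session produces none.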
With the stakes so high, it is important for SCADA networks to ramp up awareness and defensive capabilities. Marcus recommends that SCADA admins do the following:
- Include “cyber” in all risk management.
- Set up extensive penetration testing.
- Set up extensive counter-social engineering training.
- Put a SCADA-specific CERT plan and team in place.
- Network with law enforcement at all levels.
- Expect to get attacked and take appropriate countermeasures.
SCADA networks are exposed and vulnerable, and represent targets of significant value--especially for terrorists, or politically-motivated attacks. It is time to start doing more to defend them.