Posted by Craig Rickel, Compliance Specialist on September 11, 2009 1:23 PM
There has been a lot of commentary about terrorism over the past few years. Since 2001, we've seen the word "terrorism" overused, misapplied, with over reactions to it. Well, get ready for the same reaction to the next buzzword: Cyberterrorism. Already, Congress is preparing laws that will provide strong security for our nation's SCADA systems -- something that has left many people saying, "What's SCADA?"
SCADA stands for Supervisory Control and Data Acquisition. Your local water purification and power plants use SCADA devices to monitor levels, control valves and switches, and alert to dangerous conditions. However, just as the SCADA devices can be remotely controlled, they can be remotely abused. There was an incident in Australia seven years ago where raw sewage was dumped into the water supply by a disgruntled employee via remote control. Vendors have just now gotten around to providing HTTPS as an optional add-on!
Most SCADA systems are designed to be operated in a fairly secure environment. For smaller operations with only a single building's worth of systems to worry about, security is not an unreasonable expectation. Locations with a single building can easily have a secure perimeter locked down from physical access. For larger suppliers, such as power plants with substations and oil companies with far-flung pipelines and valves, remote security is much more of an issue.
Of particular concern to me is the growing trend of SCADA systems using increasing numbers of remote systems for monitoring. Many electricity suppliers are using these systems in power meters for billing and the ability to shut on or off power to residential buildings on demand. We've already found out recently how WPA is insecure. How many wireless SCADA systems do you think still use WEP?
There are many secure SCADA implementations out there, but most of those belong to large companies that can afford to hire not just system administrators, but dedicated security professionals as well. Many suppliers -- particularly ones that serve rural areas -- don't have those resources to draw upon. For them, managed co-location services can provide serious benefits. By using an existing network infrastructure, secured with encryption, auditing, and policies strong enough to protect financial data, these suppliers can be sure that even far-flung servers are secured, and get back to their business -- supporting our nation's critical needs.