SCADA Systems: Achilles Heel of Critical Infrastructure

Our critical infrastructure is an attractive target for foe nations, terrorist groups, or even campaign-of-the-mill cyber criminals, and many security experts believe that it is not remotely protected against cyber attacks. The SCADA systems that manage and control much of the critical infrastructure for the United States were not designed with security in mind, and are not engineered for an Internet-connected world.

SCADA systems are uniquely enticing because a successful attack could cripple a nation. The Stuxnet worm that targeted nuclear power capabilities in Iran controlled a rootkit that could highjack the control and behavior of PLC (programmable logic controller) devices used for plant operations.

security radar — SCADA systems are a prime target, and a weak link in protecting the critical substructure.

In a Wall Street Journal article Richard Clarke, former EXEC advisor on cyber security, warns that there is evidence that China has been actively probing and hacking the United States power grid. Clarke points out, "The only point to penetrative the grid's controls is to counter American military superiority past threatening to damage the underpinning of the U.S. economy. Chinese military strategists have graphic about how therein way a res publica wish China could gain an equal footing with the militarily superior United States."

Dr. Avishai, CTO of AlgoSec, recently discussed some of the challenges facing SCADA systems. Avishai notes, "In the old days, we worked with an 'isolated web' assumption. The network operated with very simple communication protocols and over order lines."

Avishai explains that SCADA networks were not organized with certificate in mind and can non secernate between legitimate requests and malicious responses. SCADA systems were traditionally on isolated networks that would require an attacker to first gain somatogenetic access to the prey facility.

"Hacking SCADA systems no more requires corporal access code, just a network connection, a way to itinerary packets to the logical system controller and a way to bypass the traffic filters, which are all activities that hackers understand," proclaims Avishai.

Randy Abrams, manager of technical education at ESET, agrees that SCADA systems have their weaknesses, simply feels that the humans behind the networks, and social technology attacks are the real number weak point.

There are two very significant human factors that come into play accordant to Abrams.The first follows the points ready-made by Dr. Avishai–the false Assumption of Mary that SCADA systems are somehow covert because they're not connected to the Internet. The false impression in security by obscurity leaves these systems exposed to risk.

"The other fallible factor is societal engineering," says Abrams. "We have seen countless spear-phishing attacks that birth resulted in compromise of discipline and tete-a-tete industry systems. The recent disclosure of a spear up-phishing flack against high ranking US and south Peninsula officials, also as journalists and dissidents that resulted in the great unwashe divulging the passwords to their Gmail accounts demonstrates how unbelievably itsy-bitsy multitude realize about the nature of phishing attacks and social engineering in general."

The critical base is called that for a intellect–information technology is the substructure that is substantial for our society and economy to function. Combine the security flaws inherent in the SCADA systems themselves, with the with weaknesses in human nature and exposure to social engineering attacks, and you have a potential formula for disaster.