A Q&A with David Wolpoff, Kyrus Technologies
Supervisory control and data acquisition (SCADA) systems are industrial computer systems that monitor and control industrial or infrastructure processes. Recently, two hacking incidents at water utilities in Illinois and Texas have exposed their vulnerabilities. To get a better handle on how companies using SCADA systems can better protect them from malicious attacks, I spoke with David Wolpoff of Kyrus Tech.
How do bad guys access and exploit SCADA systems?
I wish I could say there’s some magical technique. Unfortunately, it’s the same vulnerabilities you see in any computer system. Things are interconnected. When someone wanted to get into the IT infrastructure of the city water utility in Springfield, Illinois, all they had to do was get access by breaking into the third party vendor who sold the SCADA system to steal passwords and they walked right into an open door. The problem is when you get these embedded systems people think of them as a product they purchase and deploy, and they don’t think it’s something someone might want to subvert, so they’re not doing the same kind of due diligence that they might do for their other systems.
What types of damages can a SCADA attack lead to?
SCADA systems bridge the gap between cyber space and kinetic space so they tend to be interfacing with larger scale systems with a physical presence. That means an attacker can shut down a water pump and cut off the water supply to a city. In general, an event could include everything from interfering with a particular manufacturing process—which might only be noticeable to a company—to attacking a power grid, which would impact an entire region and pose major risks. We don’t know if SCADA attacks are happening more often than they used to but my guess is that people are probably accessing these systems on a regular basis—it just doesn’t always make it into the media.
What can a client do to proactively defend themselves against these attacks?
Again, I wish there was something magical out there. It really breaks down to limiting access, such as only providing access to vendors during certain times for updates. A reasonable administrator should be setting up an authorized list for people allowed to access the system when they first set it up. Unlike the personal computing space there are not a lot of tools for repairing, removing or even detecting hackers on an embedded system, so it is very important to keep attackers out. Another big question I would ask is whether the system actually needs to be connected to the internet—many don’t need to be. The more interconnected you are, the more you offload maintenance burden to third parties the more you expose yourself to risk. The best advice I can give is to think of these systems as you think of other systems and start applying regular practices and due diligence to them before you have a problem.
I’d like to underscore Mr. Wolpoff’s recommendation: Any organization that plays a vital national infrastructure role should revisit their SCADA system’s design—and whether it truly needs to be connected to the public internet. This past year we have come across several clients in the utility and energy sectors who intentionally decided NOT to connect their SCADA to the internet because the downside was so great.