Addressing National Concerns Over SCADA security

With the rapid growth witnessed in supervisory control and data acquisition (SCADA) systems during recent times, organisations across the world are continually finding new ways to effectively manage change with seamless upgrades.

But as well as optimising the SCADA system, firms crucially need to ensure that advanced security measures are in place to counter external threats with the potential to floor national infrastructure.

The urgency of this was highlighted last year by news of a high-profile global attack – at its centre was a worm by the name of Stuxnet. It infected tens of thousands of Windows PCs running Siemens SCADA systems in manufacturing and utilities organisations, most notably in Iran. "Stuxnet proved that it is relatively simple to cause potentially catastrophic damage" to an industrial control network, Rodney Joffe, director of the Conficker Working Group coalition of security researchers, told ComputerWorld in May 2011.

Industrial networks have evolved from humble beginnings at standalone plants, into the fully-distributed, integrated systems linked directly into businesses and responsible for monitoring and controlling today's national infrastructure. As technology has developed, sensors and actuators upgraded the basic manual interface, though it was the advent of microprocessors that led to the creation of sophisticated networks that service the industry to this day. But with the birth of new technologies, the potential for things to go wrong also seems to have been amplified somewhat.

Writing for PublicService.co.uk, the British Security Industry Association's (BSIA) David Ratcliffe, said recently that as systems became more complex, their security was rather lacking. "Everything was transmitted across the wire in clear text, as there was no real need for securing the data. After all, the idea of someone intercepting the data, altering some variables and causing the system to fail or crash was unthinkable, as these were installed in factories and pump halls and the protocols were obscure and proprietary, with no links to the outside world," he explained.

Influenced by work undertaken in the US, European governments began to recognise long ago that SCADA systems were potentially vulnerable to external threats. For example, the Centre for the Protection of National Infrastructure (CPNI) in the UK has issued directives urging companies to start making security a key priority. The CPNI is helping Britain's core infrastructure understand and mitigate electronic attack risks, facilitating these efforts through a focussed programme of work.

As the BSIA's Mr Ratcliffe pointed out, security is and will remain of paramount importance wherever industrial systems are concerned. Key to ensuring that requirements are met, government intervention will be needed continually, with thorough regulation and guidance in place to keep firms on the right track. "The increase in IT-type architecture for SCADA systems has given us an unhealthy confidence," he suggested.

Mr Ratcliffe continued: "Just like pirates in 2010 can hold ships off the coast of Somalia for millions of pounds in ransom, the idea of a power plant being disabled or taken over by a group of cybercriminals should not be considered absurd. Not only is there now a concerted effort to attack industrial networks by organised groups, but individuals now bored with creating simple email viruses are also looking for a new challenge. The virtual war that IT departments went through will eventually come towards our industrial networks."

The challenge for industry now is to keep investing in and securing its crucial networks, carrying them into the future with robust layers of ideally impenetrable layers of security. Vulnerabilities in SCADA systems may not be as headline-grabbing as other threats, such as those throughout e-commerce activity, for example, but the fact remains that an attack could be equally – if not significantly more – devastating than cybercriminals' interfering with the likes of PayPal and Amazon. Governments are increasingly recognising this, but so too are the attackers. And the battle to protect national infrastructure rages on.