SCADA on Thin Ice: A Two-Person Team Consisting of a Good Hacker and a Good Electrical Engineer Could Wreak Havoc on Energy Systems from Anywhere in the World. (Tech Talk)
Piazza, Peter, Security Management
Below the computer networks that keep businesses connected to the Internet lies another, largely hidden level of technology that controls critical elements of the nation's infrastructure. These devices, known as supervisory control and data acquisition (SCADA) systems, are often poorly protected and are dangerously vulnerable to compromise by malicious attackers or even terrorists, according to engineering and IT experts. But in reaction to 9-11, and amid fears that al Qaeda has begun to probe dam operations and other critical infrastructure systems, security issues are now being given more attention.
When SCADA systems were still proprietary, attackers needed to be insiders or industry professionals to hack their way through the complex system. Now, says Ron Fisher, deputy director of the Infrastructure Assurance Center at Argonne National Laboratory, technology has made the job easier. "It's more complex than just hacking a Web site," he says, "but the trend is clearly more of a GUI [graphical user interface], a user-friendly interface, so once you get into the system, someone who's not very knowledgeable about the software but knows what they want to do" can more easily wreak havoc. Dave Teumim, a cyber-security consultant for the energy industry, says a two-person team consisting of a good hacker and a good electrical engineer who understands SCADA could accomplish the task from anywhere in the world.
SCADA systems are used primarily in the energy industry, where they monitor and control the movement of oil and natural gas through pipelines, as well as electrical power; they are also found in water systems performing similar functions. They used to be isolated from a company's main business networks and were independent, and often proprietary or homegrown, systems that created safe "islands of isolation," according to Teumim, who also serves as chair for the Control Systems Subcommittee of the Instrumentation, Systems, and Automation Society.
Two changes have taken place that have raised the threat level, says Teumim: "First, vendors began to use commercial hardware and software in their [SCADA] systems." These are the same operating systems, such as Windows or Unix, used in their business systems. …