SCADA: The Power Grid Saga
In an excellent report published today in USA Today, Steve Reilly's well-researched work gives examples of just how big the risk from unsecured SCADA devices is.
As I wrote in 2009, in my article ‘The Biggest Hole of It All’, our infrastructure, that is to say the foundations on which our way of life depends, is highly insecure.
For example, Mr. Reilly notes that in the Power Grid area alone, the Department of Homeland Security (DHS) reported more than 151 ‘cyber incidents’, representing a 36% increase over the previous years’ and an astonishing 487% increase over 2012.
The article mentions a 2011 attack on a small electricity co-op in Texas. What is really telling are the words (emphasis mine):
“…CEO R.B. Sloan shared his surprise with the utility’s board of directors.”
Why surprise, you ask?
It seems that the CEO thought the hackers would aim for ‘something else’ to ‘make a bigger impact’. Is that not another occurrence of the Ostrich Syndrome?
Almost three and a half years after I published The SCADA Scandal, and over a year after The Biggest Hole – Keeps Getting Bigger, it seems that something is finally being done.
Over the last weekend, it emerged that two researchers, using a tool no more complicated than Google Search, have found more than 500,000 SCADA devices which use little to no security and are accessible from the Internet. This deserves repeating: over 500,000, from Internet-connected SCADA devices alone. This does not include the many millions of devices that are not directly connected to the Internet.
The state is truly grim.
Of those, it appears that Mark and friends at DHS have contacted the ‘owners’ of the 7,200 systems judged the most risky or egregious in terms of potential impact to the country (US), and are working with these owners to fix the situation or remove these systems from the Internet.
So the good news is that (finally) something is being done. I wonder whether we can continue to be just a step ahead of hackers and rely on luck, or whether we should have a more fundamental risk-based approach to SCADA security.