Archive

Posts Tagged ‘cybersecurity’

The SCADA Scandal || SCADA Security

July 20, 2009 - כ"ח תמוז תשס"ט, by Ariel

At the heart of modern civilization there is a silent, mostly unknown worker. Handling our riskiest jobs, it toils day in and day out, without recognition or praise. Unlike its much younger sister, the Internet, it is neither glitzy nor a daily newspaper headline. Yet it is at least as essential to our well-being.

SCADA, or, by its even less sexy full name, Supervisory Control And Data Acquisition, is still a rose. First conceived in the 1940's (some say earlier) and built in the 1950's, it enables the ebb and flow of our daily lives. Early SCADA consisted of large mainframes and simple open/close electro-mechanical devices such as relays; the PLC (see below) only arrived at the end of the 1960's. Together they enabled the rapid growth and commercialization of the Industrial Age, an Age that for most of us today exists only in the history books.

What are PLC’s?

PLC, or Programmable Logic Controller, is a ruggedized industrial computer used to control electro-mechanical processes. It reads inputs from sensors and switches, runs a control program (classically written in ladder logic) in a fixed scan cycle, and drives outputs such as valves, motors and relays. Unlike a desktop PC, it is built to run unattended for years in a hot, dusty, electrically noisy cabinet.

In the Beginning

Before the advent of networks and PC's, and with the rapidly growing demand of a post-war world, new ways of producing and managing were needed. The transistor became ubiquitous, and its applications endless. The problem emerged when control of an electronic, or even a mechanical, device could no longer be done by people, at least not efficiently. It was the dawn of SCADA.

In its youth, SCADA controlled installations of tens, or even hundreds, of circuits. The sheer volume of decisions driven by constraints such as temperature, speed, rate of flow and pressure required the involvement of computers early on. Initially, those computers ran proprietary operating systems and were managed by people with very specialized knowledge. Access to and control of those devices was secured by the worst of all security paradigms: security by obscurity. Simply put, if you were not a member of the club, you did not know the handshake.

Before long, those installations became larger and more demanding, and led to SCADA's second generation.

The Care-Free Teens

In the 1970's and 1980's, SCADA technologies enjoyed explosive growth. Everywhere you turned in the industrialized world, you would see (and usually not notice) its footprint. SCADA began to use communication technologies, initially manufacturer-specific and later standardized (serial links such as RS-232C), to perform its work more effectively. Again relying on obscurity, each manufacturer used its own language, protocols, software and devices to control and manage SCADA networks. Even then, a typical SCADA installation could be as large as hundreds of thousands of devices; even a small water-purification system for a medium-sized town would need upwards of thirty thousand devices to operate.

Coming of Age

In the late 1980's and since, SCADA devices have moved to state-of-the-art communications. Many devices, not to mention their controlling computers, can now communicate using open-standard protocols. The transports in use today include Ethernet, TCP/IP and WiMAX, and the industrial protocols carried over them (Modbus/TCP and DNP3 being the common ones) are well known, publicly documented and, unfortunately, exploited. Modbus in particular carries no authentication at all: any host that can reach a controller on TCP port 502 can read from it or write to it.
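To make concrete what "well known, documented and exploited" means for the most common of these protocols, here is an added example (not code from the original post) that encodes and decodes Modbus/TCP frames and then audits captured write requests by source host, since the source address is the only thing a monitor can use to tell an operator's HMI from an intruder. The frame layout follows the public Modbus/TCP specification; the host addresses, the allow-list and the sample traffic are constructed for the example.

```python
import struct

MODBUS_PORT = 502  # IANA-assigned port for Modbus/TCP

# Function codes that alter process state versus those that only read it.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


def build_write_single_register(transaction_id, unit_id, address, value):
    """Encode a Modbus/TCP Write Single Register (function 6) request.

    MBAP header: transaction id (2 bytes), protocol id (2 bytes, always 0),
    length (2 bytes, counts unit id plus PDU), unit id (1 byte).
    PDU: function code (1 byte), register address (2 bytes), value (2 bytes).
    There is no field for a credential anywhere: the protocol defines none.
    """
    pdu = struct.pack(">BHH", 6, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP request frame into a dict; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size %d" % (length, len(frame)))
    function = frame[7]
    data = frame[8:]
    decoded = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": function,
        "is_write": function in WRITE_FUNCTIONS,
        "name": WRITE_FUNCTIONS.get(function) or READ_FUNCTIONS.get(function, "Other"),
    }
    if function in (1, 2, 3, 4, 5, 6):
        # Four-byte body: start address and quantity for reads, address and value for writes.
        if len(data) != 4:
            raise ValueError("function %d expects a 4-byte body" % function)
        decoded["address"], decoded["value"] = struct.unpack(">HH", data)
    elif function in (15, 16):
        # Start address, quantity, byte count, then the packed coil or register values.
        if len(data) < 5:
            raise ValueError("function %d body truncated" % function)
        decoded["address"], decoded["quantity"], byte_count = struct.unpack(">HHB", data[:5])
        if len(data) != 5 + byte_count:
            raise ValueError("byte count %d disagrees with body" % byte_count)
        decoded["values"] = data[5:]
    return decoded


def audit_writes(observed, authorised_writers):
    """Flag every write request whose source is not an authorised engineering host.

    `observed` is an iterable of (source_ip, frame) pairs as a network tap would see
    them. Malformed frames are reported too: on a fragile controller they are as
    dangerous as a valid write.
    """
    alerts = []
    for source, frame in observed:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((source, "malformed frame: %s" % err))
            continue
        if req["is_write"] and source not in authorised_writers:
            alerts.append((source, "%s to unit %d address %d"
                           % (req["name"], req["unit_id"], req["address"])))
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic: the HMI polls, then an unknown host writes a setpoint.
    traffic = [
        ("10.0.5.10", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),  # HMI reads 10 registers
        ("10.0.5.99", build_write_single_register(2, 1, 0x0010, 0)),  # stranger writes register 16
        ("10.0.5.99", b"\x00\x03\x00\x00\x00\x02\x01"),               # truncated frame
    ]
    for alert in audit_writes(traffic, authorised_writers={"10.0.5.10"}):
        print(alert)
```

The point of the audit function is the absence of anything better: with no authentication in the protocol, an allow-list of source addresses (enforced in a firewall in front of the controller, and watched by a monitor like this one) is the control that actually stands between any network neighbour and a setpoint change.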

Little thought was given to even the most basic components of a modern network-connected device, such as a hardened TCP/IP stack. Simply put, vendors never considered that a SCADA device would be connected to anything other than a closed SCADA network. As an example, early digital control system vendors neglected to include robust handling of malformed or unexpected packets in their protocol stacks, so a simple UDP flood, or even a routine port scan, on an early SCADA network could bring the whole SCADA system crashing down. That fragility has a practical consequence: the vulnerability scanning that is routine on an office LAN can itself be the outage on a control network, and has to be replaced by passive monitoring or confined to a test bench.
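Because the scan or flood described above is something a fragile controller may not survive, the practical answer is to spot such traffic passively from flow records rather than probing the controller. The following added example (not from the original post) runs that detection over constructed flow records: a source that touches many distinct ports on a controller within a short window is flagged as a port sweep, and a source whose UDP packet count to a controller exceeds a threshold is flagged as a flood. The record format, the addresses and the thresholds are assumptions made for the example, not anything the post specifies.

```python
from collections import defaultdict

# Windowing and thresholds (assumed for this example). A polling HMI talks to a
# controller on one or two ports at a steady rate; dozens of distinct ports, or a
# burst of UDP packets, from a single source is what a scan or a flood looks like.
WINDOW_SECONDS = 10
DISTINCT_PORT_THRESHOLD = 15
UDP_PACKET_THRESHOLD = 200


def parse_flow(line):
    """Parse one flow record in the constructed format 'ts src dst proto dport packets'."""
    ts, src, dst, proto, dport, packets = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "proto": proto.upper(), "dport": int(dport), "packets": int(packets)}


def detect(lines, controllers):
    """Return (kind, src, dst, window_start, count) alerts for traffic aimed at controllers.

    kind is 'port-sweep' (many distinct (proto, port) pairs from one source within one
    window) or 'udp-burst' (UDP packet count over threshold). Flows to hosts outside
    `controllers` are ignored so that ordinary office traffic does not alert.
    """
    ports = defaultdict(set)   # (window, src, dst) -> set of (proto, dport)
    udp = defaultdict(int)     # (window, src, dst) -> UDP packets
    for line in lines:
        flow = parse_flow(line)
        if flow["dst"] not in controllers:
            continue
        key = (int(flow["ts"] // WINDOW_SECONDS), flow["src"], flow["dst"])
        ports[key].add((flow["proto"], flow["dport"]))
        if flow["proto"] == "UDP":
            udp[key] += flow["packets"]

    alerts = []
    for (window, src, dst), seen in sorted(ports.items()):
        if len(seen) >= DISTINCT_PORT_THRESHOLD:
            alerts.append(("port-sweep", src, dst, window * WINDOW_SECONDS, len(seen)))
    for (window, src, dst), count in sorted(udp.items()):
        if count >= UDP_PACKET_THRESHOLD:
            alerts.append(("udp-burst", src, dst, window * WINDOW_SECONDS, count))
    return alerts


def constructed_flows():
    """Sample records made up for this example: a normal HMI poll, then a sweep and a flood."""
    lines = ["1000.00 10.0.5.10 10.0.5.2 TCP 502 4",     # HMI polling the PLC on Modbus/TCP
             "1005.00 10.0.5.10 10.0.5.2 TCP 502 4",
             "1003.00 10.0.5.10 10.0.5.3 TCP 20000 2"]   # a second controller, DNP3 port
    # A scanner on an unexpected host touching 20 TCP ports on the PLC within one window.
    lines += ["%.2f 10.0.5.66 10.0.5.2 TCP %d 1" % (1002 + 0.05 * i, 1 + i) for i in range(20)]
    # A UDP flood from the same host: three records totalling 300 packets in the same window.
    lines += ["%.2f 10.0.5.66 10.0.5.2 UDP 161 100" % (1004 + i) for i in range(3)]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_flows(), controllers={"10.0.5.2", "10.0.5.3"}):
        print(alert)
```

Run against the constructed sample, the HMI's steady polling produces nothing, while 10.0.5.66 raises one port-sweep alert (21 distinct protocol/port pairs in the window) and one udp-burst alert (300 packets). The thresholds are deliberately crude; on a real control network they would be tuned to the known polling pattern, and the alert would go to the operators before the controller has a chance to fall over.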

Gone is even the fig-leaf of obscurity.  Gone are proprietary knowledge, access, and tools.  SCADA stands exposed.

Further, facilities such as petrochemical and power plants have taken advantage of the efficiency offered by modern SCADA systems capable of handling hundreds of "control loops" with reduced manpower. In these plants, just 10 years ago, a dozen shift operators at the controls were required to keep the plant humming along normally. Today, with the automation offered by SCADA systems, that same plant may have four or fewer operators at the controls per shift. This low level of staffing is fine as long as things are operating normally. In a nightmare cyber-incident, however, where the SCADA system fails and hundreds of control loops drop into manual mode at once, the operators will quickly be overwhelmed, potentially leading to catastrophic results.

The Challenge

I recall an afternoon driving to the Philadelphia airport with Howard Schmidt in 2003.  Coming off his latest position with the US Government, he was enjoying effecting change for the better in the Corporate World, where people were paying close attention to his advice.  One of the things we discussed was SCADA.  Simply put: it is a HUGE risk.

Forget "fancy" nuclear meltdowns; let's talk about a simple scenario: a pipeline of Compressed Natural Gas (CNG) crossing a few miles inside a major city. Even without intentional terrorism, the exact pressures, temperatures and so on within the pipe are crucial to the safe delivery of the gas. The situation today is that there are potentially millions of devices spread across all continents that have very little or no security.

Call To Action

Organizations such as the North American Electric Reliability Corporation (NERC) in the US (whose Critical Infrastructure Protection standards, CIP-002 through CIP-009, became mandatory for the bulk electric system in 2008) and the European Telecommunications Standards Institute (ETSI) in Europe try to teach the necessity of security as a foundational consideration in SCADA design and deployment. To say they are meeting with varying degrees of success is to be too kind.

SCADA is not as sexy as the web.  You do not see a US Senator talking about a series of tubes to describe it on a national soapbox (even though the term is slightly more appropriate to SCADA than to the Internet, since tubes were, indeed, used in early SCADA devices).

We need action now. Industry had its chance and has been too lax for too long. We need the Government to take an interest and mandate a change in the way things are done. We need international cooperation to ensure uniformity in securing those devices and networks, many of which cross oceans and spaceways. And we need it now. SCADA security is no less important than SWIFT security. It is the single biggest vulnerability in the world today. We must act now.

I thank Paul A. Henry, CISSP, for his review and contribution. Mr. Henry is a Security and Forensic Analyst at Lumension.

Update: since publishing this post, readers have asked me to recommend more reading on SCADA security. Besides asking me, I recommend the following books.

First, with Paul A. Henry's contribution: [book not reproduced here]. Second would be: [book not reproduced here]. And finally: [book not reproduced here].

Cyberwar Iran 2009: Part XIX – Return of (Green) Jedi

June 26, 2009 - ד' תמוז תשס"ט, by Ariel
This entry is part of a wonderful series, Cyberwar Iran.

In an apparent show of support out of the US Legislative Branch, and in a show of competition with George Lucas in number of sequels (of my blog), Jedi Senators Joe Lieberman, John McCain and Lindsey Graham (shown below, on Tatooine) announced a new bill, to be introduced after the July 4 recess, aimed at providing and funding support for the Iranian cyberwarriors.

[Image: Jedi McCain, Lieberman, Graham]

Announcing that they see the Iranian regime using cyber-warfare technologies, or, in their words:

Over the last two weeks, the Iranian regime has worked aggressively to stop its citizens from getting uncensored information about what is happening inside their country, and to prevent them from exercising their fundamental rights to free speech and free assembly online. The Iranian regime continues to jam satellite and radio broadcasts, disrupt cell phone service, monitor Internet use, and block websites.




I applaud their understanding of the situation. As a member of the Freebird project, I find it nice to have official US Government support, both financial and moral (and presumably legal), for efforts that allow the Iranian people to find their voice.

This is, in fact, operating a mini Voice of America service, backwards. As the importance of these channels of communication becomes more widely understood and recognized, the value of helping repressed people around the world share their plight will be more widely praised.

This will make situations such as the massacre in Rwanda or the mass rapes in the former Yugoslavia less likely to happen, more readily and quickly addressed, and faster to resolve in a humane and democratic way.

One of the most important results we already have from "the Twitter Revolution" is the great benefit of hundreds of thousands of new "on-ramps" to the Information Superhighway that the Internet is and that the western world is plugged into.