Poor SCADA security will keep attackers and researchers busy in 2013

Security researchers expect attacks against industrial control systems to increase next year

By Lucian Constantin
December 21, 2012 12:16 PM ET

IDG News Service - An increasing number of vulnerability researchers will focus their attention on industrial control systems (ICS) in the year to come, but so will cyberattackers, security experts believe.

Control systems are made up of supervisory software running on dedicated workstations or servers and computer-like programmable hardware devices that are connected to and control electromechanical processes. These systems are used to monitor and control a variety of operations in industrial facilities, military installations, power grids, water distribution systems and even public and private buildings.

Some are used in critical infrastructure -- the systems that large populations depend on for electricity, clean water, transport, etc. -- so their potential sabotage could have far-reaching consequences. Others, however, are relevant only to their owners' businesses and their malfunction would not have widespread impact.

The security of SCADA (supervisory control and data acquisition) and other types of industrial control systems has been a topic of much debate in the IT security industry since the Stuxnet malware was discovered in 2010.

Stuxnet was the first known malware to specifically target and infect SCADA systems and was successfully used to damage uranium enrichment centrifuges at Iran's nuclear plant in Natanz.

Stuxnet was a sophisticated cyberweapon believed to have been developed by nation states -- reportedly the U.S. and Israel -- with access to skilled developers, unlimited funds and detailed information about control system weaknesses.

Attacking critical infrastructure control systems requires serious planning, intelligence gathering and the use of alternative access methods. Stuxnet was designed to spread via USB devices because the Natanz computer systems were isolated from the Internet; it also exploited previously unknown vulnerabilities and targeted very specific SCADA configurations found only at the site. However, control systems that are not part of critical infrastructure are becoming increasingly easy for less skilled attackers to attack.

This is because many of these systems are connected to the Internet for the convenience of remote administration and because information about vulnerabilities in ICS software, devices and communication protocols is more easily accessible than in the pre-Stuxnet days. Details about dozens of SCADA and ICS vulnerabilities have been publicly disclosed by security researchers during the past two years, often accompanied by proof-of-concept exploit code.

"We will see an increase in exploitation of the Internet accessible control system devices as the exploits get automated," said Dale Peterson, chief executive officer at Digital Bond, a company that specializes in ICS security research and assessment, via email.

However, the majority of Internet accessible control system devices are not part of what most people would consider critical infrastructure, he said. "They represent small municipal systems, building automation systems, etc. They are very important to the company that owns and runs them, but would not affect a large population or economy for the most part."

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.