Is This SCADA Hacking Friday?

Today’s infosec news focuses on several possible incidents of penetrations at water utility companies. Elinor Mills at C|Net posted a story on a potential compromise last week at a Springfield, Ill., water company that may have resulted in physical damage. Meanwhile Gareth Halfacree at thinq has a writeup on a potential South Houston water supply network compromise.

Questions I often hear concerning incidents like this range from “How easy is it to attack SCADA networks?” to “Are we going to see more of these types of attacks?” The answers are quite simple.

It is really no more difficult to attack a SCADA network or system than it is to attack any other system. It just takes time, certain types of knowledge, and dedicated resources for developing the attack–same as any other attack vector or target. The second question is trickier.

Certainly we may see more SCADA-based or SCADA-focused attacks in the future. Attackers tend to target systems that can be successfully compromised, and recent history has shown that these systems are at least as vulnerable as other types of networked systems. But that isn’t really the point. In my mind, the second question often morphs into “How do we know they are not already compromised and actively under attack now?”

My gut tells me that there is greater targeting and wider compromise than we know about. Why? Again, my instincts tell me that there is a lack of cyberforensics and response procedures at most of these facilities. If you do not have cyberforensic capabilities, it is kinda hard to know if you have a cyberintrusion. Does this mean that I think it is cyber-Armageddon time? No, but it is certainly prudent to evaluate our systems and ask some questions.

The point has already been proven: SCADA networks and components are susceptible to attack just like any other networked computer system, and we see them getting attacked more and more often. So what should SCADA network administrators do?

  • Include “cyber” in all risk management
  • Set up extensive penetration testing
  • Set up extensive counter-social engineering training
  • Put a SCADA-specific CERT plan and team in place
  • Network with law enforcement at all levels
  • Expect to get attacked and take appropriate countermeasures