Utility Post


The SCADA Security Challenge

October 11, 2017, 12:59







By Chris Stoneff, Vice President of Technical Management, Lieberman Software Corporation

One of the less well-known aspects of information technology – but arguably one of the most critical – is the SCADA platform.

SCADA stands for Supervisory Control And Data Acquisition, the computer control systems at the heart of many industrial automation and control systems. SCADA-driven systems are found in energy power plants, electricity supply grids, and many other industrial systems that require a high degree of computerized control – but also demand total, 100% systems availability.

Many organizations claim that their IT processes are mission critical. However, SCADA control systems truly are critical to the national infrastructure. If the national power grid goes down, for example, it can cost a country untold financial damage. And, in the case of hospitals, air traffic control and the like, an outage could actually place people’s lives in jeopardy. Lost production and commerce is one thing, but lost lives raise the security game to an entirely new level.

The Default Password Backdoor

Here in the US, many SCADA-driven systems are connected to the Internet. And like most anything connected to the Internet, these systems are under nearly continuous attack. This situation, as you might surmise, is a ticking time bomb. Cybercriminals are not stupid – they understand weaknesses, possess the means to guarantee success, and comprehend the impact of an attack.

One of the largest vulnerabilities is that thousands of SCADA-based systems that are accessible from the Internet are defended only by weak default passwords set by the manufacturers. These are the passwords that administrators use to gain remote access to these industrial control systems. Logins such as ‘root:root’ and ‘admin:admin’ are quite common. For a more complete list, please refer to the default password list for SCADA devices published by the SCADA Strangelove research group on GitHub. SCADA Strangelove is an independent group of information security researchers focused on security assessment of SCADA and industrial control systems.

This is a well-known – and easily exploited – vulnerability, especially when these devices are left unprotected on the Internet on default unsecured ports such as port 80 or 23. Programs like Shodan allow people to search the Internet to find where particular devices are located. Once found, a person can then access plenty of web sites that provide a list of default passwords corresponding to a specific device.

These default passwords should be found and changed to unique and cryptographically complex values. But it shouldn’t stop there. IT security best practices call for all credentials on critical systems to be updated regularly. And automated updates are best.
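As an added illustration of the find-and-change step above (not code from the article or from any vendor), the following audit runs over a constructed inventory export, flags the default logins and unsecured ports named in the text, and proposes unique random replacements. The record layout, the function names and the 90-day rotation window are assumptions.

```python
import secrets
import string
from datetime import date

# Default pairs named in the article; a real audit would load a fuller vendor list.
DEFAULT_PAIRS = {("root", "root"), ("admin", "admin")}
UNSECURED_PORTS = {23, 80}   # Telnet and HTTP, the ports the article calls out
MAX_AGE_DAYS = 90            # assumed rotation policy, not a figure from the article

# Constructed inventory records, shaped like a credential vault export.
INVENTORY = [
    {"device": "plc-01", "user": "admin", "password": "admin",
     "ports": [80, 502], "internet_facing": True, "rotated": date(2016, 1, 4)},
    {"device": "rtu-07", "user": "root", "password": "root",
     "ports": [22], "internet_facing": False, "rotated": date(2017, 9, 1)},
    {"device": "hmi-03", "user": "ops", "password": "k9!Vq2#xLm7@Rz4w",
     "ports": [443], "internet_facing": True, "rotated": date(2017, 9, 20)},
]

def new_password(length=24):
    """Random password containing at least one character from each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_"]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

def audit(inventory, today):
    """Return {device: [findings]} for every device that needs action."""
    report = {}
    for rec in inventory:
        findings = []
        if (rec["user"].lower(), rec["password"].lower()) in DEFAULT_PAIRS:
            findings.append("default-credential")
        exposed = UNSECURED_PORTS & set(rec["ports"])
        if rec["internet_facing"] and exposed:
            findings.append("unsecured-port:" + ",".join(map(str, sorted(exposed))))
        if (today - rec["rotated"]).days > MAX_AGE_DAYS:
            findings.append("rotation-overdue")
        if findings:
            report[rec["device"]] = findings
    return report

def rotation_plan(inventory, today):
    """Map each device with a default or stale credential to a fresh, unique password."""
    return {dev: new_password() for dev, f in audit(inventory, today).items()
            if "default-credential" in f or "rotation-overdue" in f}
```

Run on a schedule against the real inventory, the same check turns the one-time cleanup into the automated, regular update the paragraph recommends.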

Making SCADA Systems More Secure

Given that the very heart of our nation’s infrastructure runs on SCADA, how do we make these systems more secure?

Here’s what I believe is the core of the issue: SCADA systems can be based on a combination of embedded controllers combined with Windows or Linux systems.  This combination isn’t terribly insecure in isolation. But once connected to the Internet (as a matter of convenience and for holistic management), every component needs to be patched and managed for access and authorization since there are no longer any locked doors keeping the wrong people out.

Corporate IT systems are – most of the time – protected by network firewalls, intrusion and anomaly detection systems, endpoint security software, privileged identity management technology and other prevailing safeguards. Once they’re connected to the Internet there’s simply no excuse for SCADA networks not to employ – at the very least – those same essential layers of security to protect against external attacks.

The Bottom Line of the SCADA Security Issue

The bottom line is that a great many SCADA networks are designed and deployed by engineers who lack IT security training. This engineering culture can’t be expected to understand all of the cyber security threats that foreign powers and sociopaths could pose to their designs. Consequently, many SCADA networks have a security blind spot. While there is a healthy dose of attention paid to whether the controls interact safely with their physical environments, there is far too little focus on how well the systems can withstand cyber attacks.

And, as discussed previously, we’ve also found that management teams – especially at smaller utilities – fail to understand the need to change passwords regularly. The thinking is: ‘We need to know the password for everything – because when the power is down, we need access in a hurry.’ Consequently these admin teams, we find, have a habit of using default passwords on their systems to ensure easy levels of access – at all times – for all engineers.

This is a cultural issue, and it’s one that IT security vendors need to address head on. Because the fact of the matter is, while you can employ software patches to make a system more secure, there is no similar patch against human error.

The State-Sponsored Attacker

This entire matter is one of potential cyber warfare with state-sponsored attackers as a primary threat. We’re talking about extremely well-funded, extremely intelligent and extremely motivated people – not just any old basement-dwelling “hacker”. That makes critical national infrastructure cyber security an issue that screams for government oversight.

The reality is that governments around the world have already staged attacks on rival states’ critical infrastructure, but we hear about very few of these incidents in public. In the event of a significant attack on US infrastructure – in all likelihood originating from a smaller rogue state – the outcome could constitute an act of war as damaging as any action taken with troops and physical armament.

Some time ago I believed it was unlikely that any government would footprint or probe other states’ critical infrastructure. My observations have caused me to change my mind, and I now believe it is naive to underestimate any foe. SCADA vulnerability is a central challenge to our national security – and we need to address this issue now, before a major incident takes place.


Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software Corporation. He is responsible for meeting the real-world needs of the company’s customers. With nearly 20 years of systems administration, consulting, training, and product management experience, Mr. Stoneff is in guiding the development of the Lieberman Software products portfolio.

