The S in SCADA isn’t for Secure
The S in SCADA stands for Supervisory, not Secure. An article in the Harvard Business Review entitled ‘Smart Cities Are Going to Be a Security Nightmare‘ points out that SCADA systems are particularly susceptible to frequent hacks due to poor security protocols, and a lack of cryptographic security and authentication factors. This is largely because the software dates from the last century.
But it is also because the software is written to perform an engineering function with too little attention paid to security. The same mistake continues to be made as Internet of Things applications are created. The excitement of creating new applications for sensor-based systems usually means that security is an after-thought. ZDNet reported last year that IoT devices can be hacked in minutes.
A report today reveals that cyber-criminals start attacking servers newly set up online about an hour after they are switched on. The tools used to identify vulnerabilities are automated. 37% of them looked for vulnerabilities in web apps or tried well-known admin passwords.
To date, state-sponsored hacking has focused on the electricity grid (Ukraine) and, using Stuxnet, the industrial process of uranium enrichment. The same principles and approach could easily be applied to water treatment and distribution, probably with greater and more enduring impact on a larger number of people. Reports of a hack of a US water system fortunately proved incorrect when it later transpired that a contractor had logged in to the system whilst on holiday in Russia.
i2O appointed a Security Architect last year and has designed its solutions to minimise security risks, offering a large number of security advantages including the minimum viable number of attack vectors, full separation of water company OT from IT, defensive architectures, integrity monitoring, hardened software, rapid security patching, secure access, and encrypted communications. The company is ISO 27001 compliant.
Attribution:
By Own Work (Own work) [Public domain], via Wikimedia Commons
