We’d recently organised a roundtable discussion on the very esoteric topic of SCADA with regional security experts help AG, which has thrown up some interesting findings. SCADA, for the uninitiated, is the lifeblood of any modern energy or utility company. The discovery of number of serious vulnerabilities in these industrial control systems, first brought to light by the now-famous Stuxnet incident, has raised serious concerns, as a successful attack can cripple a nation’s most critical industrial infrastructure. SCADA has never been a fodder for discussion at security seminars before as these systems have been written with the assumption that it would always be on a trusted LAN, not connected to the Internet or the outside world. In other words, these systems were not designed with security in mind, and definitely not for a connected world. However, lately many energy companies are being forced to expose their process control systems to the outside data environment to augment their business efficiencies. But, hacking SCADA systems no long requires a physical access. As a security expert puts it “all it takes is just a network connection, a way to route packets to the logic controller and a way to bypass the traffic filters, which are all activities that hackers understand.” You might recall that Stuxnet spread through removable media, not the Internet.
With the stakes being so high, what needs to be done to make sure that our critical infrastructure which is essential for society and economy to function is safe? The recent flurry of vulnerabilities has forced SCADA developers to take a closer look at the security aspect, and energy and other utility companies have been urged to deploy the appropriate monitor and intrusion prevention systems to protect these networks. One of the troubles with SCADA security is that many companies in the region don’t have expertise in this domain, and those in the SCADA filed are also not as open as other software companies about exchanging security tips and knowledge. To make things worse, SCADA systems are often old and haven’t gone through proper security audits even though systems control critical infrastructure. It’s heartening to see that bodies such as Critical National Infrastructure Authority in the UAE have taken the lead, which has started auditing of all the major oil and gas companies in the region. Critical infrastructure is always an attractive target for cyber criminal and it’s an area where we can’t afford to let our guards down.