SCADA - Security by Obscurity
- SCADA lifecycles are extremely long and deployed systems are rarely patched;
- Many SCADA end-users are on tight budgets and won’t hear about a defence in depth security protocol or even patching;
- Most systems don’t have any kind of protocol in place to even support patching – and the ones who must run 24x7 are particularly difficult to patch (no test servers exist; the hardware perhaps isn’t even made anymore – quite a bit of this stuff is out there running on Unix, Windows NT, Linux, BSD, DOS, OS/2 (really!) and even Windows 3.1 (really, really!!));
- The whole controls world loves things with 20+ year lifetimes – it is horribly expensive to upgrade;
- These people operate in a distinct environment from IT – a control system has up-time as its No. 1 priority to support process operability and safety – security is absolutely not a top priority (I’m not saying here it should not be a priority, but even if you were monitoring your network and you had an unexpected traffic spike or whatever, you can’t just go shutting things down);
- It is quite normal for a SCADA system to be supported by one or more third-party firms (e.g., a System Integrator) – we go to sites, we plug in our laptops, do our bit for King and Empire and go home – this is a two-way street for picking up malware, trojans, bots or whatever (certainly the good integrators do their homework and have fairly clean laptops – but I’ve seen viruses come in from Fortune 500 company control networks) – one of the reasons we have to plug in with our own kit is that run-time versions are deployed and engineering versions may not even exist with a lot of clients.
Also, SCADA is just the beginning. Out there every little thing you can think of in automation - not just critical infrastructure - can hang off a network.