- Do you regularly carry out security and system updates?
- Do you replace old hardware in good time?
- Do you conduct risk assessments to check your business-critical systems for possible hazards?

Let us begin by explaining what SCADA stands for and what it means. Supervisory Control and Data Acquisition refers to monitoring and controlling technical processes using a computer system.
We hear people saying again and again “Nobody can get into our system anyway” or “We use our own lines and cables, what’s the worst that could happen?”. But the discussion suddenly becomes emotional once it widens to topics like “What is the state of the art?” and “How much does security cost?”.
However, it has been common knowledge ever since Stuxnet that attacks on isolated SCADA systems have indeed been carried out in practice. It is really a matter of financial capability and the amount of effort that one is willing to put in to reach a certain goal.
Recent events clearly demonstrate that the hazards are often underestimated. The latest tool already out there for attacking SCADA systems has been dubbed “Industroyer” by security researchers. “Industroyer” supports several SCADA protocols, and its architects are definitely able to adapt it for specific applications.
In times when everyone is constantly talking about “Cyberwar”, Industroyer clearly proves that we must not take the security of our power supply for granted. Industry should not just sit back and relax either. Every business using SCADA systems is now faced with a new security topic in addition to all the other security issues.
In practice, SCADA systems more often than not receive updates only for functional areas, and those updates mostly come at long intervals. Security updates cost time, money and effort at a time when the industry is facing a lack of human resources. The missing updates, and in some cases old hardware, make things a lot easier for potential hackers: they do not have to use expensive zero-day exploits. To reach their goal, they merely need to make use of any of the countless known exploits.
The least that we can do now is to resort to risk management in view of the new hazards. The one response to these risks that we must not even consider is to ignore them.
Image copyright: (c) ChiccoDodiFC – Fotolia.com