Environmental Engineering Reference
In-Depth Information
4.
Network
(including communication links)—Legacy system hard-
ware and software have very limited security capabilities, and the
vulnerabilities of contemporary systems (based on modern informa-
tion technology) are publicized. Wireless and shared links are sus-
ceptible to eavesdropping and data manipulation.
5.
Platforms
—Many platform vulnerabilities exist, including default
configurations still in place, poor password practices, shared
accounts, inadequate protection for hardware, and nonexistent secu-
rity monitoring controls. In most cases, important security patches
are not installed, often due to concern about negatively impacting
system operation; in some cases, technicians are contractually for-
bidden from updating systems by their vendor agreements.
The following incident helps to illustrate some of the risks associated with
SCADA vulnerabilities (USEPA, 2005):
During the course of conducting a vulnerability assessment, a contractor
stated that personnel from his company penetrated the information sys-
tem of a utility within minutes. Contractor personnel drove to a remote
substation and noticed a wireless network antenna. Without leaving
their vehicle, they plugged in their wireless radios and connected to the
network within 5 minutes. Within 20 minutes they had mapped the net-
work, including SCADA equipment, and accessed the business network
and data.
The increasing risk
Historically, security concerns about control systems (SCADA included) were
related primarily to protecting against physical attack and misuse of refining
and processing sites or distribution and holding facilities (GAO, 2003). More
recently, however, there has been a growing recognition that control systems
are now vulnerable to cyber attacks from numerous sources, including hotel
governments, terrorist groups, disgruntled employees, and other malicious
intruders. In addition to control system vulnerabilities mentioned earlier,
several factors have contributed to the escalation of risk to control systems:
(1) the adoption of standardized technologies with known vulnerabilities, (2)
the connectivity of control systems to other networks, (3) constraints on the
implementation of existing security technologies and practices, (4) insecure
remote connections, and (5) the widespread availability of technical infor-
mation about control systems.
Adoption of Technologies with Known Vulnerabilities
When a technology is not well known, not widely used, not understood, or
not publicized, it is difficult to penetrate it and thus disable it. Historically,
proprietary hardware, software, and network protocols made it difficult to
