Supervisory control and data acquisition systems are critical to the functioning of industrial organizations, including energy companies and public utilities. Precisely because of their connection to such valuable resources — and also because they are often legacy systems that are not protected by state-of-the-art defenses — SCADA networks are extremely tempting targets for threat actors.
“If I were an opportunistic cybercriminal, the first thing I would want to do is try to access a SCADA network,” says Pedro Serrano, a senior security architect at CDW.
“A successful attack against the right organization could result in a loss of energy to a large portion of the country. That’s a very scary reality.”
Energy and Utility Companies Have Critical Security Vulnerabilities
According to a Fortinet survey of operational technology (OT) professionals, 93 percent of organizations experienced at least one intrusion over the previous year; 78 percent experienced more than three intrusions. The most common impacts of these attacks were downtime, financial or data loss, and brand degradation.
Most concerning: Respondents also cited reduced physical safety as a common impact. While that report focused on OT more broadly, there is also evidence that attacks directed specifically at infrastructure and control systems are becoming more common.
According to research by the Organization of American States and Trend Micro, 54 percent of critical infrastructure suppliers in the U.S. reported attempts to access control systems, and 40 percent experienced attempts to shut down these systems. And more than half reported an increase in attacks.
One problem is the age of the systems, experts say. “Many of these networks have been around since the 1960s or 1970s,” Serrano notes. “Back then, nobody thought about putting in any security, because these were all closed networks. Today, you have users who want to connect to their SCADA systems via Wi-Fi, but all of these changes must be made with security top of mind, because these are not networks that you want open to the world.”
Some people may underestimate the scope of the threats facing SCADA systems simply because successful attacks against critical OT often go unreported or victims remain anonymous.
In 2014, for instance, attackers caused multiple system failures at an unnamed German steel mill, reportedly bringing the facility’s operations nearly to a halt. Similarly, Verizon Security Solutions discovered in 2016 that a water company had fallen victim to a SCADA attack. In the attack on the unnamed utility, uncovered as part of a vulnerability assessment, hackers gained a level of access that could have allowed them to take over the plant’s chemical processing systems.
SCADA Systems Are Old and Protect Vital Infrastructure
The advanced age of most SCADA networks, combined with the fact that they integrate sensors and physical devices, makes them susceptible to what Serrano calls the “weaponization of IoT.” Recently, security professionals across sectors have reported an increase in both the volume and sophistication of threats, meaning that attacks on SCADA networks are often leveraging techniques and tools far more advanced than those of even a few years ago.
Organizations must protect their networks against these potential threats on a number of fronts, Serrano says: “There are a lot of reasons why someone would want to attack these resources. On a geopolitical level, hostile nation-states have their eyes on public infrastructure and utilities.”
Additionally, Serrano says, financially motivated hackers may target SCADA systems with ransomware. Garden-variety malware can lead to significant disruptions. And insiders pose an additional risk, as disgruntled employees may attempt to manipulate data or sabotage systems.
“In a sense, the threat landscape is no different from that facing any other industry,” Serrano says. “It’s the same kind of cybercrime that they’re battling. But what is different is the potential scale of the consequences.