Are ICS and SCADA Systems the Next IOT Disaster?

industrial-securityThere is a lot of talk in the cybersecurity world about Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems that run the US power grid, water utilities, gas piplines, oil refineries, and countless factories.  We discussed how all this might play out in the electrical grid when I reviewed Ted Koppel’s new book Lights Out.

We saw the kind of damage that an IoT botnet could achieve when the Mirai botnet took large chunks of the Internet offline for part of a day.  Do ICS and SCADA systems represent the same sort of risk?

The answer is:  not likely.  And the principle reason makes sense.  It is true that many of these ICS and SCADA systems were designed for private wide area networks, and never designed to be connected to the Internet.  Nevertheless, this is happening.  The good news is that the industrial controls marketplace are dominated by a few very large players such as General Electric, Honeywell, and Siemens.  These companies are not driven by the same rush to market forces that the little IoT manufacturers are.  More importantly, there are competitive advantages to these ICS manufacturers to provide better security systems than their competition.  Additionally, their large size and long presence in the market means they are more likely to be designing security in from the start, rather than as an afterthought.

They are also likely to know exactly who has what product and where it is located.  So in the event that there is a major firmware or software update, they can get it out quickly to the companies who need it.  Their customers are also mostly large and technically sophisticated companies who are able to handle these sort of upgrades without an serious issue.

But lets not forget that Stuxnet was designed expressly to attack a very specific Siemens industrial controller.  So the risk is very real.  ICS and SCAD systems need to be secured as well, if not better, than other automated systems.  For the most part, these security systems are in place where they are needed.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
  Related Posts

Add a Comment